Privacy Policy
Last updated: 22 April 2026
This Privacy Policy describes how Schneider Improvement Ltd ("we", "us", "our"), trading as MimicReader.ai, collects, uses, and protects your personal data when you use our website at mimicreader.ai and related services (the "Service").
We are registered in Scotland. Our registered office address is 4 Maclellan Road, Neilston, Glasgow, Scotland, G78 3HP (company number SC828943). We are registered with the UK Information Commissioner's Office (ICO) as a data controller — ICO registration number C1917055.
For questions about this policy or your personal data, contact us at [email protected].
1. Data Controller
The data controller responsible for your personal data is:
- Company: Schneider Improvement Ltd
- Address: 4 Maclellan Road, Neilston, Glasgow, Scotland, G78 3HP (company number SC828943)
- ICO registration: C1917055
- Email: [email protected]
- Data Protection Officer: [email protected]
2. What Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — to identify your account, send password resets, and (with your consent) service updates
- Username — your chosen display name
- Password — stored only as a bcrypt hash; we never store and cannot access your plain text password
2.2 Content You Upload
- Ebooks — files you upload (EPUB, PDF, MOBI, FB2, TXT) are stored on our private server infrastructure for processing
- Generated audiobooks — AI-generated audio files stored on our private storage (TrueNAS) and accessible only to you
2.3 Usage Data
- Playback progress — your reading/listening position in books, synced across devices
- Forum posts and comments — content you voluntarily post in the community forum
- Generation job metadata — language, voice selection, processing status, and timestamps for audiobook generation requests
2.4 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit/debit card details, bank account numbers, or other financial information on our servers. We receive from Stripe only:
- Stripe customer ID
- Transaction confirmations (amount, date, status)
- Subscription/credit balance status
2.5 Data We Do NOT Collect
- We do not use tracking cookies or advertising cookies
- We do not use Google Analytics or similar tracking tools
- We use Cloudflare Web Analytics, which is privacy-focused and does not use cookies or track individual users
- We do not sell, rent, or trade your personal data
3. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:
| Data | Legal Basis | Purpose |
|---|---|---|
| Account details (email, username, password hash) | Contract performance (Art. 6(1)(b)) | Necessary to provide the Service |
| Uploaded ebooks & generated audiobooks | Contract performance (Art. 6(1)(b)) | Core functionality of the Service |
| Playback progress | Contract performance (Art. 6(1)(b)) | Sync reading position across devices |
| Payment data (via Stripe) | Contract performance (Art. 6(1)(b)) | Process purchases and manage credits |
| Forum posts & comments | Consent (Art. 6(1)(a)) | Community features you choose to use |
| Essential cookies (auth tokens) | Legitimate interest (Art. 6(1)(f)) | Keep you logged in securely |
| GDPR consent record | Legal obligation (Art. 6(1)(c)) | Demonstrate compliance |
| Voice notes (audio recordings & Whisper transcripts) | Contract performance (Art. 6(1)(b)), explicit consent for biometric data (Art. 9(2)(a)) | Voice journal feature. Recordings may contain biometric voice markers; we do not analyse them biometrically. Stored in your account, deleted on account deletion or when you delete the note. |
| User-uploaded voice samples (for voice cloning) | Explicit consent (Art. 9(2)(a)) | Only uploaded when you explicitly confirm the voice is yours or you have the speaker's permission. Used as a reference for AI TTS synthesis. |
| Login history (IP, browser, approximate location) | Legitimate interest (Art. 6(1)(f)) | Security — detect suspicious sign-in activity. Retained while the account exists; deleted on account deletion. |
| Primer child data — admin-only feature (child name, age bracket, stories, learning progress) | Explicit consent of the parent/guardian (Art. 6(1)(a) + Art. 8 for children) | Currently restricted to the admin account. If opened to users, parental consent is required. Can contain child voice input via Whisper transcription. |
3.1 Children's data
MimicReader's Primer feature (interactive AI stories for children aged 3-9) is currently restricted to the administrator account only and is not available to public users. If we open it to the public, we will require verifiable parental consent and comply with the UK Age Appropriate Design Code (Children's Code) and COPPA where applicable.
Our general service is not directed at children under 13. We ask for age confirmation at signup and on the waitlist. If we learn that we have collected personal data from a child under 13 without parental consent, we will delete it.
4. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve the Service
- Process your ebook-to-audiobook conversion requests
- Authenticate your identity and keep your account secure
- Process payments and manage your credit balance
- Sync your reading/listening progress
- Display your forum posts to other users
- Respond to your support requests
- Comply with legal obligations
5. Third-Party Processors
We share your data with the following third-party service providers, each under appropriate data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, payment details (entered directly on Stripe) | US (EU SCCs in place) |
| Cloudflare | CDN, DNS, DDoS protection, cookieless analytics | IP address (for routing/security only, not stored for analytics) | Global (US-based, EU SCCs) |
| RunPod | GPU cloud processing (overflow capacity for TTS + Whisper transcription) | Text and audio content for processing (temporarily, not retained after job completes) | US/EU |
| Anthropic (Claude API) | Premium translation, Chat-with-Characters fallback, Primer story generation (admin-only) | Text content sent for inference (book excerpts, chat messages, child input in Primer); not retained by Anthropic beyond 30 days | US (SCCs in place) |
| Google (Gemini API) | Live Reader text-to-speech, Chat-with-Characters fallback | Text content sent for TTS / chat inference; not retained for model training (paid API tier) | US (SCCs in place) |
| Google (Sign-In with Google) | Optional federated login | Email address + Google ID token (only when you choose "Sign in with Google") | US (SCCs in place) |
| Resend | Transactional email (verification, waitlist, receipts) | Email address + message body | US/EU (SCCs in place) |
| fal.ai (planned overflow) | Image generation for Primer (admin-only feature) | Text prompts; no personal identifiers sent | Global |
AI-generated content & automated processing: We use the services above to generate audio, translate text, and power AI chat. These operations do not result in any automated decision with legal or similarly significant effects on you (UK GDPR Art. 22). You can avoid AI processing by simply not using the features that require it.
5.1 Book Source APIs
When you browse free books on our Explore page, your browser connects directly to these public APIs:
- Project Gutenberg (gutendex.com) — public domain book metadata
- Open Library (openlibrary.org) — book metadata and covers
- Internet Archive (archive.org) — public domain texts
- Wolne Lektury (wolnelektury.pl) — Polish public domain literature
These are direct browser-to-API connections governed by each provider's own privacy policy. We do not proxy or log these requests.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Uploaded ebooks | Until you delete them or your account |
| Generated audiobooks | Until you delete them or your account |
| Playback progress | Until you delete your account |
| Forum posts & comments | Until you delete them or your account |
| Payment records | 6 years after transaction (UK tax/accounting law) |
| Auth tokens (cookies) | Access: 15 minutes; Refresh: 7 days |
When you delete your account, we delete all your personal data, uploaded files, and generated audiobooks within 30 days, except where retention is required by law (e.g., payment records for tax compliance).
7. Your Rights (UK GDPR)
Under UK data protection law, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion of your data
- Data portability — receive your data in a structured, machine-readable format
- Restrict processing — limit how we use your data
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. International Data Transfers
Your data is primarily stored on servers located in the United Kingdom. Some of our third-party processors (Stripe, Cloudflare) operate globally, including in the United States. Where data is transferred outside the UK, we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions by the UK Secretary of State
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All connections encrypted with TLS/HTTPS (HSTS enforced)
- Passwords hashed with bcrypt (never stored in plain text)
- Authentication via httpOnly, secure cookies (not accessible to JavaScript)
- SSH key-only authentication on all servers (password auth disabled)
- Intrusion detection and prevention (fail2ban)
- Private server infrastructure (not shared hosting)
- Regular security audits
10. Children
MimicReader.ai is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will promptly delete such data.
11. Region-Specific Rights
In addition to the UK GDPR rights described above, users in certain jurisdictions have additional rights under local data protection laws.
11.1 European Economic Area (EU GDPR)
If you are located in the EEA (including France, Germany, Spain, Portugal), the EU General Data Protection Regulation (GDPR) applies. Your rights under EU GDPR are substantially the same as under UK GDPR (Section 7 above). Additionally:
- You may lodge a complaint with your local Supervisory Authority (e.g., CNIL in France, BfDI in Germany, AEPD in Spain, CNPD in Portugal)
- International transfers outside the EEA are protected by EU Standard Contractual Clauses (SCCs)
- Legal basis for processing follows EU GDPR Art. 6, which mirrors UK GDPR
11.2 Poland (RODO)
Polish users are protected under RODO (the Polish implementation of EU GDPR). You have all rights listed in Section 7. Your supervisory authority is the UODO (Urząd Ochrony Danych Osobowych) at uodo.gov.pl.
11.3 Turkey (KVKK)
If you are located in Turkey, the Personal Data Protection Law No. 6698 (KVKK) applies. In addition to the rights in Section 7, you have the right to:
- Learn whether your personal data is processed
- Request information about data processing purposes and whether data is used in line with its purpose
- Know the third parties to whom your data is transferred
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your data under KVKK Art. 7
- Object to results arising exclusively from automated processing
- Claim compensation for damages caused by unlawful processing
You may lodge a complaint with the KVKK Board (Kişisel Verileri Koruma Kurumu) at kvkk.gov.tr.
11.4 Japan (APPI)
If you are located in Japan, the Act on the Protection of Personal Information (APPI) applies. Under APPI:
- You have the right to request disclosure, correction, cessation of use, or deletion of your personal data
- We will not provide your personal data to third parties without your consent, except as permitted by APPI
- Cross-border transfers to the UK and service providers are conducted with appropriate safeguards
You may contact the Personal Information Protection Commission (PPC) at ppc.go.jp.
11.5 South Korea (PIPA)
If you are located in South Korea, the Personal Information Protection Act (PIPA) applies. Under PIPA:
- You have the right to access, correct, delete, and suspend processing of your personal information
- We collect the minimum personal information necessary to provide our Service
- Your personal information is destroyed without delay when the purpose of processing has been achieved
- Cross-border transfers are conducted with your consent and appropriate safeguards
You may lodge a complaint with the Personal Information Protection Commission (PIPC) at pipc.go.kr.
11.6 India (DPDPA)
If you are located in India, the Digital Personal Data Protection Act 2023 (DPDPA) applies. Under DPDPA:
- You have the right to access, correct, and erase your personal data
- You have the right to grievance redressal and to nominate another person to exercise your rights
- We process your data based on consent or legitimate uses as defined under DPDPA
- We do not process children's data (under 18 in India) without verifiable parental consent
You may contact the Data Protection Board of India once it is established.
11.7 Saudi Arabia & UAE (PDPL / Federal Decree-Law)
If you are located in Saudi Arabia or the UAE:
- Saudi Arabia (PDPL): You have the right to access, correct, and request destruction of your personal data under the Personal Data Protection Law. You may lodge a complaint with the Saudi Data & AI Authority (SDAIA)
- UAE (Federal Decree-Law No. 45/2021): You have the right to access, correct, restrict processing, and request erasure of your personal data. Cross-border transfers are conducted with adequate safeguards
11.8 Arabic-Speaking Regions
For users in other Arabic-speaking regions, we apply the same data protection standards as outlined in this policy. Where local data protection laws apply, we comply with them in addition to UK GDPR.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a prominent notice on our website or by email. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us:
- Email: [email protected]
- Company: Schneider Improvement Ltd
- Address: 4 Maclellan Road, Neilston, Glasgow, Scotland, G78 3HP (company number SC828943)
- ICO registration: C1917055
- Data Protection Officer: [email protected]