Privacy Policy
Status: January 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
99 Miracles LTD
Dimitri Margariti No. 10
Gemi court office 303
6042 Larnaca
Cyprus
E-Mail: support@miracles.my
Website: www.miracles.my
The brand "Miracles" is operated by Pushed FlexCo.
2. Overview
This Privacy Policy informs you about how we collect, use, store, and share personal data when you visit our website, place an order, or otherwise communicate with us.
Our shop is based on Shopify. In case of conflicts between our Terms and Conditions and this Privacy Policy, this Privacy Policy takes precedence regarding data processing.
3. Which personal data we collect
Depending on the use of our services, we process different categories of personal data:
3.1 Data provided by you
- Contact data: Name, email address, billing and shipping address, phone number
- Payment data: Credit card information, payment details, transaction data
- Account data: Username, password, settings, and preferences
- Order data: Purchased items, shopping cart contents, returns, cancellations
- Communication data: Support requests, email correspondence
- Personalization data: Names, texts, photos, and other content for personalized products
3.2 Automatically collected data
- Technical data: IP address, browser type, device type, operating system, language settings, access times
- Usage data: Visited pages, clicks, duration of stay, navigation
- Tracking data: Via cookies, pixels, and similar technologies
4. Processing of uploaded content for personalization
For the creation of personalized children's books, we process the content you provide such as names, texts, and photos.
Purpose: Creation, design, customization, quality control, and production of your personalized product.
Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).
Storage duration: The data is only stored as long as necessary for production, possible complaints, or legal retention periods.
No use for advertising purposes: Use of your personalization data for advertising purposes only takes place with your explicit consent.
5. Processing of image data (including children's pictures)
As part of our personalized products, you can upload images depicting identifiable persons, including children. These images constitute personal data within the meaning of the GDPR.
5.1 Your Confirmation upon Upload
By uploading an image, you confirm that you:
- are authorized to use and transmit the image
- for images of children where the legal guardian is the person or appropriate consent is available
- for images of other persons whose consent has been obtained
5.2 Purpose of Use
The uploaded images are used exclusively for:
- Creation and design of your personalized product
- Quality control before production
- Production and printing
No use is made:
- for training AI models
- for advertising purposes (except with your explicit consent)
- for transfer to uninvolved third parties
5.3 Technical Processing by Service Providers
To create the personalized illustrations, we use AI-supported image processing services, including:
- Google Gemini API (Google LLC, USA)
These service providers act as processors according to Art. 28 GDPR and process data exclusively according to our instructions. We have data processing agreements with all service providers.
International Data Transfer: Processing may take place in third countries (e.g. USA). In these cases, we ensure an adequate level of data protection by concluding EU standard contractual clauses (Art. 46 para. 2 lit. c GDPR).
5.4 Storage duration and deletion
Image data is stored for:
- The duration of production
- The statutory warranty period (2 years)
- Possible complaint handling
The data is then deleted or anonymized.
6. Legal bases of processing
We process personal data on the following legal bases:
| Processing | Legal basis |
|---|---|
| Contract processing, orders, personalization | Art. 6 para. 1 lit. b GDPR (Contract fulfillment) |
| Accounting, invoices, taxes | Art. 6 para. 1 lit. c GDPR (Legal obligation) |
| Marketing, tracking, personalized advertising | Art. 6 para. 1 lit. a GDPR (Consent) |
| Newsletter distribution | Art. 6 para. 1 lit. a GDPR (Consent) |
| Fraud prevention, security | Art. 6 para. 1 lit. f GDPR (Legitimate interest) |
| Customer service, communication | Art. 6 para. 1 lit. b/f GDPR |
7. Purposes of Data Processing
We process your data for the following purposes:
- Provision of Our Services: Order processing, shipping, returns, account management, personalized product creation
- Marketing and Advertising: Email marketing, retargeting, personalized advertising (only with consent)
- Security: Fraud prevention, authentication, technical integrity
- Customer Service: Responding to inquiries, support
- Legal Obligations: Accounting, retention periods, official requests
8. Disclosure of Personal Data
We only share personal data to the necessary extent:
8.1 Service Providers and Partners
- Shopify Inc. – Hosting, shop infrastructure, analytics
- Payment Service Providers: Shopify Payments, Stripe, Klarna, PayPal, Apple Pay, Google Pay (process as independent controllers)
- Shipping Service Providers: For the delivery of your orders
- Printing Partners: For the production of personalized books
- Marketing Partners: Meta (Facebook/Instagram), Google, TikTok (only with consent)
- Email Service Providers: Shopify Email
- AI Image Processing: Google Gemini API
8.2 Other Recipients
- Authorities and Courts: When legally obligated
- Corporate restructuring: In the event of mergers or acquisitions
9. Cookies and tracking technologies
We use cookies and similar technologies. Non-essential cookies are only set with your consent.
9.1 Essential cookies
Necessary for the operation of the website (e.g., shopping cart, login). Legal basis: Art. 6 para. 1 lit. f GDPR.
9.2 Analysis and marketing cookies (only with consent)
| Service | Provider | Purpose |
|---|---|---|
| Google Analytics 4 | Google LLC, USA | Website analysis, usage statistics |
| Google Ads Conversion Tracking | Google LLC, USA | Measurement of advertising effectiveness |
| Google Tag Manager | Google LLC, USA | Management of tracking scripts |
| Meta Pixel | Meta Platforms Inc., USA | Personalized advertising on Facebook/Instagram |
| TikTok Pixel | TikTok Inc., USA | Conversion tracking, targeted advertising |
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
Revocation: You can revoke your consent at any time via our cookie banner.
9.3 Google Fonts
We use Google Fonts to display fonts. Your IP address is transmitted to Google in the process. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in uniform presentation).
10. Newsletter
With your explicit consent, we send you our newsletter. Registration is done via double opt-in: after entering your email address, you will receive a confirmation email with an activation link.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
Unsubscribe: You can unsubscribe at any time via the link at the end of each newsletter or by email to support@miracles.my.
Service provider: Shopify Email (Shopify Inc., Canada/USA).
11. Relationship with Shopify
Our shop is hosted by Shopify Inc. Shopify processes personal data to provide the platform, improve services, and prevent fraud.
Further information:
12. International data transfers
Some of our service providers are located outside the European Economic Area (EEA), especially in the USA.
We ensure an adequate level of data protection by:
- EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR)
- Adequacy decisions of the EU Commission, if available
- Supplementary technical and organizational protective measures
13. Retention periods
| Data category | Storage duration |
|---|---|
| Order and invoice data | 7 years (Austrian tax law) |
| Account data | Until account deletion |
| Personalization data (images, names) | Until production completion + warranty period (2 years) |
| Marketing data | Until consent is withdrawn |
| Communication data | 3 years after completion of the request |
14. Data of Children
Our services are not directed at persons under 16 years of age. We knowingly do not collect personal data of minors under 16 years as customers.
Note: The processing of children's images for personalized products is carried out on the instruction and under the responsibility of the ordering adult (see section 5).
If you suspect that we have unintentionally collected data of a minor as a customer, please contact us immediately.
15. Automated Decision-Making
We use AI-powered systems to create personalized illustrations. This processing is solely for contract fulfillment and has no legal or similarly significant effects on you.
If you are not satisfied with the result, you can contact us, and we will create a manual alternative or refund the purchase price.
16. Data security
We take appropriate technical and organizational measures to protect your data, including:
- SSL/TLS encryption for all data transmissions
- Secure storage on protected servers
- Access restrictions for employees
- Regular security checks
No method of data transmission or storage can guarantee absolute security.
17. Your rights
Under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Information (Art. 15) | You can request information about your stored data. |
| Correction (Art. 16) | You can request the correction of incorrect data. |
| Deletion (Art. 17) | You can request the deletion of your data, provided there are no legal retention obligations. |
| Restriction (Art. 18) | You can request the restriction of processing. |
| Data portability (Art. 20) | You can receive your data in a common format. |
| Objection (Art. 21) | You can object to the processing, especially for direct marketing. |
| Revocation of consent (Art. 7 para. 3) | You can revoke a given consent at any time. |
To exercise your rights, contact us at support@miracles.my.
Right to complain to the supervisory authority
You have the right to file a complaint with the competent data protection authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
www.dsb.gv.at
18. Changes to this privacy policy
We may update this privacy policy to reflect changes in our processing practices, legal requirements, or technical developments. The current version is always available on this page.
19. Contact
If you have questions about this privacy policy or about exercising your rights:
Pushed FlexCo
Gölsdorfgasse 3/5
1010 Vienna, Austria
E-Mail: support@miracles.my