Little Ekko Co.
Legal

Privacy Policy

Effective 4 May 2026

1. Who we are

LittleEkkoCo is a small US-based studio publishing children's picture books, papercraft templates, and printable ebooks. This policy covers the website at littleekkoco.org and any official LittleEkkoCo automation that authenticates against third-party APIs on our behalf — notably Pinterest.

You can reach us at [email protected] for any privacy-related question.

2. What data we collect

From you directly

Email addresses you submit through our lead-capture forms — for example, the form that unlocks a free PDF download or reveals a preview before a purchase. If we later enable account sign-in (Phase 6), Google OAuth will provide your name, email address, and Google account ID.

From Pinterest's API

When the LittleEkkoCo maintainer authorizes our Pinterest integration, we receive and store: account ID, username, account type, board IDs and metadata, pin IDs and metadata, and OAuth access and refresh tokens. We request the following scopes:

  • boards:read — list and inspect existing boards to avoid creating duplicates.
  • pins:read — list existing pins to avoid republishing the same image.
  • boards:write — create new boards for product launches.
  • pins:write — publish marketing pins to LittleEkkoCo's own boards.
  • user_accounts:read — confirm the connected account is the LittleEkkoCo business account before publishing.

Today this integration is first-party only — only the LittleEkkoCo account itself authorizes it. We do not act on behalf of any other Pinterest user.

Automatic

Our server records standard access logs (IP address, user agent, request path) for a short period to investigate abuse. We use Umami for analytics. Umami is self-hosted on our own infrastructure, does not set cookies, and does not track you across other websites.

3. Why we collect it

  • Email addresses — to deliver the requested PDF and, if you opted in, to send occasional product announcements. You can unsubscribe at any time.
  • Account data (Phase 6+) — to sign you in, authorize purchases, and let you re-download paid templates from your account page.
  • Pinterest API data — to publish marketing pins to LittleEkkoCo's own boards on the maintainer's behalf, and to read board and pin state for de-duplication. We do not use Pinterest data for advertising, profile-building, training models, or any purpose unrelated to publishing our own marketing content.
  • Server logs and analytics — to keep the site running, investigate errors, and understand which pages people find useful in aggregate.

4. Who we share it with

We do not sell your personal data. We share limited data only with service providers that help us run the site:

  • Cloudflare — CDN and the secure tunnel that fronts our site.
  • Google — when you sign in with Google OAuth (Phase 6 onwards).
  • Resend — transactional email delivery (order confirmations and download links), when enabled.
  • Stripe — payment processing, tax calculation, fraud screening, and payment receipts for direct checkout.
  • Cloudflare R2 — encrypted off-site storage for nightly database backups.

We do not sell, rent, or repurpose Pinterest API data, and we do not share it with any third party other than the storage providers above.

5. How long we keep it

  • Pinterest OAuth tokens — until the maintainer revokes access in Pinterest, or until 90 days of integration inactivity have passed, whichever comes first. We refresh tokens automatically while the integration is in active use.
  • Email addresses — until you ask us to delete them.
  • Account data — until you delete your account.
  • Database backups — 30 days, then automatically pruned.
  • Server access logs — 14 days.

6. How to delete your data or revoke access

You can revoke the LittleEkkoCo Pinterest integration at any time from https://www.pinterest.com/settings/apps/. Once revoked, our copy of your tokens becomes unusable and is removed on the next cleanup cycle.

To delete email or account data we hold about you, write to [email protected] and we will action the request within 30 days.

7. Token storage and security

OAuth tokens are stored in our self-hosted Postgres database, which runs on hardware we operate behind a Cloudflare Tunnel with no inbound ports exposed to the public internet. Tokens are not transmitted to any third party. Database backups are encrypted in transit and at rest in Cloudflare R2.

8. Children

Our products are designed for children, but the Service — meaning the website and its accounts — is not directed at users under 13 and is intended to be used by parents, guardians, and educators. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information through the site, contact us and we will remove it.

9. International users

LittleEkkoCo operates from the United States. Personal data submitted from outside the United States is transferred to and stored in the United States. By using the Service you consent to this transfer.

10. Changes to this policy

We may update this policy from time to time. Material changes will update the effective date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact

Questions, deletion requests, or anything else privacy-related — [email protected].