Terms of Subscription and Use

Version: 1.0 - April 2026

Applicable law: French law, GDPR (EU) 2016/679, EU Directives

Compliance: LCEN • French Consumer Code • Directive 2011/83/EU

This English text is a courtesy translation. The French version is the only authoritative version and prevails (see "Authoritative language version" below); French law applies.

Section 1 - IDENTIFICATION, LEGAL FRAMEWORK AND PRELIMINARY RESPONSIBILITIES

1.1 IDENTIFICATION OF THE PUBLISHER

In accordance with articles 6(I) and 6(II) of the LCEN (French Act for Confidence in the Digital Economy):

Company name: MIFELIA

Legal form: SASU (simplified single-member joint-stock company)

SIRET number: 10268028700012

SIREN number: 102680287

Registered office: 17 rue Saint-Jean, 54000 Nancy, France

Email address: contact@miloria.fr

Phone: +33 3 72 47 25 99

Legal representative / Publication director: MIFELIA

Representative's phone number: +33 3 72 47 25 99

The Publisher is subject to all regulations applicable to information-society services, in particular the LCEN, the GDPR, the French Consumer Code, and Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights.

1.2 HOSTING INFRASTRUCTURE AND DATA TRANSFERS

Technical infrastructure: Google Cloud Platform (Firebase)

Server location (active data): European Union, zone EU-WEST-1 (Ireland)

Main hosting provider: Google Cloud Division

Hosting terms: https://cloud.google.com/terms/

The Publisher ensures that the Application is hosted on infrastructure located within the European Union, guaranteeing compliance with the GDPR provisions relating to the location of core personal data.

Personal data is not transferred outside the EU, except for the third-party services listed in section 4.7 below, for which appropriate safeguards are implemented (Standard Contractual Clauses - SCC - articles 46 and 47 of the GDPR, post-Schrems II).

Safeguards for data transfers outside the EU: transfers to the United States (in particular for Anthropic Inc., Mistral AI SAS, and Google Cloud Services) are covered by:

a) The Standard Contractual Clauses (SCC) published by the European Commission in accordance with article 46(2)(c) of the GDPR;

b) The standard Data Processing Agreement (DPA) provided by Google Cloud, including post-Schrems II compliance safeguards;

c) Sub-processing terms compliant with article 28 of the GDPR.

The Publisher undertakes to update these safeguards should European case law on data transfers outside the EU change.

1.3 DATA PROTECTION OFFICER

In accordance with article 37 of the GDPR, the Publisher appoints a data protection officer:

Title: Data Protection Officer ("DPO")

Capacity: DPO

Email address: dpo@miloria.fr or contact@miloria.fr

Postal address: MIFELIA, 17 rue Saint-Jean, 54000 Nancy, France

The Data Protection Officer is responsible for:

a) Monitoring the compliance of personal data processing with the GDPR and applicable law;

b) Acting as the single point of contact with the French Data Protection Authority ("CNIL") and any competent supervisory authority;

c) Receiving and handling Users' requests to exercise their rights under articles 15-22 of the GDPR;

d) Ensuring professional secrecy and the duty of confidentiality inherent to the role;

e) Directing data-protection requests and complaints received by the Publisher;

f) Carrying out data protection impact assessments in accordance with article 35 of the GDPR;

g) Cooperating with the CNIL and any competent supervisory authority.

Users may send any request concerning their personal data to the Data Protection Officer at the contact details above, within the time limits and under the conditions provided by the GDPR (articles 12-14).

1.4 APPLICABLE LAW AND JURISDICTION

These Terms of Use, together with the Terms of Sale, the Privacy Policy and the Legal Notice, are entirely governed by the law of the French Republic, in particular:

- The French Civil Code (articles 1101 et seq., notably articles 1218-1221 on force majeure);

- The French Consumer Code (articles L. 211-1 et seq.);

- The French Commercial Code (articles L. 110-1 et seq.);

- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR);

- Act No. 2004-575 of 21 June 2004 for Confidence in the Digital Economy (LCEN);

- Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights;

- Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 (Directive on electronic commerce).

Any dispute, litigation or action arising from the application, interpretation or performance of these Terms of Use shall be brought before the courts having jurisdiction over the Publisher's registered office.

However, a consumer User residing within the European Union retains the right, under article 4(1) of Council Directive 93/13/EEC of 5 April 1993, to bring proceedings before the courts of their place of residence or domicile.

Before any legal action, the consumer User undertakes to comply with the prior mediation procedure set out in section 1.5 below.

Authoritative language version: These terms are drafted in French. Any translation into another language, in particular English, is provided as a courtesy. In the event of any divergence, contradiction or difficulty of interpretation between the French version and a translated version, the French version alone is authoritative and prevails, and French law remains solely applicable in accordance with this section.

1.5 CONSUMER MEDIATION AND AMICABLE DISPUTE RESOLUTION

In accordance with article L. 611-1 of the French Consumer Code and articles 14 and 15 of Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes ("ADR Directive"), every consumer User has the inalienable right to use, free of charge and before any litigation, an out-of-court dispute resolution mechanism.

Designated consumer mediator: appointment in progress

Full address: to be specified shortly

Email address: to be specified shortly

Website: to be specified shortly

Access terms: free recourse after an unsuccessful written complaint to MIFELIA

The mediation procedure follows these steps:

a) The consumer User first sends the Publisher a written and detailed request setting out their complaint, using the form available at contact@miloria.fr, within two (2) months following the event giving rise to the dispute;

b) The Publisher undertakes to respond to this request within fourteen (14) calendar days;

c) In the absence of an amicable resolution within two (2) months following the initial request, the consumer User may refer the matter to the consumer mediator at the contact details above;

d) Mediation is free for the consumer and does not entail any additional legal costs;

e) The parties undertake to cooperate in good faith with the mediator and to comply with the recommendations issued, save for legitimate reason.

The Publisher agrees to participate fully in the mediation procedure and to abide by the mediator's conclusions.

Section 2 - PURPOSE OF THE SERVICE AND USERS' RIGHTS & OBLIGATIONS

2.1 PURPOSE AND NATURE OF THE SERVICE

The "Miloria" Application is a digital platform for generating personalised stories for children, qualified as an "information-society service" within the meaning of article 1(1)(b) of Directive 2015/1535/EU of the European Parliament and of the Council of 9 September 2015.

On a non-exhaustive basis, the Application enables:

a) The creation and configuration of family-member profiles (physical characteristics, age, personality traits);

b) The selection of collections of narrative universes (talking animals, wizard universes, super-hero universes, and other predefined or freely entered themes);

c) The automated generation of personalised stories through orchestration of third-party artificial-intelligence services (Anthropic Claude, Mistral AI);

d) The optional generation of personalised illustrations matching the generated stories, via Google Imagen;

e) The storage, management and deletion of this generated content.

The Application is expressly provided as a "digital service" operating under a "Business-to-Consumer" (B2C) model. The Publisher provides the story- and illustration-generation service by orchestrating third-party AI services. The Publisher does not directly create the generated content, but provides:

- The technical orchestration of API calls to the AI models (Anthropic, Mistral);

- The filtering of user requests through structured and secure prompts;

- The transmission of user data to the third-party sub-processors;

- The storage and delivery of the generated content to the User.

The third-party AI services apply their own safety and compliance filters according to their respective terms of use.

2.2 LEGAL CAPACITY AND ACCESS RESTRICTIONS

2.2.1 Minimum age required and access to the Application

The Application is accessible from the age of 3 in accordance with the rules of the distribution stores (Apple App Store and Google Play), which constitute the first level of access control. These platforms require, for family accounts, explicit parental consent for any download or purchase made by a minor, unless voluntarily disabled by the parent.

Creating an account within the Application requires that the User, or their legal representative if a minor, accepts these Terms of Use and meets the conditions of use.

If manifestly inappropriate use, or use contrary to these Terms, is detected, the Publisher reserves the right to suspend or close the account concerned without notice.

2.2.2 Minor users

For minor users, the Publisher relies on the parental-control mechanisms built into the distribution platforms (Apple Family Sharing, Google Family Link), which require the authorisation of a parent or legal guardian for:

a) Downloading the Application;

b) Any in-app purchase (subscriptions, packs).

The Publisher strongly recommends that parents exercise appropriate supervision over their children's use of the Application, in particular regarding the creation of personalised content and the sharing of family data.

The processing of minors' personal data is carried out in accordance with article 8 of the GDPR, under the responsibility of the legal representative who accepts these Terms on behalf of the minor.

See section 4.8 for the full regime applicable to minors' data.

2.2.3 Users aged eighteen (18) and over

Users aged eighteen (18) and over access the Application without additional restriction, provided they have the legal capacity required to enter into a valid contract, in particular being legally capable, not subject to a measure of incapacity or guardianship, and not under any legal prohibition.

2.3 ACCOUNT CREATION AND MANAGEMENT

2.3.1 Account-creation formalities

To access the full features of the Application, the User must create a personal account by providing the following minimum information:

a) A valid, active email address under their exclusive control (format compliant with the RFC 5322 standard). This address will serve as the unique identifier for authentication and account recovery;

b) A password of appropriate complexity, establishing authentication sufficiently robust against unauthorised access;

c) Explicit acceptance of these Terms of Use and the Privacy Policy;

d) A date of birth allowing verification of compliance with the minimum age required.

The User undertakes to provide accurate, complete, up-to-date, lawful and truthful information. The Publisher reserves the right to verify the accuracy of this information by any appropriate means, including by requesting proof of identity, without being required to justify such request.

2.3.2 Optional user-profile data

In addition to the minimum data, the User may optionally provide:

a) A profile photograph (not mandatory), which, where applicable, will be subject to automatic filtering against nudity and other inappropriate content;

b) A textual profile description (short biography, interests).

This optional data remains under the User's absolute responsibility. The User warrants that it does not infringe any third-party right (copyright, image rights, trademarks, legal provisions against discrimination, disparagement or defamation).

2.3.3 Account security and responsibility

The User remains solely responsible for maintaining the absolute confidentiality of their authentication credentials (email address, password) and the physical security of the device from which they access the Application.

The User assumes full civil and criminal liability for all activities carried out using their account, including activities initiated by a third party who has obtained access to their credentials.

The User undertakes to notify the Publisher immediately via contact@miloria.fr in the event of suspected unauthorised access, fraudulent use of their account, or disclosure of credentials.

2.3.4 Lost or forgotten access

If the password is lost or forgotten, the User may use the reset feature accessible via the login interface, which sends a reset link to the email address associated with the account.

The User remains responsible for maintaining access to that email address. The Publisher cannot be held liable for the inability to access the account following the loss of access to the associated email address.

2.4 ACCOUNT DELETION AND DATA ANONYMISATION

2.4.1 Right of termination and deletion

The User may terminate their contractual relationship with the Publisher and delete their account at any time and without justification, by submitting a formal request via the Application interface (Settings menu > Delete account) or by sending a written request to contact@miloria.fr.

This deletion results in the immediate inaccessibility of the account and the progressive deletion of the associated personal data in accordance with the provisions of section 4.5 (Retention periods) below and articles 17-18 of the GDPR (Right to erasure).

2.4.2 Automatic deletion of inactive accounts

In accordance with article 5(1)(e) of the GDPR (storage limitation), any account remaining inactive for a continuous period of twenty-four (24) months will be automatically deleted by the Publisher.

"Inactivity" is defined as the total absence of connection to the Application or of any interaction (collection creation, story generation, purchase) during that period.

The Publisher will send a prior notification to the associated email account thirty (30) days before the scheduled automatic deletion, informing the User of the imminent deletion and allowing them to restore their account by simply logging in.

Failing any action by the User within this thirty (30) day period, the account will be permanently deleted.

2.4.3 Anonymisation of identifying data

Upon the User's voluntary deletion of the account or automatic deletion for inactivity, the identifying data allowing the direct identification of the User will be deleted in accordance with GDPR article 17 (Right to erasure):

a) Email address;

b) Password (hashed or encrypted);

c) Profile photograph;

d) Date of birth;

e) IP address of last connection;

f) Session identifiers.

This data will be deleted from the Publisher's active databases within a maximum of forty-eight (48) hours following the request or the triggering event.

Anonymised or aggregated data, namely:

- General usage statistics (total number of stories generated, average number of images per story, favourite collections) stripped of any identifier allowing identification of the author;

- Generation data with no link to an identified person;

- Anonymised error or audit logs;

may be kept indefinitely for statistical, behavioural-analysis, academic-research and service-improvement purposes, in accordance with GDPR article 5(1)(e).

This anonymised data does not allow the identification of a natural person and is processed in a manner irreversibly dissociated from any personal identifier.

2.4.4 Complete and irrevocable deletion

A User wishing to obtain the total, definitive and irrevocable deletion of all their data, including anonymised and aggregated data, must make an explicit and formal request by registered letter with acknowledgement of receipt addressed to contact@miloria.fr, with the express subject line: "REQUEST TO EXERCISE THE RIGHT TO ERASURE - GDPR ARTICLE 17".

The Publisher undertakes to handle this request within thirty (30) calendar days of receipt, extendable by a further two (2) months in the event of justified complexity under article 12(3) of the GDPR, and will inform the User of the measures taken.

Section 3 - GENERAL TERMS OF SALE (GTS) AND PAYMENT TERMS

3.1 NATURE OF THE SERVICES SOLD

The Publisher offers two types of services sold via the Application:

a) Recurring subscription: The User subscribes to a monthly or annual plan allowing them to generate a limited number of stories and images per billing period (example: "Starter" plan = 10 stories/month);

b) One-shot pack purchases: The User makes occasional purchases of batches of additional stories or batches of additional images, independently of or in addition to an active subscription.

The prices and commercial terms of the subscription plans and packs are publicly displayed in the Application and may be modified in accordance with the terms described in section 3.2 below.

3.2 CHANGES TO PRICES AND COMMERCIAL TERMS

The Publisher reserves the right to modify subscription prices, commercial terms and the features of the Application at any time.

In the event of a price change:

a) The Publisher will notify the User by email at least thirty (30) days before the change takes effect;

b) The change will apply to the next billing cycle following that notification;

c) The User retains the right to cancel their subscription without penalty before the date the change applies, by sending a written request to contact@miloria.fr;

d) Keeping the subscription after notification constitutes tacit acceptance of the new prices.

For one-shot packs, the price in force at the time of purchase applies, with no retroactivity on previous purchases.

3.3 PAYMENT TERMS AND THIRD-PARTY PROVIDERS

3.3.1 Payment via official platforms

All payments are processed exclusively via the official payment platforms of the application stores:

a) Apple App Store (for iOS devices);

b) Google Play Store (for Android devices).

The Publisher has access neither to any sensitive payment data (card number, CVV, expiry date) nor to any payment token directly. The processing of banking data and transactions is entirely handled by the aforementioned providers according to their respective terms of use and security policies.

3.3.2 Publisher's liability regarding payment

The Publisher does not collect, store or process any sensitive data relating to the User's means of payment. The Publisher therefore cannot be held liable for:

a) Fraud, identity theft, or unauthorised use of means of payment registered with the providers (Apple, Google);

b) The closing or blocking of transactions carried out by the payment providers;

c) Billing or debit errors made by the payment providers.

In the event of a dispute relating to a payment, the User must first contact the payment provider (Apple or Google) before requesting the Publisher's intervention.

3.3.3 Purchase confirmation and invoice

For each purchase (subscription or pack), the User receives immediate confirmation within the Application. Invoices are available in the Application's management interface or may be requested from contact@miloria.fr.

3.4 RIGHT OF WITHDRAWAL - DIRECTIVE 2011/83/EU

3.4.1 Absence of a right of withdrawal for performed digital services

In accordance with article 16(d) of Directive 2011/83/EU on consumer rights (transposed into French law in article L. 221-28 of the Consumer Code), the User agrees to expressly and irrevocably waive their fourteen (14) day right of withdrawal for contracts concerning digital content supplied in a non-tangible manner.

The stories and illustrations generated via the Application constitute "digital content" within the meaning of that Directive. As soon as the content is generated and delivered to the User, the service is deemed "immediately performed" and the right of withdrawal becomes inapplicable.

This waiver applies to:

a) Subscriptions: from the first billing, access to the services begins immediately and the content can be viewed without delay;

b) One-shot packs: from the generation and delivery of the stories or images purchased.

3.4.2 Mandatory pre-purchase warning block

Because of this immediate and complete performance of the digital service, the User is asked to expressly state their waiver of the 14-day right of withdrawal. This waiver is made by accepting the legal warning block displayed before final payment, which clearly states:

⚠️ Legal warning before purchase

The User must explicitly tick the acceptance box before being able to confirm the payment. This acceptance constitutes an express and voluntary waiver of the right of withdrawal under article 16(m) of Directive 2011/83/EU.

3.4.3 Exceptions to the waiver of the right of withdrawal

Notwithstanding the waiver described above, the User retains their right of withdrawal in the following cases:

a) Proven technical failure: If the Application has failed to provide the service purchased (example: generation error, no access to the generated content) within twenty-four (24) hours following the purchase, the User may request a refund or a new free generation;

b) Payment anomaly: If the payment provider (Apple or Google) has made a double debit or an unauthorised debit, the User must first contact the provider, then the Publisher if the problem persists;

c) Legal non-compliance: If the generated content violates applicable laws (illegal, dangerous content), the User may request cancellation and a refund without penalty.

3.4.4 Refund-request procedure in the event of an exception

A User wishing to request a refund for one of the above exceptions must send a detailed written request to contact@miloria.fr, including:

- The transaction or subscription identifier;

- The date of purchase;

- A precise description of the problem encountered;

- The evidence or screenshots justifying the request.

The Publisher undertakes to handle the request within thirty (30) calendar days and to respond with a reasoned decision.

In the event of a favourable decision, the refund will be made to the payment provider used (Apple or Google), which will pass it on to the User according to its own procedures.

3.5 SUBSCRIPTION MANAGEMENT

3.5.1 Automatic renewal

Subscriptions renew automatically at the expiry of the subscription period (month or year). The User may cancel their subscription at any time via the Application interface (Settings menu > Manage subscription) or by sending a written request to contact@miloria.fr.

Cancellation takes effect at the end of the current subscription period. No pro-rata refund is granted for the remaining period.

3.5.2 Suspension and reactivation

In the event of non-payment of an automatic billing, the Publisher may suspend access to the Application's premium features. The User will have twenty (20) days to settle the payment via the providers concerned (Apple or Google). Failing this, the account will be kept but access to paid services will remain suspended indefinitely.

Reactivation of the subscription will occur automatically as soon as the payment is settled and detected by the Publisher's systems.

3.5.3 Access limitation for debts

In the event of persistent failed billing, the Publisher reserves the right to fully suspend the User's account after a formal notice sent to the email address associated with the account, left without effect for thirty (30) days.

3.6 TAXES AND VAT

In accordance with Council Directive 2006/112/EC of 28 November 2006 (VAT), all prices displayed in the Application for consumers residing in France are expressed in euros, inclusive of all taxes (TTC).

The applicable VAT is twenty percent (20%), the standard rate in force for digital services supplied to final consumers in France.

The Publisher collects and remits VAT to the French tax authorities according to the applicable quarterly or monthly reporting obligations.

The consumer User cannot recover or deduct the VAT paid. Professionals registered with an intra-Community VAT number may request this from contact@miloria.fr and will provide a valid VAT number.

Section 4 - PERSONAL DATA PROTECTION (GDPR)

4.1 GENERAL PRINCIPLES AND DEFINITIONS

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), the Publisher undertakes to process Users' personal data according to the following principles:

a) Lawfulness, fairness and transparency: Data is collected and processed only on the basis of explicit legal bases;

b) Purpose limitation: Collected data is processed only for the specifically declared purposes;

c) Data minimisation: Only strictly necessary data is collected;

d) Accuracy: Data is kept accurate and up to date;

e) Storage limitation: Data is kept only for the necessary duration;

f) Integrity and confidentiality: Data is secured against unauthorised access;

g) Accountability: The Publisher demonstrates its compliance at all times.

"Personal data": Within the meaning of article 4(1) of the GDPR, any information relating to an identified or identifiable natural person. For Miloria, this includes: the email address, the date of birth, the profile photograph (if provided), the family first names entered by the User, and the connection IP address.

"Processing": Within the meaning of article 4(2) of the GDPR, any operation performed on personal data (collection, recording, organisation, structuring, storage, adaptation, retrieval, use, transmission, deletion).

"Controller": The Publisher (identified in section 1.1).

"Processor": The third-party technical providers listed in section 4.7.

4.2 CATEGORIES OF PERSONAL DATA COLLECTED

4.2.1 Mandatory data for account creation and management

The following data is collected on a mandatory basis when creating the account and maintaining the service:

a) Email address: Used for authentication, account recovery, and important notifications;

b) Date of birth: Used to verify compliance with the legal minimum age and to adapt the generated content;

c) Password (hashed/encrypted): Used for secure authentication.

4.2.2 Optional and profile data

The following data may be collected if the User provides it voluntarily:

a) Profile photograph: Image uploaded by the User to personalise their profile;

b) Textual profile description: Free text describing the User;

c) Family members' first names: Freely entered by the User for the generation of personalised stories (example: "Emma", "Léo", "Mum").

These first names constitute personal data if the User associates them with identifiable real people.

4.2.3 Physical-characteristics data for illustration generation

When creating family profiles, the User may (optionally) specify the following physical characteristics for illustration-generation purposes:

a) Eye colour (example: "blue", "brown");

b) Hair colour (example: "blond", "black");

c) Skin colour (example: "fair", "medium", "dark");

d) Build/height (example: "short", "average", "tall").

This data does not constitute "sensitive data" within the meaning of article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for identification purposes, health data or data concerning sex life). It is processed as ordinary data under article 6 of the GDPR.

However, in combination with other information, it could allow a real person to be identified. The User assumes responsibility for this.

4.2.4 Technical and logging data

When using the Application, the following technical data is collected automatically:

a) Connection IP address (server logging): Used for fraud detection, access statistics, and technical diagnostics;

b) Session identifiers (authentication tokens): Used to keep the session active and secure;

c) Device type and operating system: Used for optimisation and compatibility;

d) Error and application-crash logs: Used for debugging and service improvement;

e) Event timestamps (story creations, purchases, connections): Used for traceability.

4.2.5 Payment data

No sensitive payment data (card number, CVV, expiry date, IBAN) is collected or stored by the Publisher. Transactions are processed exclusively by Apple (App Store) and Google (Play Store) according to their respective security policies.

The Publisher only receives non-sensitive transaction identifiers and payment confirmations.

4.3 LEGAL BASES FOR PROCESSING (GDPR ARTICLE 6)

Personal data is processed on one of the following legal bases:

4.3.1 Legal basis 1: Consent (article 6(1)(a))

Concerning:

- Profile photograph;

- Family first names entered as examples or tests;

- Physical characteristics for illustration generation;

- Firebase Analytics (if enabled): collection of application events.

Terms:

- Explicit consent through acceptance of the Terms of Use when creating the account;

- Specific consent for enabling Firebase Analytics if applicable;

- Right to withdraw consent at any time without penalty (GDPR article 7(3)): the User may refuse or disable collection by changing the privacy settings.

4.3.2 Legal basis 2: Performance of the contract (article 6(1)(b))

Concerning:

- Email address: essential for account creation and authentication;

- Date of birth: essential to verify legal age obligations;

- Password (hashed): essential for secure authentication;

- Payment data (transaction identifiers): essential for performing purchases and managing subscriptions;

- Family first names associated with an active account: essential for performing the story-generation service.

Terms:

- This data cannot be refused or deleted without giving up the service.

4.3.3 Legal basis 3: Legal obligation (article 6(1)(c))

Concerning:

- IP address (logging for security compliance): obligation arising from LCEN article 6 (retention of connection data as evidence) and cybersecurity directives;

- Error logs for audit and compliance: obligation arising from article 32 of the GDPR (data security).

4.3.4 Legal basis 4: Legitimate interest (article 6(1)(f))

Concerning:

- Connection IP address: fraud prevention and abuse detection;

- Error and crash logs: continuous service improvement;

- Anonymised/aggregated data: statistical analysis and academic research;

- Firebase Analytics: performance and user-service optimisation.

Terms:

- The Publisher has weighed its legitimate interest (service improvement, security) against the User's rights;

- The User may object to processing for certain purposes by sending a request to dpo@miloria.fr.

4.4 PURPOSES OF PROCESSING

The personal data collected is processed for the following purposes:

a) Account management and authentication;

b) Provision of the story- and illustration-generation service;

c) Payment and billing management;

d) Verification of legal compliance (minimum-age compliance);

e) Fraud and service-abuse prevention;

f) Technical diagnostics and performance improvement;

g) Communication with the User (important notifications, support);

h) Statistical and anonymised analysis for service improvement;

i) Legal compliance and retention of evidence (LCEN, Civil Code);

j) Response to legal requests from authorities (police, justice, CNIL).

The data will never be used for purposes incompatible with these, in particular marketing or sale to third parties without explicit consent.

4.5 DATA RETENTION PERIODS

4.5.1 Active data (active user account)

As long as the User maintains an active account:

- Email address: kept indefinitely (necessary for authentication);

- Date of birth (year only after verification): kept indefinitely;

- Password (hashed): kept indefinitely;

- Profile photograph: kept indefinitely;

- Family first names: kept indefinitely;

- Physical characteristics for illustrations: kept indefinitely;

- Technical data (IP, logs): kept for a period of ninety (90) days;

- Payment history: kept according to legal obligations (period varying from 3 to 6 years depending on the tax jurisdiction).

4.5.2 Data after account deletion by the User

Upon the User's voluntary deletion of the account:

- Identifying data (email, date of birth, password, photo): deleted within forty-eight (48) hours;

- Family first names and physical characteristics entered: deleted within forty-eight (48) hours;

- IP addresses and technical logs: kept for a further ninety (90) days (for security audit), then deleted;

- Anonymised data (statistics, aggregates): kept indefinitely;

- Anonymised payment history: kept indefinitely for accounting and statistical purposes.

4.5.3 Data after automatic deletion for inactivity (24 months)

Identical to section 4.5.2 (voluntary deletion).

4.5.4 Data kept by processors

The retention periods at the processors (Google Cloud, Anthropic, Mistral, Google Imagen) are governed by their own policies and their data-processing agreements (DPA, article 28). See section 4.7 for details.

USER RIGHTS (GDPR ARTICLES 15-22)

The User has the following rights over their personal data:

4.6.1 Right of access (article 15)

The User may at any time request access to all their personal data processed by the Publisher. The Publisher will provide a complete copy in a structured, commonly used and machine-readable format (GDPR article 20).

Request method: Email to dpo@miloria.fr with the mention "DATA ACCESS REQUEST - GDPR ARTICLE 15".

Response time: Thirty (30) calendar days, extendable by two (2) months in case of complexity (GDPR article 12(3)).

4.6.2 Right to rectification (article 16)

The User may request the correction or updating of inaccurate or incomplete data. The Publisher undertakes to rectify within fifteen (15) days.

Method: The User may correct their data themselves via the Application's settings interface, or submit a formal request to dpo@miloria.fr.

4.6.3 Right to erasure (article 17) - "Right to be forgotten"

The User may request the deletion of their personal data if:

a) The data is no longer necessary in relation to the purposes (inactive account);

b) They withdraw their consent (for consent-based processing);

c) They object to the processing and there is no overriding legitimate interest;

d) The data has been processed unlawfully;

e) Deletion is required to comply with a legal obligation;

f) The data concerns a minor (GDPR article 8).

Exceptions to erasure:

- If processing is necessary for the performance of the contract (account history);

- If a legal obligation requires retention (accounting, audit trail);

- If the Publisher has an overriding legitimate interest (fraud prevention).

Time: Fifteen (15) days for review, then effective deletion within forty-eight (48) hours (except for the exceptions above).

4.6.4 Right to restriction of processing (article 18)

The User may request the restriction of the processing of their data, for example if accuracy is contested. During restriction, the data remains stored but is no longer processed.

Time: Fifteen (15) days for effective restriction.

4.6.5 Right to portability (article 20)

The User may request a copy of their data in a structured, commonly used and machine-readable format (CSV, JSON, XML), so as to be able to transfer it to another service.

This copy will include:

- Email address;

- Date of birth;

- Family first names entered;

- Physical characteristics provided;

- History of generated stories (metadata);

- Payment history (anonymised).

Limitation: The copy will not include the generated content (stories, images) because these are works created by the third-party AI models and governed by their own terms.

Time: Forty-five (45) days for provision.

4.6.6 Right to object (article 21)

The User may object to the processing of their data for:

a) Direct-marketing purposes: immediate stop;

b) Legitimate interest: the Publisher must cease processing, unless it can demonstrate a compelling and legitimate reason;

c) Statistical purposes: more complex, subject to conditions.

Time: Fifteen (15) days for effective cessation.

4.6.7 Right not to be subject to automated decision-making (article 22)

The User has the right not to be subject to a decision based solely on automated processing (including profiling) if that decision produces legal effects or significantly affects the User.

Miloria does not currently use automated decision-making affecting access to services (example: automatic blocks based on profiling).

In the event of a future change, the Publisher will inform Users and offer human intervention.

PROCESSORS AND DATA TRANSFERS (GDPR ARTICLE 28)

4.7.1 List of processors

In accordance with article 28 of the GDPR, the Publisher discloses the list of its processors with whom personal data is shared:

Processor: Google Cloud Platform (Firebase)

  • Registered office: Mountain View, CA, USA
  • Sector: Hosting infrastructure, data storage, analytics
  • Data transferred: Email, IP, technical logs, session tokens
  • Legal basis for transfer: Standard Contractual Clauses (SCC) + DPA
  • DPA link: https://cloud.google.com/terms/data-processing-amendment
  • Sub-processors: Google Cloud services (see DPA)

Processor: Anthropic Inc.

  • Registered office: San Francisco, CA, USA
  • Sector: AI model (Claude), text generation
  • Data transferred: First names, generation parameters, prompts
  • Legal basis for transfer: SCC + API terms of use
  • Terms link: https://www.anthropic.com/terms-of-service

Processor: Mistral AI SAS

  • Registered office: Paris, France (European Union)
  • Sector: Alternative AI model (fallback), text generation
  • Data transferred: Identical to Anthropic (used only in case of unavailability)
  • Legal basis for transfer: Intra-EU processing, no transfer outside the EU required
  • Terms link: https://mistral.ai/terms/

Processor: Google Imagen (Google Cloud)

  • Registered office: Mountain View, CA, USA
  • Sector: Image generation by artificial intelligence
  • Data transferred: Physical characteristics, descriptions, prompts
  • Legal basis for transfer: SCC + Google Cloud DPA
  • Legal coverage: Included in the Google Cloud DPA mentioned above

4.7.2 Data Processing Agreements (DPA)

Each processor has signed or accepted processing terms including:

- Obligation to process data according to the Publisher's instructions;

- Absolute confidentiality of data;

- Technical and organisational security measures;

- Prohibition on sub-processing without prior authorisation;

- Obligation to notify the Publisher in the event of a data breach;

- The Publisher's right to audit security practices;

- Deletion or return of data at the end of the service.

The Publisher undertakes to regularly verify the compliance of these processors and to update this list as soon as a new processor is engaged.

4.7.3 Data transfers outside the EU (GDPR articles 46-47)

Personal data is transferred to the United States (Anthropic, Google) according to the following safeguard mechanisms:

a) Standard Contractual Clauses (SCC): Decision 2004/915/EC and the European Commission decision of 4 June 2021 (C(2021)3671);

b) Additional post-Schrems II safeguards: The Publisher assessed US remote-access laws (FISA 702, EO 12333) and implemented compensating measures (encryption, separation of sensitive data, contractual measures).

c) Transfer Impact Assessment (TIA) information sheet available on request.

The User retains the right to challenge these transfers before the CNIL (contact@cnil.fr).

PROCESSING OF MINORS' DATA (GDPR ARTICLE 8)

4.8.1 Legal framework and Miloria's approach

In accordance with article 8(1) of the GDPR, the processing of personal data of minors under sixteen (16) requires an appropriate legal basis. In France, the national threshold is set at 15 years (French Data Protection Act).

The Application is available on the App Store (Apple) and Google Play from the age of 3, in accordance with the minimum rules of these platforms. The control of minors' access relies primarily on the stores' native mechanisms:

- Apple Family Sharing: any purchase or download by a minor account requires the explicit approval of the organising parent, unless voluntarily disabled;

- Google Family Link: same principle, with parental validation required for downloads and purchases.

The Publisher thus delegates this first level of control to the stores, which constitutes the effective parental-consent mechanism for access to the Application and in-app purchases.

4.8.2 Age brackets and restrictions

Bracket 1: under 13 years

  • Status: Access subject to parental approval via the store
  • Mechanism: Apple Family Sharing / Google Family Link
  • Legal basis for processing: Consent of the legal representative

Bracket 2: 13 to 14 years

  • Status: Access allowed with parental supervision recommended
  • Legal basis: Parental consent (GDPR art. 8 / national threshold 15 years)
  • Store mechanism: Parental approval required for download and purchases
  • Data collected: Email, date of birth, first and last names

Bracket 3: 15 to 17 years

  • Status: Access allowed
  • Legal basis: Consent of the minor (national threshold of 15 years reached)
  • Parental consent: Not legally required beyond 15 years
  • Data collected: Identical to that of adults

Bracket 4: 18 years and over

  • Status: Unrestricted access
  • Legal basis: Full legal capacity
  • Data collected: Standard data (email, date of birth, etc.)

4.8.3 Parental rights

If a parent or guardian discovers that their minor child is using the Application without their consent, they may:

a) Request access to their child's data (GDPR art. 15);

b) Request the deletion of the account (GDPR art. 17);

c) Challenge the processing before the CNIL.

Procedure: Email to dpo@miloria.fr with the mention "PARENTAL RIGHTS REQUEST MINOR - GDPR ARTICLE 8".

The Publisher undertakes to handle the request within 15 days.

DATA SECURITY (GDPR ARTICLE 32)

In accordance with article 32 of the GDPR, the Publisher undertakes to implement technical and organisational measures to ensure a level of security appropriate to the risk:

4.9.1 Technical measures

a) Encryption of data in transit: All transfers of personal data use the HTTPS protocol with TLS 1.2 minimum;

b) Encryption of data at rest: Data stored on Firebase is encrypted by Google using AES 256-bit;

c) Multi-factor authentication: Optionally available for sensitive accounts;

d) Password hashing: Passwords are hashed with bcrypt or equivalent (never stored in plain text);

e) Web application firewall (WAF): Deployment of protection rules against common web attacks (SQL injection, XSS, DDoS);

f) Data isolation: Data separated per user at the database level;

g) Regular backups: Automated daily backups with geographic redundancy;

h) Monitoring and alerts: 24/7 monitoring of access logs and anomaly detection.

4.9.2 Organisational measures

a) Restrictive access policy: Only authorised staff have access to the databases (least-privilege principle);

b) Confidentiality agreements: All staff sign confidentiality agreements including the non-disclosure of personal data;

c) Security training: Mandatory annual training in security and GDPR compliance;

d) Security audit: Regular (annual) security audits carried out by independent external third parties;

e) Crisis-management policy: Established procedures to respond to security incidents (see section 4.10);

f) Access management: Quarterly review of staff access rights.

4.9.3 Measures specific to third-party services

- Google Cloud Platform: SOC 2 Type II, ISO 27001 certifications;

- Anthropic: Security policies under its terms of service;

- Mistral AI: Based in France, maximum GDPR compliance.

The Publisher regularly assesses the compliance of these providers.

PERSONAL DATA BREACH AND NOTIFICATION

In accordance with articles 33-34 of the GDPR, in the event of a personal data breach, the Publisher proceeds according to the following protocol:

4.10.1 Definition of a data breach

A breach is any destruction, loss, alteration, unauthorised disclosure of, or accidental or unlawful access to, personal data.

Example: Unauthorised access to a user account, leak of a database, loss of a backup, ransomware.

4.10.2 Internal procedure

Upon discovery of a breach:

a) Containment: Identification and immediate stopping of the attack vector;

b) Assessment: Assessment of the risk to users' rights and freedoms (severity, number of people affected);

c) Documentation: Detailed recording of the breach and the corrective measures;

d) CNIL notification: If high risk, notification to the CNIL within 72 hours (GDPR article 33).

4.10.3 Notification to users (article 34)

If the breach presents a "high risk" to users' rights and freedoms, the Publisher notifies the affected users without undue delay by all means (email, in-app notification) in clear language setting out:

a) The nature of the breach;

b) The data affected;

c) The foreseeable consequences;

d) The measures taken or proposed to mitigate the risk;

e) The DPO's contact details for any questions.

4.10.4 Exemption from notification

Notification to users is NOT required if:

- The breach does not present a high risk (e.g. anonymised data);

- The data was encrypted and the keys are not compromised;

- The Publisher has taken technical measures preventing access (e.g. brute-force attempt blocked by the WAF).

4.10.5 Cooperation with authorities

The Publisher cooperates fully with the authorities in the event of an investigation (CNIL, police, justice) by providing the available information.

COOKIES AND TRACKING TECHNOLOGIES

4.11.1 Use of cookies

Miloria uses cookies and tracking technologies for:

a) Technical (session) cookies: Maintaining the user's connection, session management;

b) Firebase Analytics (optional): Anonymised collection of application events for statistical analysis and service improvement.

Technical cookies: do NOT require consent (essential to providing the service - article 5(3) of the ePrivacy Directive 2002/58/EC, amended by 2009/136/EC);

Firebase Analytics: IF enabled, subject to implicit or explicit consent according to user preferences.

4.11.2 Cookie-consent management

The User may control their tracking preference via:

a) The Application settings (Settings > Privacy > Allow Analytics);

b) Their device settings (iOS: Settings > Privacy > Tracking) (Android: Settings > Google > Manage your Google Account > Data & Personalisation);

c) Refusing cookies via a banner message on first launch.

Section 5 - LIABILITY AND LIMITATIONS OF LIABILITY

NATURE AND QUALITY OF THE SERVICE - LIMITING CLAUSES

5.1.1 Service provided "as is"

The Miloria Application is provided to the User "as is", without any warranty of any kind, express or implied, except as expressly provided by mandatory law (consumer law).

The User accepts that:

a) The Application may contain bugs, errors or malfunctions;

b) The availability of the service is not guaranteed (no "SLA" or service-level agreement);

c) The content generated by the AI models is provided without any warranty of quality, accuracy, or conformity to specific expectations;

d) The generated illustrations may not exactly match the parameters entered;

e) The third-party services (Anthropic, Mistral, Google) may be unavailable, degraded, or provide unpredictable results.

5.1.2 No guarantee of result

The Publisher does not guarantee that:

a) The generated stories will be suitable for all children or situations;

b) The generated illustrations will be faithful to a particular vision;

c) The generated content will be free of any spelling, grammatical, or factual error;

d) The Application will function without interruption or errors;

e) The data will be fully restored after an involuntary loss or deletion (except for legal obligation).

5.1.3 Limited liability of the Publisher

Notwithstanding any other provision, the Publisher's overall liability towards the User is strictly limited to:

a) Zero euros (€0): The Publisher accepts no liability for direct or indirect damage resulting from the use of the Application;

b) Or, in the alternative: A refund limited to the amount of the last payment made by the User (monthly subscription, one-shot pack).

This means that, in no event, will the Publisher be held liable for:

c) Loss of profits or commercial benefits;

d) Loss of data or generated content;

e) Indirect, consequential, special, or punitive damages;

f) Business or service interruption;

g) Losses caused by third parties (hacking, viruses, accidents);

h) Unsuitability of the service for a particular use (even if the User has informed the Publisher).

This limitation applies even if the Publisher has been advised of the possibility of such damage.

CONTENT GENERATED BY THIRD-PARTY ARTIFICIAL INTELLIGENCE

5.2.1 The Publisher's liability for generated content

Miloria orchestrates several third-party AI services (Anthropic Claude, Mistral AI, Google Imagen) to generate the stories and illustrations.

The Publisher controls:

a) The structured prompts sent to the AI models (filtered user input);

b) The application filters to refuse dangerous or illegal requests;

c) The delivery of the generated content to the User.

The Publisher does NOT control:

a) The accuracy or relevance of the results generated by the AI models;

b) The errors, hallucinations, or unpredictable content produced by the models;

c) Changes in the capabilities or behaviour of the AI models (versions updated by Anthropic/Mistral);

d) Variable performance depending on the parameters entered.

5.2.2 Liability for dangerous content generated despite the filters

The Publisher has implemented two layers of filtering:

a) The AI models themselves apply their own safety filters according to their terms of use;

b) Miloria adds filtering at the prompt level to refuse dangerous requests (violence, sex, drugs, etc.).

If, despite these layers, dangerous content is generated (very low risk):

- The User may delete the content immediately;

- The User may report the problem to contact@miloria.fr;

- The Publisher is NOT liable for direct or indirect damage caused by this content.

5.2.3 Damage caused by generated content

In no event will the Publisher be held liable for:

a) Psychological or emotional disturbance caused by a generated story;

b) Educational or factual errors contained in a story;

c) Unintentionally offensive or discriminatory content;

d) Poorly generated or non-representative images.

The User's (parent's) primary responsibility is to review the generated content before reading it to their children.

USER DATA AND USER RESPONSIBILITY

5.3.1 The User's full responsibility for their data

The User is entirely responsible for:

a) The truthfulness and legality of the data they provide (family first names, physical characteristics);

b) The appropriate use of this data in the context of story generation;

c) Verifying that the data provided does not infringe the rights of a third party (image rights, confidentiality of minors, etc.).

The User warrants that:

a) The first names entered correspond to persons for whom they have the right to use the first name as an example;

b) The physical characteristics provided are not intended to create a discriminatory or offensive simulation;

c) The User will not modify the data to circumvent the security measures.

5.3.2 Special case: use of photos or data of minors

If the User provides first names or physical descriptions of real children:

- The User agrees that this data will be transmitted to the third-party services (Anthropic, Mistral, Google);

- The User warrants that the parents or guardians of these children have authorised the use of this data as an example in a story-generation service;

- The Publisher is NOT liable for infringements of the image rights or confidentiality of these children.

The User must in no event upload photos of children to Miloria.

SERVICE AVAILABILITY AND INTERRUPTION

5.4.1 No availability guarantee ("No SLA")

The Publisher does not guarantee the continuous availability of the Application.

The Application may be unavailable due to:

a) Planned maintenance (update, security patch);

b) Emergency maintenance (security incident, infrastructure failure);

c) Force majeure (see section 5.5);

d) Unavailability of third-party services (Anthropic, Mistral, Google Cloud);

e) Network problems or user connection issues.

The User agrees to use the Application "as is", including with the risks of unavailability.

5.4.2 Maintenance notification

The Publisher endeavours to notify Users via the Application or by email before planned maintenance of more than 2 hours.

In the event of emergency maintenance, no prior notification can be guaranteed.

5.4.3 Data backup

The Publisher performs regular backups of user data via Google Cloud. However, no backup is 100% guaranteed against loss.

The User is advised to keep local copies of the generated stories they wish to keep indefinitely.

FORCE MAJEURE (CIVIL CODE ARTICLES 1218-1221)

In accordance with articles 1218-1221 of the French Civil Code, the Publisher cannot be held liable for breaches of its obligations if the breach results from a force majeure event.

5.5.1 Definition of force majeure

An event constitutes force majeure if it meets the following three cumulative criteria:

a) Externality: The event is beyond the Publisher's control;

b) Unforeseeability: The event was not foreseeable at the time of the conclusion of the contract;

c) Irresistibility: The Publisher cannot overcome the event despite reasonable efforts.

5.5.2 Events constituting force majeure

The following events are presumed to be force majeure:

a) Natural disasters (earthquake, storm, flood);

b) Wars, terrorist attacks, acts of terrorism;

c) Pandemics or epidemics (e.g. COVID-19, avian flu);

d) Massive cyberattacks (DDoS botnets, hacking of national infrastructure) affecting the providers (Google Cloud, Anthropic);

e) Large-scale power or network outages;

f) Extraordinary government acts (service ban, emergency regulation).

5.5.3 No liability in the event of force majeure

If a force majeure event affects the Application or the third-party services, the Publisher is released from its liability for:

a) The temporary interruption of the service;

b) Data loss (within the limit of what is technically unavoidable);

c) Damage caused to Users.

The Publisher nevertheless undertakes to:

a) Notify Users of the force majeure upon discovery;

b) Restore the service as quickly as possible;

c) Provide reasonable recovery estimates.

5.5.4 Non-application of force majeure

The following do NOT constitute force majeure:

a) Design or security errors to be corrected by the Publisher;

b) Processor failures due to poor management (which would be avoidable);

c) Simple cyberattacks (not on a massive scale affecting the infrastructure);

d) Scheduled unavailability of third-party services (e.g. planned Google Cloud maintenance).

COMPLAINTS AND RESOLUTION PROCEDURE

5.6.1 Complaint steps

In the event of a problem or complaint concerning the Application:

Step 1 - Initial contact: The User sends a detailed request to contact@miloria.fr describing the problem.

Waiting time: 24-48 hours before a first response.

Step 2 - Diagnosis: The Publisher examines the problem and proposes a solution or explanation.

Waiting time: 5-10 days depending on complexity.

Step 3 - Resolution or escalation: If the problem is not resolved:

- For consumer customers: recourse to consumer mediation (section 1.5);

- For other types of customers: escalation to management or litigation.

5.6.2 Evidence and burden of proof

For certain complaints, the User may be required to provide evidence:

a) Screenshots of the error;

b) Exact timestamp of the incident;

c) Detailed description of the steps to reproduce the problem;

d) Identifiers of the account concerned.

The Publisher will only accept reasonably documented support requests.

5.6.3 Limitation period

Complaints must be sent within a period of:

a) Three (3) years for consumer customers (Civil Code);

b) Two (2) years for professional customers (commercial law).

After this period, the complaint will no longer be examined.

USER INDEMNITY

The User indemnifies and defends the Publisher against any claim, demand, or action from third parties, arising from:

a) The User's inappropriate use of the Application;

b) The User's breach of these Terms of Use;

c) Data provided by the User that infringes the rights of a third party;

d) The User's non-compliance with applicable law;

e) The use of the Application for illegal purposes or contrary to public order.

The User bears all costs, lawyers' fees, and expenses arising from this indemnity.

Section 6 - GENERATED CONTENT, MODERATION AND RULES OF USE

LEGAL STATUS OF GENERATED CONTENT

6.1.1 Generated content as performed digital services

The stories and illustrations generated by Miloria constitute "non-tangible digital content" within the meaning of Directive 2011/83/EU, supplied as digital services, and not as hosted third-party content.

Stories generated by AI at the User's request are a "digital service" provided by the Publisher; the Publisher is a "service provider" (Directive 2011/83/EU, limited liability via as-is clauses).

Consequently:

a) The stories/illustrations belong to the User who requested them, but remain generated by third parties (Anthropic, Mistral, Google);

b) The Publisher provides the generation "service"; it does not directly create the content;

c) The Publisher is only responsible for the technical orchestration, filtering, and delivery;

d) The third-party AI models remain responsible for the quality of their outputs according to their own terms.

AUTOMATIC FILTERING OF DANGEROUS REQUESTS

6.2.1 Multi-layer filtering system

Miloria implements a robust filtering system to prevent the generation of dangerous content:

LAYER 1 - Filtering at the structured-prompt level:

All user requests are transformed into structured and secure prompts before transmission to the AI models. Unauthorised or dangerous parameters are refused before they even reach Anthropic/Mistral/Google.

Examples refused:

- Explicit requests for graphic violence;

- Requests for sexual content or nudity;

- Requests positively mentioning alcohol, tobacco, drugs;

- Requests for discriminatory content;

- Requests for dangerous instructions (making explosives, self-harm).

LAYER 2 - Filtering at the AI-model level:

The Anthropic Claude and Mistral models have their own safety filters ("safety training") that refuse to generate certain content even if the prompt requests it.

LAYER 3 - Optional post-processing:

After generation, the content may be subjected to post-generation filtering to detect problematic content (optional, not systematic).

6.2.2 Explicitly prohibited content

Miloria explicitly refuses to generate:

a) VIOLENCE AND GORE:

- Graphic descriptions of physical violence;

- Fatal or seriously injuring accidents;

- Torture, mutilation, or physical abuse;

- Graphic war or combat;

b) SEXUAL CONTENT:

- Any content with sexual connotations;

- Nudity or exposure of the body;

- Paedophile or child-abuse content;

- Sexual exploitation in any form;

c) DANGEROUS SUBSTANCES:

- Promotion of alcohol, tobacco, or drugs;

- Drug-manufacturing instructions;

- Content glorifying substance use;

d) SELF-HARM AND SUICIDE:

- Incitement to self-harm or suicide;

- Suicide or self-harm instructions;

- Content encouraging self-harm;

e) DISCRIMINATION AND HARASSMENT:

- Discriminatory content based on race, ethnic origin, religion, sex, sexual orientation, disability;

- Harassment, intimidation, or cyberbullying;

- Content inciting hatred or violence;

f) ILLEGAL CONTENT:

- Instructions for crimes (robbery, hacking, etc.);

- Content infringing copyright;

- Content involving exploitation or trafficking;

g) DANGEROUS MISINFORMATION:

- False medical content that could cause harm (e.g. refusing vaccination presented as "better than the vaccine");

- Misleading financial advice;

- False information about legal rights;

h) EXPLOITATION OF MINORS:

- Any content involving minors inappropriately;

- Grooming content;

- Child-abuse content.

PROCESS IN THE EVENT OF DANGEROUS GENERATED CONTENT

Although the multi-layer filtering system makes this case very rare, Miloria has a procedure in the event of problematic content generated despite the filters:

6.3.1 Immediate deletion by the User

The User may delete any story or illustration in a single click via the Application interface ("Delete" option). Deletion is immediate and irreversible.

6.3.2 Reporting to the Publisher

If the User considers that generated content is dangerous or inappropriate, they may:

a) Fill in a reporting form available in the Application (menu Help > Report a problem);

b) Send an email to support@miloria.fr with:

- The identifier of the problematic story/image;

- A detailed description of the problem;

- A screenshot if applicable;

- A proposed correction.

6.3.3 Handling by the Publisher

The Publisher undertakes to:

a) Receive and document the report within 24 hours;

b) Examine the flagged content within 3-5 business days;

c) Determine whether the content actually violates Miloria's policies;

d) Take appropriate action:

- If a violation is confirmed: review of the filtering system for improvement;

- If a false positive: explanation to the User of the reasons;

e) Inform the User of the decision within 7 days.

6.3.4 Possible actions

In the event of a confirmed violation of a content policy, the Publisher may:

a) Improve the filtering to prevent recurrence;

b) Document the incident for the purpose of improving the system;

c) Contact the AI providers (Anthropic, Mistral) if the problem originates from their models (which is rare);

d) No account-closure action is contemplated, because the User did not create the content directly (they simply requested the generation).

6.3.5 No liability of the Publisher

Notwithstanding the procedure above, the Publisher is NOT liable for:

a) Damage caused by the generated content before reporting;

b) Trauma or psychological distress caused;

c) Actions taken by children exposed to the content (parental responsibility);

d) Content not detected despite the filters.

RULES OF USE - USER OBLIGATIONS

By accepting these Terms of Use, the User undertakes to:

6.4.1 Lawful and compliant use

a) Use the Application in accordance with applicable laws (France, EU);

b) Not use the Application for purposes that are illegal, fraudulent, or contrary to public order;

c) Respect the rights of others (copyright, image rights, confidentiality);

d) Not circumvent or disable the security measures.

6.4.2 Responsible use of the account

a) Provide accurate and up-to-date data;

b) Maintain the confidentiality of their access credentials;

c) Immediately notify the Publisher in the event of unauthorised access;

d) Not share their account with third parties;

e) Not create multiple accounts to circumvent the limitations.

6.4.3 Respect for the generated content

a) Not claim intellectual-property ownership of the generated content (the content is generated by third-party AI, subject to the terms of Anthropic/Mistral/Google);

b) Not claim to have created the generated content themselves;

c) Not use the content for commercial purposes without prior authorisation (see section 6.5);

d) Not claim that Miloria endorses or approves the commercial use.

6.4.4 No misuse

a) Not generate thousands of stories repeatedly to overload the systems (DoS);

b) Not attempt to discover security vulnerabilities (without responsible notification);

c) Not use the Application for spam, phishing, or scams;

d) Not share access to the Application so as to circumvent the subscriptions.

INTELLECTUAL PROPERTY OF GENERATED CONTENT

6.5.1 Ownership of the AI models

The AI models themselves (Claude, Mistral, Imagen) are the intellectual property of Anthropic Inc., Mistral AI SAS, and Google Inc. respectively.

The User has no ownership right over the models or their weights/parameters.

6.5.2 Ownership of the generated stories

Once a story is generated, the intellectual-property regime is as follows:

Miloria's responsibility: Zero (we are merely the technical orchestrator).

Presumed ownership of the User: Each generated story may be considered a "creative work" of which the User is deemed the author under French civil law (the User provided the creative parameters: characters, universe, tone).

However, the content remains generated by third-party AI. The User should consult the terms of use of Anthropic and Mistral to clarify ownership.

6.5.3 Personal vs commercial use

Personal use (family, leisure): The User may keep and use the generated stories without additional restriction.

Commercial use (sale, publication, monetisation): If the User wishes to sell or publish generated stories (e.g. self-publishing on Amazon):

a) The User must verify that they have the necessary rights under the terms of Anthropic/Mistral/Google;

b) The User must obtain written authorisation from Miloria before commercial use (contact@miloria.fr);

c) The User acknowledges that the third-party AI models may refuse this commercial use in their terms.

6.5.4 Generated illustrations

Same regime as the stories. The illustrations generated by Google Imagen are presumed to be the User's property for personal use, but commercial use requires clarification with Google.

SPECIAL CASES - SENSITIVE CONTENT

6.6.1 Stories dealing with sensitive subjects

Miloria may generate stories dealing with sensitive subjects for children:

a) Emotions (fear, sadness, anger, jealousy): ALLOWED (appropriate emotional development);

b) Parental separation or bereavement: ALLOWED (emotional processing);

c) The human body and puberty: ALLOWED (informative education, without explicit images);

d) Differences and diversity: ALLOWED (inclusion, normalisation);

e) Conflicts and resolution: ALLOWED (social learning).

Limit: The content must not be traumatising or graphic.

6.6.2 Parental responsibility in these cases

For all these subjects, the User (parent) is responsible for:

a) Reviewing the generated content before reading it to their child;

b) Adapting the story if it is not suitable for their child;

c) Providing appropriate emotional follow-up after reading.

The Publisher cannot know the exact age or sensitivity of each child.

ACCOUNT SUSPENSION OR CLOSURE

The Publisher reserves the right to suspend or close a user account in the event of:

a) Repeated and intentional breach of these Terms of Use;

b) Misuse of the Application (spam, DoS, hacking attempt);

c) Harassment or threats directed at the Publisher or other users;

d) Fraudulent or illegal activity;

e) Persistent non-payment after formal notice (section 3.5.3).

Suspension procedure:

1. The Publisher notifies the User by email of the reason for the suspension;

2. The User has 7 days to contest it via contact@miloria.fr;

3. After review, the Publisher notifies its final decision;

4. If the suspension is confirmed: account permanently closed, data deleted in accordance with GDPR art. 17, no refund.

Section 7 - FINAL PROVISIONS, COMPLIANCE AND MISCELLANEOUS

CHANGES TO THE TERMS OF USE

7.1.1 Right to modify

The Publisher reserves the right to modify these Terms of Use at any time and without notice, in particular to:

a) Adapt the service to new legal or regulatory requirements;

b) Clarify or correct existing provisions;

c) Introduce new features or services;

d) Maintain compliance with the GDPR and applicable laws.

7.1.2 Notification and entry into force

In the event of a substantial change to the Terms of Use:

a) The Publisher will notify active Users by email at least thirty (30) days before entry into force;

b) The new version will be displayed in the Application before entry into force;

c) A User who continues to use the Application after notification is deemed to accept the changes;

d) The User retains the right to terminate their account without penalty before the changes enter into force.

7.1.3 Minor or clarifying changes

Minor changes (typo corrections, clarifications without change of meaning) may be made without prior notice.

ACCESSIBILITY POLICY

The Publisher undertakes to make the Application progressively accessible to people with disabilities, in accordance with Directive (EU) 2016/2102 on the accessibility of websites and mobile applications.

Accessibility measures:

a) Sufficient contrast between text and background (WCAG 2.1 level AA);

b) Alternative text for images and illustrations;

c) Screen-reader support (VoiceOver iOS, TalkBack Android);

d) Accessible keyboard (navigation without a mouse);

e) Adjustable font size;

f) Optional subtitles for audio content (future).

The User may report accessibility problems to contact@miloria.fr, and the Publisher undertakes to address them within 14 days.

FRENCH AND EUROPEAN COMPLIANCE

7.3.1 General legal compliance

The Miloria Application is designed to comply with:

a) French Civil Code (articles 1101 et seq.);

b) French Consumer Code (articles L. 211-1 et seq.);

c) French Commercial Code;

d) GDPR (EU) 2016/679;

e) Directive 2011/83/EU (Consumer rights);

f) Directive 2000/31/EC (Electronic commerce);

g) Directive 2002/58/EC amended by 2009/136/EC (ePrivacy Directives);

h) Directive (EU) 2016/2102 (Accessibility);

i) LCEN (Act for Confidence in the Digital Economy, No. 2004-575 of 21 June 2004);

j) CNIL regulation (French Data Protection Authority).

7.3.2 Protection of children

In accordance with the provisions for the protection of children online (GDPR art. 8, Directive 2011/83/EU art. 5), Miloria:

a) Sets a minimum access age (13 years);

b) Strongly recommends parental supervision for 13-15 year olds;

c) Applies content filters to prevent the generation of content dangerous for children;

d) Provides access to parental rights (GDPR rights articles 15-22 as a parent/guardian);

e) Does not collect sensitive biometric data (KYC, mandatory photos).

7.3.3 Reporting abuse

In the event of suspected child abuse or fraudulent use involving minors, the Publisher undertakes to:

a) Cooperate with the authorities (police, gendarmerie, justice);

b) Retain sufficient data for reporting without delay;

c) Report to the competent authorities in accordance with legal procedures.

APPLICABLE LAW AND DISPUTE RESOLUTION

7.4.1 Applicable law

These Terms of Use are governed exclusively by French law, irrespective of the rules of private international law.

Any interpretation or application of the Terms will be made in accordance with French law.

7.4.2 Jurisdiction

Any dispute arising from the Terms will be subject to the exclusive jurisdiction of the French courts within the jurisdiction of the Publisher's registered office in Nancy.

Exception: A consumer User residing in the European Union retains the right to bring proceedings before the courts of their place of residence (Directive 93/13/EEC, article 4).

7.4.3 Mandatory amicable-resolution procedure

Before any legal action, the consumer User must:

1. Send a detailed written request to contact@miloria.fr;

2. Wait for a response within 14 calendar days;

3. If the response is unsatisfactory, refer the matter to the consumer mediator in accordance with the procedure in section 1.5;

4. Only after exhausting mediation may the User refer the matter to a court.

Failure to comply with this procedure may result in the rejection of the legal claim.

MANDATORY AND AUTOMATICALLY APPLICABLE PROVISIONS

The following articles of these Terms of Use cannot be waived and apply automatically:

a) Section 1.4 (Applicable law and jurisdiction);

b) Section 1.5 (Consumer mediation);

c) Section 2.2 (Minor access restrictions);

d) Section 3.4 (Withdrawal) - For minimum legal compliance;

e) Section 4.8 (Protection of minors, GDPR art. 8);

f) Section 5.3 (User indemnity);

g) Section 7.4 (Dispute resolution).

Any clause contrary to French public order or to the mandatory provisions of the GDPR is void and replaced as of right by the applicable legal provision.

SEVERABILITY

If any provision of these Terms of Use is held to be invalid, illegal, or unenforceable by a competent court:

a) That provision will be removed or modified to the minimum necessary to make it valid;

b) The other provisions remain in force and applicable;

c) The User and the Publisher undertake to negotiate a suitable replacement provision.

ENTIRE AGREEMENT

These Terms of Use, together with:

- The Privacy Policy (section 4);

- The Legal Notice (section 1.1);

- Any document incorporated by reference (providers' terms);

constitute the entire agreement between the User and the Publisher concerning Miloria.

Any prior agreement, representation, or warranty is revoked and replaced by these Terms of Use.

No modification of the Terms may be made except by:

a) A writing signed jointly by the User and the Publisher;

b) Or a notification of change in accordance with section 7.1 above.

WAIVER

The Publisher does not waive any right or obligation under these Terms of Use, unless the waiver is express and in writing.

The Publisher's failure to enforce a provision does not constitute a waiver of that provision.

ASSIGNMENT AND TRANSFER

7.9.1 The User's rights and obligations

The User may not assign, transfer, or delegate their rights or obligations under the Terms without the Publisher's prior written consent.

Any attempted assignment without consent is void.

7.9.2 The Publisher's rights and obligations

The Publisher may assign or transfer its rights and obligations to a third party in the following cases:

a) Merger, acquisition, or restructuring of the Publisher;

b) Transfer to an approved subcontractor;

c) Transfer required by a court order.

In the event of a significant transfer, the Publisher will notify Users in accordance with the terms of section 7.1 above.

OFFICIAL VERSION AND TRANSLATIONS

The official and authoritative version of the Terms of Use is the French version available at https://www.miloria.fr/legal.html.

Where the Terms are translated into other languages (including the present English translation), only the French version prevails in the event of any contradiction, and French law applies.

PUBLISHER'S CONTACT DETAILS - POINTS OF CONTACT

For any question, request, or complaint concerning Miloria:

General contact: contact@miloria.fr

User support: support@miloria.fr

Data Protection Officer (DPO): dpo@miloria.fr

Postal address: 17 rue Saint-Jean, 54000 Nancy, France

Phone: +33 3 72 47 25 99

Support opening hours: Monday to Friday 9am-6pm (France time)

Target response time: 24-48 hours for acknowledgement, 5-10 days for resolution depending on complexity.

COMPLIANCE MONITORING AND AUDITS

The Publisher, as an early-stage organisation, ensures GDPR compliance through the following measures:

a) Regular internal review of data processing and its compliance with the GDPR;

b) Application of security updates for the dependencies and infrastructure used;

c) Use of certified providers (Firebase / Google Cloud) incorporating their own security protocols and audits;

d) Monitoring of applicable legal obligations and adapting practices accordingly.

The Publisher undertakes to progressively strengthen these arrangements (external audits, penetration tests) as the organisation develops, and cooperates fully with the CNIL or any competent supervisory authority upon request.

DURATION OF THE TERMS OF USE

These Terms of Use enter into force upon their publication on the Application (date: 03/04/2026) and remain in force indefinitely until formal revocation or modification.

They apply to any new User creating an account after this date, as well as to all existing Users under article 7.1 above.

DIGITAL TRUST AND REGULATION

The Publisher acknowledges its status as a provider of digital services and agrees to submit to:

a) The present and future regulations of the European Commission regarding AI (Digital Services Act, AI Act);

b) The transparency and accountability standards imposed on providers of digital services;

c) The inspections and investigations of the CNIL or any competent authority;

d) Any injunctions to block or modify the service decided by a judicial or administrative authority.

The Publisher undertakes to publish an annual transparency report setting out:

- Number of accounts created and account deletions;

- Number of GDPR access/deletion/modification requests received;

- Number of data breaches reported;

- Number of requests for personal data from authorities;

- Effectiveness of the content-filtering measures.