XSTORY.IO – PRIVACY POLICY
Last updated: May 13, 2025
Welcome to xstory.io ("XStory", "we", "our", or "us"). We respect your privacy and are committed to protecting it through this policy ("Privacy Policy"). It explains what personal data we collect, how we use and share it, and the choices you have. By using our website, mobile application, or related services (collectively, the "Service"), you agree to the practices described here.
Summary – We collect only what we need to operate an 18‑plus interactive‑story platform, run analytics, process payments, and send you updates if you opt in. Prompts you type are not stored on our servers, and generated stories become public only when you choose to publish them.
1. WHO WE ARE & HOW TO CONTACT US
XStory.io
- Mailing address: (We operate remotely in the U.S.)
- Privacy email: support@xstory.io
- DMCA/Content takedown: support@xstory.io
We do not currently have an EU/UK GDPR representative because we do not actively target EU/UK users. If this changes, we will update this section.
2. AGE RESTRICTIONS
The Service is intended only for individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18 or permit under‑18 registration. If you believe a minor has provided us personal data, contact us and we will delete it.
3. INFORMATION WE COLLECT
Category | Examples | Collected? | Purpose |
---|---|---|---|
Account Identifiers | Email, username, social‑login ID | ✔ | Account creation, login, security |
Payment Information | Tokenized card data via Stripe | ✔ (handled by Stripe; we never see full card) | Subscription billing |
Device & Usage Data | IP address, browser type, referrer, session duration, clickstream | ✔ (via Google Analytics & server logs) | Service analytics, security, fraud prevention |
Marketing Data | Email preferences, newsletter sign‑ups | ✔ (future) | Send updates & offers with consent |
Cookies / Similar IDs | First‑party session cookies; Google Analytics cookies | ✔ | Remember login state, measure traffic |
Prompt Text | The text you type to instruct the AI | ✖ (only cached on your device; not stored server‑side) | Generate requested content |
AI‑Generated Content | Stories or images output by our model | ✔ (only if you publish) | Display to public readers |
Sensitive Data | Biometric, health, precise location | ✖ | N/A |
4. HOW WE USE YOUR INFORMATION
We use personal data only when we have a lawful basis (typically contract or consent) and to:
- Provide the Service – set up your account, generate AI stories, enforce our Terms of Use.
- Process payments – via Stripe for XStory Pro subscriptions.
- Measure & improve – monitor performance, aggregate statistics.
- Communicate – send service announcements, newsletters (opt‑in), and respond to inquiries.
- Protect the Service – detect fraud, abuse, or violations of law.
No model training: We do not feed your prompts, usage data, or AI outputs back into model fine‑tuning.
5. COOKIES & TRACKING TECHNOLOGIES
We use:
- Essential cookies – keep you logged in, remember settings.
- Analytics cookies – Google Analytics to understand traffic patterns.
We do not use behavioral advertising or retargeting cookies.
You can manage cookies in your browser settings or via our in‑app cookie banner.
6. DATA SHARING & PROCESSORS
We share data only with trusted service providers who process it on our behalf and under confidentiality agreements:
- Hosting & Serverless: Vercel, Supabase (U.S.)
- Analytics: Google Analytics (U.S.)
- Payments: Stripe (U.S.) – receives billing name, email, payment token
- AI Model Host(s): Proprietary U.S.‑based vendor (name withheld for security/commercial reasons)
We do not sell or rent your personal data.
7. INTERNATIONAL TRANSFERS
Our servers are located in the United States. If you access the Service from outside the U.S., your data will be transferred to the U.S., where privacy laws may differ. For EU personal data (should we later process any) we will rely on Standard Contractual Clauses or the EU–U.S. Data Privacy Framework.
8. DATA RETENTION
Data type | Retention period |
---|---|
Account & billing records | While account is active + 1 year for audit/compliance |
Server logs (IP, user‑agent) | 30 days rolling, unless investigating abuse |
Published AI stories & comments | Until deleted by user or account closure |
Back‑ups | Encrypted backups retained for 6 months, then purged |
You may delete your account at any time; deletion is instant in production databases and propagates from backups during the next scheduled purge.
9. YOUR RIGHTS & CHOICES
- Access / Portability – download your data from your dashboard.
- Deletion – delete your account or email support@xstory.io.
- Opt‑out of marketing – unsubscribe link in every email.
- Cookie control – browser settings or cookie banner.
We respond to all verified requests within 30 days.
10. SECURITY
- HTTPS encryption in transit
- AES‑256 encryption at rest for Supabase databases
- Role‑based access controls; staff access limited to need‑to‑know
- Regular third‑party vulnerability scans (no formal bug‑bounty yet)
No system is perfect, but we take commercially reasonable measures to protect your data.
11. AI‑GENERATED & MATURE CONTENT DISCLOSURE
- AI outputs may contain factual inaccuracies or "hallucinations." Treat stories as fictional entertainment, not advice.
- Mature or explicit themes may appear. We label age‑restricted content and require users to confirm they are 18+.
- Users own the AI content they publish, subject to our Terms of Use. XStory may display such content publicly and showcase excerpts for marketing with attribution.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or in‑app banner 30 days before they take effect. The "Last updated" date at the top will also change.
13. DISPUTE RESOLUTION
Privacy‑related disputes follow the same arbitration process described in our Terms of Use (Wilmington, Delaware, JAMS). If you have concerns, please contact us first so we can try to resolve them informally.
Questions? Email support@xstory.io. We're here to help.