Privacy Policy

Last updated: December 4, 2024

Summary

We collect only what we need to operate an 18+ interactive-story platform, run analytics, process payments, and send you updates if you opt in. Prompts you type are not stored on our servers, and generated stories become public only when you choose to publish them.


1. WHO WE ARE & HOW TO CONTACT US

XStory.io

We do not currently have an EU/UK GDPR representative because we do not actively target EU/UK users. If this changes, we will update this section.

2. AGE RESTRICTIONS

The Service is intended only for individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18 or permit under-18 registration. If you believe a minor has provided us personal data, contact us and we will delete it.

3. INFORMATION WE COLLECT

| Category | Examples | Collected? | Purpose |
|---|---|---|---|
| Account Identifiers | Email, username, social-login ID | | Account creation, login, security |
| Payment Information | Tokenized card data via Stripe | ✔ (via Stripe) | Subscription billing |
| Device & Usage Data | IP address, browser type, session data | ✔ (via Analytics) | Service analytics, security |
| Marketing Data | Email preferences, newsletter sign-ups | ✔ (future) | Send updates with consent |
| Cookies / Similar IDs | Session cookies, Google Analytics | | Remember login, measure traffic |
| Prompt Text | Text you type to instruct AI | ✖ (not stored) | Generate content |
| AI-Generated Content | Stories or images from our model | ✔ (if published) | Display to readers |
| Sensitive Data | Biometric, health, precise location | | N/A |

4. HOW WE USE YOUR INFORMATION

We use personal data only when we have a lawful basis (typically contract or consent) and to:

  1. Provide the Service – set up your account, generate AI stories, enforce our Terms of Use.
  2. Process payments – via Stripe for XStory Pro subscriptions.
  3. Measure & improve – monitor performance, aggregate statistics.
  4. Communicate – send service announcements, newsletters (opt-in), and respond to inquiries.
  5. Protect the Service – detect fraud, abuse, or violations of law.

No model training: We do not feed your prompts, usage data, or AI outputs back into model fine-tuning.

5. COOKIES & TRACKING TECHNOLOGIES

We use:

  • Essential cookies – keep you logged in, remember settings.
  • Analytics cookies – Google Analytics to understand traffic patterns.

We do not use behavioral advertising or retargeting cookies.

You can manage cookies in your browser settings or via our in-app cookie banner.

6. DATA SHARING & PROCESSORS

We share data only with trusted service providers who process it on our behalf and under confidentiality agreements:

  • Hosting & Serverless: Vercel, Supabase (U.S.)
  • Analytics: Google Analytics (U.S.)
  • Payments: Stripe (U.S.) – receives billing name, email, payment token
  • AI Model Host(s): Proprietary U.S.-based vendor

We do not sell or rent your personal data.

7. DATA RETENTION

| Data type | Retention period |
|---|---|
| Account & billing records | While active + 1 year for compliance |
| Server logs (IP, user-agent) | 30 days rolling |
| Published AI stories & comments | Until deleted by user |
| Backups | Encrypted backups for 6 months |

You may delete your account at any time; deletion is instant in production databases.

8. YOUR RIGHTS & CHOICES

  • Access / Portability – download your data from your dashboard.
  • Deletion – delete your account or email support@xstory.io.
  • Opt-out of marketing – unsubscribe link in every email.
  • Cookie control – browser settings or cookie banner.

We respond to all verified requests within 30 days.

9. SECURITY

  • HTTPS encryption in transit
  • AES-256 encryption at rest for databases
  • Role-based access controls
  • Regular third-party vulnerability scans

No system is perfect, but we take commercially reasonable measures to protect your data.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or in-app banner 30 days before they take effect.