XSTORY.IO – PRIVACY POLICY

Last updated: May 13, 2025

Welcome to xstory.io ("XStory", "we", "our", or "us"). We respect your privacy and are committed to protecting it through this policy ("Privacy Policy"). It explains what personal data we collect, how we use and share it, and the choices you have. By using our website, mobile application, or related services (collectively, the "Service"), you agree to the practices described here.

Summary – We collect only what we need to operate an 18‑plus interactive‑story platform, run analytics, process payments, and send you updates if you opt in. Prompts you type are not stored on our servers, and generated stories become public only when you choose to publish them.

1. WHO WE ARE & HOW TO CONTACT US

XStory.io

We do not currently have an EU/UK GDPR representative because we do not actively target EU/UK users. If this changes, we will update this section.

2. AGE RESTRICTIONS

The Service is intended only for individuals 18 years of age or older. We do not knowingly collect personal information from anyone under 18 or permit under‑18 registration. If you believe a minor has provided us personal data, contact us and we will delete it.

3. INFORMATION WE COLLECT

Category | Examples | Collected? | Purpose
Account Identifiers | Email, username, social‑login ID |  | Account creation, login, security
Payment Information | Tokenized card data via Stripe | ✔ (handled by Stripe; we never see full card) | Subscription billing
Device & Usage Data | IP address, browser type, referrer, session duration, clickstream | ✔ (via Google Analytics & server logs) | Service analytics, security, fraud prevention
Marketing Data | Email preferences, newsletter sign‑ups | ✔ (future) | Send updates & offers with consent
Cookies / Similar IDs | First‑party session cookies; Google Analytics cookies |  | Remember login state, measure traffic
Prompt Text | The text you type to instruct the AI | ✖ (only cached on your device; not stored server‑side) | Generate requested content
AI‑Generated Content | Stories or images output by our model | ✔ (only if you publish) | Display to public readers
Sensitive Data | Biometric, health, precise location |  | N/A

4. HOW WE USE YOUR INFORMATION

We use personal data only when we have a lawful basis (typically contract or consent) and to:

  1. Provide the Service – set up your account, generate AI stories, enforce our Terms of Use.
  2. Process payments – via Stripe for XStory Pro subscriptions.
  3. Measure & improve – monitor performance, aggregate statistics.
  4. Communicate – send service announcements, newsletters (opt‑in), and respond to inquiries.
  5. Protect the Service – detect fraud, abuse, or violations of law.

No model training: We do not feed your prompts, usage data, or AI outputs back into model fine‑tuning.

5. COOKIES & TRACKING TECHNOLOGIES

We use:

  • Essential cookies – keep you logged in, remember settings.
  • Analytics cookies – Google Analytics to understand traffic patterns.

We do not use behavioral advertising or retargeting cookies.

You can manage cookies in your browser settings or via our in‑app cookie banner.

6. DATA SHARING & PROCESSORS

We share data only with trusted service providers who process it on our behalf and under confidentiality agreements:

  • Hosting & Serverless: Vercel, Supabase (U.S.)
  • Analytics: Google Analytics (U.S.)
  • Payments: Stripe (U.S.) – receives billing name, email, payment token
  • AI Model Host(s): Proprietary U.S.‑based vendor (name withheld for security/commercial reasons)

We do not sell or rent your personal data.

7. INTERNATIONAL TRANSFERS

Our servers are located in the United States. If you access the Service from outside the U.S., your data will be transferred to the U.S., where privacy laws may differ. For EU personal data (should we later process any) we will rely on Standard Contractual Clauses or the EU–U.S. Data Privacy Framework.

8. DATA RETENTION

Data type | Retention period
Account & billing records | While account is active + 1 year for audit/compliance
Server logs (IP, user‑agent) | 30 days rolling, unless investigating abuse
Published AI stories & comments | Until deleted by user or account closure
Back‑ups | Encrypted backups retained for 6 months, then purged

You may delete your account at any time; deletion is instant in production databases and propagates to backups during the next scheduled purge.

9. YOUR RIGHTS & CHOICES

  • Access / Portability – download your data from your dashboard.
  • Deletion – delete your account or email support@xstory.io.
  • Opt‑out of marketing – unsubscribe link in every email.
  • Cookie control – browser settings or cookie banner.

We respond to all verified requests within 30 days.

10. SECURITY

  • HTTPS encryption in transit
  • AES‑256 encryption at rest for Supabase databases
  • Role‑based access controls; staff access limited to need‑to‑know
  • Regular third‑party vulnerability scans (no formal bug‑bounty yet)

No system is perfect, but we take commercially reasonable measures to protect your data.

11. AI‑GENERATED & MATURE CONTENT DISCLOSURE

  • AI outputs may contain factual inaccuracies or "hallucinations." Treat stories as fictional entertainment, not advice.
  • Mature or explicit themes may appear. We label age‑restricted content and require users to confirm they are 18+.
  • Users own the AI content they publish, subject to our Terms of Use. XStory may display such content publicly and showcase excerpts for marketing with attribution.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or in‑app banner 30 days before they take effect. The "Last updated" date at the top will also change.

13. DISPUTE RESOLUTION

Privacy‑related disputes follow the same arbitration process described in our Terms of Use (Wilmington, Delaware, JAMS). If you have concerns, please contact us first so we can try to resolve them informally.


Questions? Email support@xstory.io. We're here to help.