Privacy Policy

Effective: [TODO: insert effective date]
Last updated: [TODO]

⚠️ DRAFT — NOT YET LEGAL. This page accurately describes the StoryEntry app's data flows but has not been reviewed by a lawyer. Replace these placeholders before publishing publicly.

Who we are

StoryEntry is operated by [TODO: legal entity name], reachable at [TODO: privacy email]. This policy describes what data we collect when you use the StoryEntry mobile app, why, and your choices.

What we collect

Information you give us directly

• Phone number. Used to authenticate you and let your friends and family find you.
• Display name. Shown to people you have conversations with.
• Voice and video recordings. Stored in our hosted storage so you and the people you share with can play them back.
• Custom prompt text when you write your own.
• Reports against other users or content for moderation review.

Information collected automatically

• Contacts (with permission). Phone numbers are sent to our server only to find existing StoryEntry users. We do not store your contacts on our servers.
• Anonymized usage analytics. Screens visited, recordings started, prompts sent. No content of recordings or messages.
• Crash reports. Device model and technical crash details, no personal content.

What we do NOT collect

• We do not collect your email address. Sign-up is by phone only.
• We do not store your contacts list. Phone numbers are checked for matches but never persisted.
• We do not transmit recording or message content to analytics services.
• We do not sell or share your data with advertisers.

How we use your information

• To run the app: send SMS verification, store and serve recordings, deliver prompts and answers.
• To moderate the platform: review reports of objectionable content.
• To improve the product: anonymized analytics tell us which features people use.
• To comply with the law when legally required.

Service providers

• Supabase (database, auth, storage) — receives your phone number, display name, recordings, prompts, reports.
• Twilio (SMS) — receives your phone number to send verification codes.
• PostHog (analytics) — receives anonymized usage events. No recording content. No phone numbers.
• OpenAI (transcription) — voice and video recordings are sent to OpenAI's Whisper API for speech-to-text. OpenAI's API does not retain submitted content for training.

Your choices and rights

• See your data: in-app library and conversations.
• Delete your account and all data: "You" tab → Delete my account.
• Block other users: in any conversation, ⋯ menu → Block.
• Disable contacts permission: iOS Settings → Privacy & Security → Contacts → StoryEntry.

For specific data rights (GDPR, CCPA, etc.), email [TODO: privacy email].

Children

StoryEntry is intended for users 13 and older. We do not knowingly collect data from children under 13.

Security

We use industry-standard encryption in transit (TLS) and at rest. No system is perfectly secure; in the event of a breach, we will notify affected users as required by law.

Changes to this policy

We may update this policy. Material changes will be communicated in-app. Continued use after the effective date of an updated policy means you accept it.

Contact

For privacy questions: [TODO: privacy email].