Privacy Policy
We take your privacy seriously. Here's how we collect, use, and protect your data.
Who we are (Data Controller)
StoryBored ("we", "us", "our") provides an e-reader with AI-generated illustrations.
Controller: [Company legal name] (e.g., StoryBored AB)
Address: [Street, Postal code, City, Country]
Contact: privacy@storybored.ai
Data Protection Officer: [Name, contact]
This policy explains how we collect, use, share, and protect your personal data when you use storybored.ai, our apps, and services (collectively, the "Service").
Scope & legal bases
We process personal data under the EU/EEA GDPR and applicable laws. Our legal bases include:
- Contract (Art. 6(1)(b)): to provide the Service you request.
- Consent (Art. 6(1)(a)): cookies, marketing, optional features.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, product improvement.
- Legal obligation (Art. 6(1)(c)): tax, accounting, compliance.
We do not intentionally collect special categories of data (e.g., health, religion).
Data we collect
a) Data you provide
- Account & profile: name, email, password or SSO ID, avatar (optional).
- Content: the books you import (e.g., EPUB without DRM), selected text, prompts, generated images, styles, "favorites," and metadata.
- Support: messages, feedback, bug reports.
- Billing: country, VAT ID, transaction identifiers (we don't store full card numbers—our payment processor does).
b) Data we collect automatically
- Usage & device: pages viewed, clicks, feature usage, language, browser/OS, device type, approximate region, timestamps, referral source.
- Logs: IP address, error logs, performance data.
- Cookies/SDKs: essential cookies for sign-in; optional analytics/marketing cookies only with your consent.
c) Data from third parties
- SSO/auth providers (if used): your verified email and profile basics.
- Payments: confirmation of payment status from our processor.
- Referrals/partners: campaign attribution.
How we use your data (purposes)
- Provide the Service: render books, generate illustrations, manage your Ink balance, save your library, and sync settings. (Contract)
- Improve and secure: fix bugs, measure performance, combat fraud/abuse, maintain availability. (Legitimate interests)
- Communicate: account notices, feature updates, onboarding tips; marketing only with your consent, and you can opt out anytime. (Contract/Legitimate interests/Consent)
- Billing & compliance: issue invoices, handle taxes, meet legal duties. (Legal obligation)
AI features & your content
- Your control: You choose what text to illustrate. You can delete prompts, images, or entire books from your library at any time.
- Training: We do not sell your content. We do not use your books, prompts, or images to train public foundation models. Where our model providers expose settings, we configure them to opt out of training on your data.
- Quality analytics: We may use aggregate, de-identified metrics (e.g., success/failure rates, generation time, feature usage) to improve the Service.
- Safety: Content may pass through automated moderation filters to prevent abuse or illegal content.
Cookies & similar technologies
- Essential: sign-in, security, load balancing.
- Preferences: theme, language.
- Analytics (optional): product usage to improve UX.
- Marketing (optional): only if you consent.
Manage preferences anytime via the Cookie Settings link in the footer. See our Cookie Policy for details.
Sharing your data
We share personal data only with:
- Service providers / processors (hosting, CDNs, analytics, customer support, payments, email). They act on our instructions under Data Processing Agreements.
- Model providers solely to execute your prompts and return images, under contractual safeguards.
- Legal/Compliance: if required by law or to protect rights, safety, and the Service.
- Business transfers: as part of a merger, acquisition, or asset sale, with appropriate safeguards and notice.
We do not sell personal data or share it with third parties for their independent advertising.
International transfers
Where data is transferred outside the EEA/UK (e.g., to processors or model providers), we use approved safeguards such as the EU Standard Contractual Clauses (SCCs) and complementary measures. We aim to host primary data in [EEA region—e.g., EU-based cloud] where feasible. Some CDNs may transiently cache globally.
Data retention
We keep data only as long as needed:
- Account data: for your account lifetime; deleted upon request or account closure.
- Books & prompts & images: until you delete them or your account; cache may persist briefly in backups.
- Analytics logs: [e.g., 12–24 months], aggregated thereafter.
- Billing/Invoices: 7 years (or as required by applicable tax law).
- Support tickets: [e.g., 24 months].
Backups are rotated on a fixed schedule; deletion propagates on the next cycle.
Security
We apply industry-standard safeguards: encryption in transit, encryption at rest for core systems, role-based access, least privilege, audit logging, and regular vulnerability management. No method is 100% secure; please use a strong, unique password and enable available protections.
Security questions? security@storybored.ai
Responsible disclosure: email us; we welcome good-faith reports.
Your rights (EEA/UK and similar jurisdictions)
Subject to law, you can:
- Access your data and get a copy.
- Rectify inaccurate data.
- Erase data ("right to be forgotten").
- Restrict or object to certain processing.
- Port data to another service.
- Withdraw consent at any time (it won't affect prior lawful processing).
To exercise rights: email privacy@storybored.ai.
You also have the right to lodge a complaint with your local authority. In Sweden: Integritetsskyddsmyndigheten (IMY).
Children
The Service is not intended for children under 13 (or the minimum age required in your country). We do not knowingly collect data from children. If you believe a child has provided data, contact us and we'll delete it.
Automated decision-making
We don't make decisions with legal or similarly significant effects based solely on automated processing. We use automation for service functionality (e.g., queueing, content filtering).
Third-party links
Our site may link to third-party sites or services. Their privacy practices are their own; review their policies before providing personal data.
Changes to this policy
We may update this policy from time to time. We'll post the new version here and adjust the "Effective date". If changes are material, we'll provide additional notice (e.g., email or in-app).
Contact us
Questions or requests about privacy?
Email: privacy@storybored.ai
Postal: [Company legal name], [Address]
Annex A – Subprocessors (examples / placeholders)
Publish a living list on a separate page and link it here.
- Cloud hosting & DB: [e.g., AWS EU-region / GCP EU-region]
- CDN & edge security: [e.g., Cloudflare]
- Email delivery/support: [e.g., Postmark, Intercom]
- Payments & billing: [e.g., Stripe / Paddle / LemonSqueezy]
- Analytics (consent-based): [e.g., Plausible (EU), PostHog (self-hosted EU)]
- AI model providers: [e.g., OpenAI API (training opt-out), Stability/Replicate]
Annex B – Cookie Summary (sample)
- Essential: session, CSRF, cookie-consent.
- Preferences: theme, font, reader settings.
- Analytics (opt-in): pageviews, events.
- Marketing (opt-in): campaign attribution.
Optional clauses you can toggle based on product decisions
- Rollover: "Unused Ink on paid plans rolls over for up to 2 months."
- Commercial use: "Personal/educational by default; add-on enables commercial licensing."
- Data residency: "Primary storage in the EEA."
- BYO model keys: "Not supported during public beta. If enabled later, your provider will act as an independent controller for those calls."