STORYTAP
🔒

Your stories are yours.

We built STORYTAP with privacy as a first principle, not an afterthought. Family memories are irreplaceable — we treat them that way.

Last updated: April 6, 2026

Our commitment in plain English

1. Who we are and how to contact us

STORYTAP is the data controller responsible for your personal information under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and applicable French data protection law (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, as amended). We are based in France and are subject to the oversight of the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Contact us at: storytap.app@gmail.com Given our current size, we are not required to appoint a Data Protection Officer (DPO). If this changes, we will update this policy and notify you.

2. What personal data we collect

Account data: your name and email address when you register via email, Apple Sign-In, or Google Sign-In. When you use Apple Sign-In or Google Sign-In, we receive only the data those services share with us (name and email). We do not receive your Apple or Google password. Story content: text you type, audio recordings you make, and transcripts generated from those recordings. This is your family's heritage — we treat it accordingly. Usage data: which frameworks you use, session length, and feature interactions. We use this anonymously to improve the product. Device data: device type, operating system version, and a random installation identifier generated on first launch. This identifier is not linked to your identity and resets if you reinstall the app. Subscription data: your active plan tier (free, Story Keeper, or Family Vault). Payment processing is handled entirely by Apple App Store or Google Play — we never see or store your card details.

3. Legal basis for processing (GDPR Article 6)

We rely on the following legal bases under GDPR Article 6: • Contract (Art. 6(1)(b)): processing your account data, story content, and subscription status is necessary to provide the STORYTAP service you have requested. • Legitimate interests (Art. 6(1)(f)): we process anonymised, aggregated usage data to understand how the product is used and improve it. Our legitimate interest is providing a better product; this interest does not override your rights because the data is anonymised and you can opt out at any time. • Consent (Art. 6(1)(a)): when you enable AI transcription or narrative refinement features, you explicitly consent to your audio or text being processed by Google Gemini. You may withdraw this consent at any time by disabling the feature in Settings — this does not affect processing that already occurred. • Legal obligation (Art. 6(1)(c)): we may retain certain records where required by French or EU law.

4. Special category data (GDPR Article 9)

Audio recordings of family stories may naturally contain sensitive information — including references to health, religious beliefs, racial or ethnic origin, or political opinions. Under GDPR Article 9, these are "special category" data requiring a higher standard of protection. We process this data on the basis of your explicit consent (Art. 9(2)(a)), given when you record a story and choose to sync it. You can withdraw this consent at any time by deleting the story or your account. Special category data is never used for advertising, profiling, or any purpose other than providing your personal family archive. It is never shared with third parties except as strictly necessary (see Section 8). Free-tier users: special category data stays entirely on your device and is never transmitted to our servers.

5. Why we collect it and how we use it

To provide the service: storing and syncing your stories across your devices requires holding your content. Legal basis: contract. To personalise: framework recommendations are based on your usage patterns, processed on-device first. Legal basis: contract. To process payments: your subscription status is managed via RevenueCat, which communicates with the App Store or Play Store on our behalf. Legal basis: contract. To improve STORYTAP: aggregated, anonymised analytics help us decide what to build next. We never sell individual data. Legal basis: legitimate interests. AI features (opt-in only): when you enable AI transcription or narrative refinement, your audio or text is sent to Google Gemini API. Legal basis: consent. You can withdraw consent at any time.

6. AI features and automated processing

STORYTAP offers opt-in AI transcription and narrative refinement features, powered by Google Gemini, available to Story Keeper and Family Vault subscribers. This processing is always opt-in and requires your explicit consent before activation. When you use these features, your audio or text is sent to Google's API under a strict data-processing agreement that prohibits Google from using your content to train its models. GDPR Article 22 — automated decision-making: STORYTAP does not make any automated decisions that produce legal or similarly significant effects on you. AI features generate suggestions only; all decisions remain yours. No profiling is carried out for any purpose other than improving your in-app coaching experience. Free tier users' stories are processed entirely on-device. Nothing leaves your phone except the sync to your own Firestore database.

7. Cloud storage and international transfers

Stories you choose to sync are stored in Google Firebase (Firestore and Cloud Storage). Your primary data is stored in the EU (europe-west1, Belgium) by default, meaning transfers within the EEA do not require additional safeguards. Some of our sub-processors operate in the United States. We ensure appropriate safeguards for these transfers: • Google LLC (Firebase, Gemini API): transfers are covered by the EU-US Data Privacy Framework adequacy decision (July 2023) and EU Standard Contractual Clauses (SCCs, June 2021). • RevenueCat Inc. (subscription management): transfers are covered by EU Standard Contractual Clauses. RevenueCat processes only your subscription tier and anonymised purchase events — no story content. • Apple Inc. / Google LLC (payment processing via App Store / Play Store): governed by their own DPA and SCCs. We never receive your payment card details. Local storage: all stories are also saved on your device using SQLite. The app is fully functional offline. Cloud sync is a mirror, not a requirement.

8. Who we share data with

We share your data only with the following categories of processors, each bound by a data-processing agreement: • Google LLC (Firebase / Gemini) — cloud storage and optional AI features • RevenueCat Inc. — subscription status management • Apple Inc. / Google LLC — payment processing via App Store / Play Store We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for marketing purposes. Full stop. We may disclose personal data if required to do so by French or EU law, court order, or to protect the rights and safety of our users, provided we take reasonable steps to notify you unless prohibited by law.

9. Your rights under GDPR

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights: • Right of access (Art. 15): request a copy of all personal data we hold about you. • Right to rectification (Art. 16): request correction of inaccurate data. • Right to erasure (Art. 17): request deletion of your account and all associated personal data. • Right to data portability (Art. 20): receive your stories in a machine-readable format (JSON or CSV) — this export is always free. • Right to restrict processing (Art. 18): request that we limit how we use your data. • Right to object (Art. 21): object to processing based on legitimate interests. • Right to withdraw consent (Art. 7(3)): where we rely on consent (e.g., AI features), you may withdraw it at any time via the app settings. Withdrawal does not affect the lawfulness of processing before withdrawal. • Right to lodge a complaint: you have the right to complain to the Commission Nationale de l'Informatique et des Libertés (CNIL) at www.cnil.fr, or to the supervisory authority in your EU member state of habitual residence. To exercise any right, email storytap.app@gmail.com. We will respond within 30 days, extendable by 60 days for complex requests with notice.

10. Cookies and tracking identifiers

STORYTAP is a mobile application and does not use browser cookies. We use a random installation identifier generated on your device at first launch. This identifier: • Is not linked to your name, email, or any external identity • Is used solely to distinguish anonymous sessions for crash reporting and analytics • Resets if you uninstall and reinstall the app • Is not shared with advertising networks Firebase Analytics collects anonymised usage events (screen views, feature interactions). These are processed in the EU where possible. You can opt out of analytics in your device's privacy settings (iOS: Settings → Privacy & Security → Apple Advertising; Android: Settings → Google → Ads). We do not use cross-app or cross-website tracking. NSPrivacyTracking is set to false in our Apple Privacy Manifest.

11. Data retention

Your stories are kept for as long as your account is active. If you delete a story: it is removed from our servers within 30 days. If you delete your account: all personal data associated with your account is purged within 90 days. A confirmation email will be sent when deletion is complete. Subscription records: RevenueCat and Apple/Google may retain anonymised purchase records as required by their own legal obligations and tax law. We retain no payment card data. Anonymised, aggregated analytics data (with no link to any individual) may be retained indefinitely.

12. Children's privacy

STORYTAP is designed for users aged 15 and over. In France, 15 is the minimum age for providing consent to digital services under Article 45 of the Loi Informatique et Libertés (as amended by Loi n° 2018-493). We do not knowingly collect personal data from children under 15. If you are under 15, a parent or guardian must create and manage the account and provide consent on your behalf. If you believe a child under 13 has created an account without parental consent, please contact us immediately at storytap.app@gmail.com and we will delete the account and all associated data promptly.

13. Security

We apply the following technical and organisational measures: • Encryption in transit: TLS 1.3 for all data transmitted between the app and our servers. • Encryption at rest: Firebase Storage and Firestore encrypt data at rest using AES-256. • Access controls: Firebase Security Rules ensure that only authenticated users can read or write their own data. No STORYTAP employee can access your story content. • Credential security: authentication credentials are never stored in plain text. No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and notify you without undue delay, as required by GDPR Article 33–34.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the app's features. For material changes: we will notify you via in-app notification and email at least 14 days before the change takes effect. For minor changes (e.g., clarifications, contact detail updates): we will update the "Last updated" date. Continued use of STORYTAP after a material change takes effect constitutes acceptance of the updated policy. If you do not agree, you may delete your account before the change takes effect.

15. Contact and complaints

For any privacy question, data subject request, or concern: Email: storytap.app@gmail.com For urgent data concerns, include "URGENT DATA REQUEST" in the subject line. If you are not satisfied with our response, you have the right to lodge a complaint with: Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France www.cnil.fr You may also contact the supervisory authority in your EU member state of habitual residence or place of work.