Privacy Policy

StoriesBy (“we”, “us”, “our”) is operated by JOCH Ltd, registered in England and Wales. This policy explains what data we collect, why, how we use it, who we share it with, and your rights. We take your privacy seriously — especially because the stories you share with us are personal.

1. Data we collect

Content you create

  • Voice recordings and their transcripts
  • Text you type or edit (polished story text)
  • Photos you upload
  • AI-generated illustrations created from your story
  • Card details: occasion, greeting, sender and recipient names

Contact information

  • Email address (when you provide it for card delivery, email capture, or waitlist)
  • Name (first name, as entered by you)

Payment information

  • Payments are processed entirely by Stripe. We never see, store, or have access to your payment card details. We store only the Stripe session and payment intent identifiers to confirm your purchase.

Usage and analytics data

  • Pages you visit and referring URL
  • Device type and browser (parsed from User-Agent)
  • UTM campaign parameters (if you arrived via a marketing link)
  • Session timing: how long you spend on each step of the experience
  • Whether you edited your polished text
  • Card open timestamp (when a recipient first views a card)

Technical data

  • IP address (used for rate limiting and abuse prevention; not stored long-term)
  • Cookies: we set a small number of functional cookies for authentication and session management (see Section 7)

2. How we use your data

  • To provide the service: transcribe your recording, polish your text, generate an illustration, create and deliver your card
  • To process payments: confirm card purchases via Stripe
  • To send transactional emails: deliver card links, send scheduled questions, confirm actions
  • To improve the experience: understand which prompts resonate, measure completion rates, fix bugs
  • To moderate content: review stories flagged for the public Story Wall (only with your consent)
  • To prevent abuse: rate limiting and fraud detection

We analyse anonymised, aggregated usage patterns — never individual stories — to improve the product. Only short topic labels (e.g. “childhood kitchen”, “first holiday”) are retained for this purpose.

3. Third-party services

To provide StoriesBy, we share specific data with the following services. Each processes data only as needed for its function.

  • Speechmatics(UK) — real-time speech-to-text transcription. Your audio is streamed, transcribed, and not stored or used for training. Speechmatics is trusted by the BBC, UK emergency services, and government institutions.
  • Anthropic / Claude(US) — text polishing, editorial suggestions, and illustration prompting. Your transcript is processed to improve clarity. Anthropic does not retain or train on data sent via their API.
  • fal.ai(US) — AI illustration generation. Story summaries and optional photos are used to generate artwork. Data is not retained after processing.
  • Stripe(US) — payment processing. Stripe handles all payment card data directly. We never see your card number, expiry, or CVV. See Stripe’s privacy policy.
  • Resend(US) — transactional and marketing email delivery. Your email address and the content of emails we send you pass through Resend.
  • Render(US/EU) — application hosting and database. All data is stored on encrypted servers.

4. What we never do

  • We never sell your data to anyone
  • We never share your story without your explicit permission
  • We never use your story content to train AI models
  • We never create an account or profile without your knowledge
  • We never target you with third-party advertising
  • We never share your email address with third parties for marketing

5. Legal basis for processing (GDPR)

If you are in the UK or European Economic Area:

  • Contract: processing your recording and delivering your card is necessary to provide the service you requested
  • Consent: sharing your story on the Story Wall, adding you to marketing emails, and optional analytics
  • Legitimate interest: basic analytics to improve the product, rate limiting to prevent abuse

You can withdraw consent at any time by emailing us.

6. Data retention

  • Cards and stories: retained for as long as the card link is active, so recipients can revisit their card
  • Audio recordings: retained alongside the card for playback; deleted if you request deletion
  • Email addresses: retained until you unsubscribe or request deletion
  • Analytics data: page visit logs are retained for 12 months, then deleted
  • Payment records: Stripe transaction identifiers are retained for 7 years for accounting and legal compliance

You can request deletion of all your data at any time (see Section 8).

7. Cookies & local storage

We use a small number of cookies and one item of browser local storage. We do not use advertising cookies or third-party tracking cookies.

  • Strictly necessary (always on): authentication cookies that keep you logged in during a session, and small functional storage that remembers preferences needed for the service to work.
  • Analytics (opt-in): a single page-visit log helps us understand which prompts resonate and where the experience drops off. We ask for your consent on first visit via a cookie banner. Decline and no analytics data is sent.

You can change your analytics preference at any time by clearing your browser’s local storage for storiesby.app and reloading — the banner will reappear.

8. Your rights

Under GDPR (UK and EU) and CCPA (California), you have the right to:

  • Access: request a copy of all data we hold about you
  • Rectification: correct any inaccurate data
  • Deletion: request we delete all your data (“right to be forgotten”)
  • Portability: receive your data in a machine-readable format
  • Object: object to processing based on legitimate interest
  • Withdraw consent: at any time, without affecting the lawfulness of prior processing
  • Non-discrimination: exercising your rights will not affect the service we provide you (CCPA)

To exercise any right, email hello@storiesby.app. We will respond within 30 days.

9. California residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. You may request disclosure of the categories and specific pieces of personal information we have collected about you. Contact hello@storiesby.app.

10. Children

StoriesBy is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. International data transfers

Some of our third-party services are based in the United States. Where data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses or the service provider’s compliance with relevant data protection frameworks. We only use providers with strong privacy commitments.

12. Security

We use HTTPS encryption for all data in transit, encrypted databases for data at rest, rate limiting to prevent abuse, and access controls to limit who can view your data. No system is perfectly secure, but we take reasonable and appropriate measures to protect your information.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the app or email. The “last updated” date below always reflects the most recent version.

14. Contact

StoriesBy is made by JOCH Ltd, registered in England and Wales.

For any privacy questions, data requests, or concerns, contact: hello@storiesby.app

Last updated: April 2026

Terms of UseBack to StoriesBy