Storybox — Privacy Policy

Effective date: 20 April 2026

Last updated: 20 April 2026

Who we are

Storybox is an iOS app operated by Kyle Sullivan, an individual developer ("Storybox," "we," "us"). You can reach us at privacy@mystorybox.xyz.

What this policy covers

This policy describes what personal data the Storybox iOS app collects, how we use it, where it's stored, and the choices you have. It applies only to the Storybox app and the services that directly support it.

The short version

• We collect the information you need to sign in (your email address) and the content you choose to create in the app (the photos and audio you record).
• We store that content in Google Firebase so it's available to you across reinstalls of the app.
• We do not sell your data, do not share it with advertisers, and do not include any analytics or tracking SDKs.
• You can delete your stories, reset your account, or permanently delete your account and all associated data from inside the app at any time.

What we collect

1. Account information. - If you sign up with email and password, we store your email address. - If you sign in with Apple, we receive the email address Apple provides. If you chose "Hide My Email," this will be an @privaterelay.appleid.com forwarding address — that's the only email we see or store. - We never see or store your password; authentication is handled by Firebase Authentication.
2. Content you create. - Photos you select from your device's Photo Library to attach to a story. We convert the photo to a JPEG and also generate a 512-pixel thumbnail. Both are uploaded to our storage. - Audio recordings you make in the app (up to 10 minutes per story), stored as AAC .m4a files. - Optional story title text and the photo's capture date (EXIF) if present in the source image. - The date the story was created.
3. Technical information handled by the operating system. - When you grant microphone or photo-library access, that permission is handled by iOS. We do not collect or transmit the permission decision itself.

What we do not collect

• No device advertising identifier (IDFA).
• No location data.
• No analytics events, screen-view tracking, heatmaps, or behavioural tracking of any kind.
• No contacts, calendar, or any other personal information outside what you explicitly provide.
• No data from third-party sources.

Storybox does not track you across other companies' apps or websites. No App Tracking Transparency prompt is shown because there's nothing to prompt about.

How we use your data

We use the information above solely to:

• Authenticate you and keep your account signed in.
• Store your stories (photos + audio) so they persist across devices and reinstalls.
• Render your stories inside the app and allow you to export a single story as an .mp4 to your device.

We do not use your data for advertising, for profiling, or to train any machine-learning model.

Where your data lives

Your account and content are stored in a Google Firebase project we control:

• Firebase Authentication — manages sign-in and stores a hashed credential on Google's infrastructure.
• Cloud Firestore — stores a small metadata document per story (title, created date, photo capture date if present).
• Firebase Storage — stores the JPEG full-resolution photo, 512-pixel thumbnail, and audio recording for each story.

Firebase is operated by Google LLC and acts as a data processor on our behalf. Google's privacy practices are described at https://firebase.google.com/support/privacy.

Data is processed in Google Cloud regions selected for the project; it may be stored in the United States.

Who we share data with

• Google Firebase, as a processor, to provide the storage and authentication services described above.
• Apple, to the extent required to operate Sign in with Apple. Apple's handling is described at https://www.apple.com/legal/privacy/.

We do not sell personal data, we do not share it with advertisers or data brokers, and we do not share it with any other third party.

How long we keep your data

• Your content and account data are retained for as long as your account exists.
• When you delete a story inside the app, its photo, thumbnail, and audio are deleted from our storage, and its metadata document is deleted from Firestore.
• When you Reset Account inside the app, all of your stories and their associated files are deleted; your account itself remains.
• When you Delete Account inside the app, all of your stories, all associated files, your user document, and your authentication record are deleted.

Deletion is immediate and irreversible. We do not retain backup copies beyond Google Cloud's standard operational backups, which are eventually expired by Google.

Your rights

You can at any time:

• See your content — it's always visible inside the app when you're signed in.
• Edit a story by re-recording its audio.
• Delete an individual story from the Story Detail screen or via swipe-to-delete on the list.
• Reset your account (wipe all stories, keep the account) from Settings → Danger Zone.
• Delete your account entirely from Settings → Danger Zone.
• Change your password from Settings → Security (email/password accounts only).

If you're in the EU/UK and want to exercise your GDPR rights (access, rectification, erasure, portability, objection) outside of the in-app controls, email us at gdpr@mystorybox.xyz and we will respond within 30 days.

If you're in California, you have equivalent rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. Storybox does not sell or share personal information within the meaning of those laws.

Security

• All network traffic between the app and Firebase is encrypted in transit (TLS).
• Data at rest in Firebase is encrypted using Google Cloud's default encryption.
• Access to your stories is restricted server-side by Firebase Security Rules — no other user of Storybox can read or modify your data.

No system is perfectly secure. If we learn of a breach affecting your data, we will notify affected users as required by applicable law.

Children

Storybox is not directed to children under 13 (or the equivalent minimum age in your jurisdiction, e.g. 16 in parts of the EU). We do not knowingly collect personal information from children. If you believe a child has created an account, email privacy@mystorybox.xyz and we will delete the account.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by an in-app notice on next launch.

Contact

General privacy questions: privacy@mystorybox.xyz

GDPR / EU data-subject requests: gdpr@mystorybox.xyz