StoryShots Complete Privacy Policy – Final Version

StoryShots

Complete Privacy Policy

Effective Date: August 1, 2018

Last Updated: May 29, 2025

Version: 3.0 – Complete Mobile Compliance

Document Summary

This comprehensive privacy policy addresses all data collection across StoryShots’ website, iOS app, Android app, and Flutter components. It includes complete SDK disclosure, mobile permissions, cross-platform tracking, and international compliance requirements.

1. INTRODUCTION AND SCOPE

1.1 Privacy Commitment

Parsida AB (“we,” “us,” “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, and protect your information when you use StoryShots services across all platforms.

1.2 Data Controller

Data Controller: Parsida AB

Address: Kindstugatan 3, 111 31 Stockholm, Sweden

Contact Email: support@getstoryshots.com

Organization Number: 5568563075

1.3 Platform Coverage

This policy applies to all StoryShots services including:

  • Website: getstoryshots.com and all subdomains
  • iOS Application: Native iOS app with extensive SDK integrations
  • Android Application: Native Android app with comprehensive tracking
  • Flutter Components: Cross-platform UI modules and features
  • Hybrid Architecture: Cross-platform data synchronization and analytics

2. INFORMATION WE COLLECT

2.1 Information You Provide

  • Account Information: Email address, name, password, profile picture
  • Authentication Data: Social login credentials (Facebook, Google)
  • Payment Information: Billing details, subscription preferences (processed by third parties)
  • Communications: Support messages, feedback, survey responses
  • User Content: Reviews, comments, bookmarks, reading preferences, notes
  • Preferences: App settings, notification preferences, content customization

2.2 Automatically Collected Information

Website Data Collection

  • Usage Data: Pages viewed, time spent, features used, session duration
  • Device Information: Browser type, operating system, IP address
  • Analytics Data: Google Analytics, Amplitude behavioral tracking
  • Cookie Data: Essential, analytics, and marketing cookies

Mobile App Data Collection

  • App Analytics: Screen views, feature usage, session patterns, user flows
  • Performance Data: App crashes, load times, memory usage, battery impact
  • Device Identifiers: IDFA (iOS), Google Advertising ID (Android), device fingerprints
  • Location Data: Approximate location (country/region) for content localization
  • Media Consumption: Audio playback analytics, reading speed, completion rates
  • Network Data: Connectivity status, download patterns, sync behavior

Android-Specific Data Collection

  • Device State: Phone state information, network status
  • Storage Access: Cached files, downloaded content, offline summaries
  • Background Activity: Foreground service data, boot completion events
  • System Integration: Content sharing patterns, external app interactions

iOS-Specific Data Collection

  • App Tracking: Cross-app advertising data, user attribution
  • System Integration: Siri shortcuts usage, iOS widget interactions
  • Media Access: Audio processing data, video interaction analytics
  • Notification Data: Push notification engagement, delivery status

2.3 Third-Party Information Sources

  • Social Media: Facebook, Google profile information (when connected)
  • Payment Processors: Transaction data from Stripe, Apple, Google
  • Analytics Partners: Behavioral data from Firebase, Amplitude
  • Advertising Networks: Ad interaction data from AdMob, Facebook Audience Network
  • Customer Support: Conversation data from Zendesk
  • Email Marketing: Engagement data from Mailchimp

3. PLATFORM-SPECIFIC DATA COLLECTION

3.1 Website Data Collection

Service Data Collected Purpose Legal Basis Retention
Google Analytics IP address, page views, browser type, referral source Website performance analysis Legitimate Interest 26 months
Amplitude User interactions, session data, behavioral patterns User experience optimization Legitimate Interest 2 years
Mailchimp Email address, name, subscription preferences Email marketing and newsletters Consent Until unsubscribe + 1 year
Zendesk Support messages, contact information Customer support Legitimate Interest 3 years after case closure
Stripe Payment information, billing address Payment processing Contract Performance 7 years (legal requirement)

3.2 iOS Application Data Collection

SDK/Service Data Collected Purpose Tracking
Firebase Analytics User events, screen views, custom parameters, user properties App analytics, user behavior analysis Yes
Amplitude Behavioral events, user properties, session data Advanced behavioral analytics Yes
Google AdMob Advertising ID, ad interactions, device info Advertising and monetization Yes
Facebook Audience Network Device identifiers, ad performance data Advertising mediation Yes
RevenueCat Purchase data, subscription status, revenue events Subscription management Yes
Firebase Crashlytics Crash reports, device state, stack traces App stability monitoring No

3.3 Android Application Data Collection

SDK/Service Data Collected Android Permission Shared with Third Parties
Firebase Suite Analytics, performance, messaging, auth data INTERNET, WAKE_LOCK Google/Firebase
Google Play Services Ads Advertising ID, ad interactions, device data AD_ID Google Ad Network
Amplitude Android User events, session tracking, device info INTERNET, ACCESS_NETWORK_STATE Amplitude Analytics
Facebook SDK Login data, app events, social sharing INTERNET Meta/Facebook
File System Access Cached content, downloaded summaries, user files READ/WRITE_EXTERNAL_STORAGE Cloud storage providers
Device State Access Phone state, network info, device IDs READ_PHONE_STATE Analytics providers

3.4 Flutter Module Data Collection

Cross-Platform Components:

  • Local Storage: shared_preferences, SQLite, Hive encrypted storage
  • Network Caching: cached_network_image, flutter_cache_manager
  • Analytics Integration: firebase_analytics, firebase_remote_config
  • Authentication: firebase_auth, cloud_firestore user data
  • Content Processing: markdown_widget, html parsing
  • Font Analytics: google_fonts usage tracking

4. ANDROID PERMISSIONS FRAMEWORK

4.1 Permission Categories and Data Access

Permission Data Accessed Purpose Data Sharing
READ_PHONE_STATE Device identifiers, network status, phone state Analytics, fraud prevention, device fingerprinting Firebase, Amplitude, advertising partners
WRITE_EXTERNAL_STORAGE Cached content, downloaded summaries, user files Offline functionality, content storage Cloud storage providers, analytics
READ_EXTERNAL_STORAGE Stored content, cache files, user data Content access, app functionality Analytics providers, performance monitoring
FOREGROUND_SERVICE_DATA_SYNC Background sync patterns, data usage Continuous data synchronization Firebase, analytics providers
FOREGROUND_SERVICE_MEDIA_PLAYBACK Audio playback data, media consumption patterns Background audio playback Media analytics, usage tracking
WAKE_LOCK Device wake patterns, background activity Background processing, notifications Performance monitoring, analytics
POST_NOTIFICATIONS Notification delivery status, engagement data Push notifications, user engagement Firebase Messaging, engagement analytics

5. LEGAL BASIS AND PURPOSE OF PROCESSING

5.1 GDPR Legal Basis

  • Contract Performance: Providing services, account management, payment processing, subscription management
  • Legitimate Interest: Service improvement, security, analytics, marketing to existing users, fraud prevention
  • Consent: Marketing communications, advertising tracking, optional features, non-essential cookies
  • Legal Obligation: Compliance with laws, legal requests, safety requirements, financial record keeping

5.2 Processing Purposes

Core App Functionality

  • Providing and maintaining StoryShots services
  • User authentication and account management
  • Content delivery and personalization
  • Cross-platform data synchronization

Business Operations

  • Processing payments and managing subscriptions
  • Customer support and communication
  • Legal compliance and safety
  • Business analytics and optimization

Analytics and Improvement

  • Analyzing usage patterns and user behavior
  • App performance monitoring and optimization
  • A/B testing and feature development
  • Security monitoring and fraud prevention

Marketing and Advertising

  • Personalized advertising and content
  • Email marketing and communications
  • Cross-app advertising attribution
  • Revenue optimization and monetization

6. DATA SHARING AND INTERNATIONAL TRANSFERS

6.1 Third-Party Service Providers

Category Service Providers Data Shared Purpose
Cloud Infrastructure Firebase (Google), AWS User data, app content, analytics Service hosting, data storage, performance
Analytics Google Analytics, Firebase Analytics, Amplitude Usage patterns, behavioral data, device info App optimization, user experience improvement
Advertising Google AdMob, Facebook Audience Network Advertising IDs, interaction data, preferences Personalized advertising, revenue generation
Payment Processing Stripe, Apple App Store, Google Play, RevenueCat Transaction data, billing info, subscription status Payment processing, subscription management
Communication Mailchimp, Zendesk, Firebase Messaging Contact info, communication preferences Email marketing, customer support, notifications
Social Integration Facebook, Google Profile data, authentication tokens Social login, content sharing, authentication

6.2 International Data Transfers

Transfer Mechanisms:

  • EU Adequacy Decisions: United Kingdom, Switzerland, and other countries with adequate protection
  • Standard Contractual Clauses (SCCs): 2021 EU Commission SCCs for transfers to third countries
  • Data Processing Agreements: All major vendors required to sign DPAs with appropriate safeguards
  • Transfer Impact Assessments: Conducted for all high-risk data transfers

6.3 Specific Vendor Transfer Details

Vendor Location Transfer Mechanism Additional Safeguards
Google (Firebase/Analytics) USA SCCs + Additional Safeguards EU data residency options, encryption
Amazon (AWS) USA/EU SCCs + Data Residency EU regions available, encryption at rest
Amplitude USA SCCs Data processing limitations, anonymization
Meta/Facebook USA SCCs Limited data processing, user controls

7. DATA RETENTION

7.1 Platform-Specific Retention Periods

Data Category Retention Period Legal Basis Deletion Trigger
Account Data Active period + 3 years after closure Legitimate interest, legal obligation User deletion request or retention expiry
Payment Data 7 years Legal obligation (accounting) Legal retention period expiry
Website Analytics 26 months (Google Analytics), 2 years (Amplitude) Legitimate interest Automated deletion by service provider
Mobile App Analytics 2 years (personal data), indefinite (aggregated) Legitimate interest Anonymization or deletion
Advertising Data 90 days to 2 years (varies by partner) Consent Consent withdrawal or partner deletion
Support Communications 3 years after case closure Legitimate interest Support case resolved + retention period
Marketing Data Until consent withdrawn + 1 year Consent Unsubscribe or consent withdrawal

7.2 Automated Deletion Processes

We implement both automated and manual processes to ensure data is deleted when retention periods expire:

  • Automated Systems: Scheduled deletion scripts for expired data
  • Manual Reviews: Quarterly audits of data retention compliance
  • User-Initiated: Immediate processing of valid deletion requests
  • Legal Holds: Suspension of deletion when legally required

8. YOUR PRIVACY RIGHTS

8.1 Universal Rights (All Users)

Access Rights

Request information about data we hold about you, including data sources and processing purposes.

Correction Rights

Request correction of inaccurate personal data and completion of incomplete data.

Deletion Rights

Request deletion of your personal data when processing is no longer necessary.

Opt-out Rights

Unsubscribe from marketing communications and withdraw consent for optional processing.

8.2 GDPR Rights (EU/EEA Users)

  • Data Portability: Receive your data in machine-readable format for transfer to another service
  • Restriction: Limit processing of your personal data under specific circumstances
  • Objection: Object to processing based on legitimate interest or direct marketing
  • Withdraw Consent: Withdraw consent for consent-based processing at any time
  • Lodge Complaint: File complaints with your local data protection authority
  • Automated Decision-Making: Right not to be subject to automated decision-making with legal effects

8.3 CCPA Rights (California Users)

California Consumer Rights:

  • Know: Right to know what personal information is collected, used, shared, and sold
  • Delete: Right to delete personal information held by businesses
  • Opt-out: Right to opt-out of sale of personal information
  • Non-discrimination: Right to non-discriminatory treatment for exercising privacy rights
  • Correct: Right to correct inaccurate personal information
  • Limit: Right to limit use and disclosure of sensitive personal information

Note: We do not sell personal information to third parties.

8.4 Exercising Your Rights

How to Contact Us:

  • Email: support@getstoryshots.com
  • Subject Line: “Privacy Rights Request”
  • In-App Controls: Privacy settings within the StoryShots app
  • Response Time: Within 30 days (GDPR) or 45 days (CCPA)

8.5 Mobile Platform Privacy Controls

iOS Privacy Controls

  • App Tracking: Settings → Privacy & Security → Tracking → StoryShots
  • Location Services: Settings → Privacy & Security → Location Services → StoryShots
  • Apple Advertising: Settings → Privacy & Security → Apple Advertising
  • App Privacy Report: Settings → Privacy & Security → App Privacy Report

Android Privacy Controls

  • App Permissions: Settings → Apps → StoryShots → Permissions
  • Google Ads: Settings → Google → Ads → Opt out of Ads Personalization
  • Location Services: Settings → Location → App-level permissions
  • Privacy Dashboard: Settings → Privacy → Privacy Dashboard

9. SECURITY MEASURES

9.1 Technical Safeguards

Encryption

  • Data encrypted in transit (TLS 1.3)
  • Data encrypted at rest (AES-256)
  • Database encryption
  • Mobile app data encryption

Access Controls

  • Multi-factor authentication
  • Role-based access control
  • Regular access reviews
  • Principle of least privilege

Monitoring

  • Security incident monitoring
  • Automated threat detection
  • Regular security assessments
  • Penetration testing

Development

  • Secure development practices
  • Code review processes
  • Vulnerability scanning
  • Regular security updates

9.2 Organizational Measures

  • Employee Training: Regular privacy and security training for all staff
  • Data Processing Agreements: Contractual safeguards with all third-party processors
  • Incident Response: Documented procedures for security and privacy incidents
  • Regular Audits: Internal and external compliance audits
  • Privacy by Design: Privacy considerations integrated into all new features and services

9.3 Breach Notification

In case of a data breach affecting personal data, we will:

  • Notify affected users within 72 hours if high risk to rights and freedoms
  • Notify relevant supervisory authorities within 72 hours (GDPR)
  • Provide clear information about the nature and impact of the breach
  • Offer practical steps users can take to protect themselves

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Website Cookies

Type Purpose Legal Basis Duration
Essential Service functionality, security, session management Legitimate Interest Session/1 year
Analytics Usage analysis, performance monitoring Consent 2 years
Marketing Advertising, remarketing, personalization Consent 90 days – 2 years
Functional Enhanced user experience, preferences Consent 1 year

10.2 Mobile App Tracking

iOS Tracking Technologies

  • Identifier for Advertisers (IDFA)
  • App Tracking Transparency framework
  • Apple attribution APIs
  • Local storage and preferences

Android Tracking Technologies

  • Google Advertising ID
  • Android Analytics SDKs
  • Shared preferences and databases
  • Device fingerprinting

10.3 Cookie and Tracking Controls

How to Control Tracking:

  • Browser Settings: Cookie controls and privacy preferences
  • Our Cookie Banner: Granular consent management on website
  • Mobile App Settings: In-app privacy controls and opt-outs
  • Third-Party Opt-Out: NAI, DAA, and partner-specific opt-out tools
  • Email Preferences: Unsubscribe links and preference centers

11. CHILDREN’S PRIVACY

11.1 Age Restrictions

Important: StoryShots is not intended for children under 13 years old (or 16 in the EU). We do not knowingly collect personal information from children under these ages.

11.2 Parental Controls and Notifications

  • If you believe a child has provided personal information, contact us immediately at support@getstoryshots.com
  • We will promptly investigate and delete any confirmed children’s data
  • Parents can request information about data we may have collected from their children
  • We implement age verification measures where legally required

12. POLICY UPDATES

12.1 Notification Process

We will notify users of material privacy policy changes through:

  • Email Notification: Sent to all registered users with active accounts
  • In-App Notifications: Push notifications and in-app banners
  • Website Banners: Prominent notices on getstoryshots.com
  • Updated Date: “Last modified” date prominently displayed

12.2 Consent for Material Changes

For material changes affecting consent-based processing, we will obtain new consent where required by law. Users will have the opportunity to review changes and make informed decisions about continued use of our services.

13. CONTACT INFORMATION

General Contact

Email: support@getstoryshots.com

Subject Lines:

  • Privacy Rights Request
  • Data Protection Inquiry
  • Security Concern
  • General Privacy Question

Company Information

Parsida AB

Kindstugatan 3, 111 31 Stockholm, Sweden

Organization Number: 5568563075

EU Representative: Contact support@getstoryshots.com for details

13.1 Regulatory Contacts

For EU Users – Supervisory Authority:

You have the right to lodge complaints with your local data protection authority if you believe your privacy rights have been violated.

For California Users – Attorney General:

You may file complaints regarding CCPA compliance with the California Attorney General’s office.

13.2 Response Times

  • General Inquiries: 5 business days
  • Privacy Rights Requests: 30 days (GDPR) / 45 days (CCPA)
  • Security Incidents: 24-72 hours
  • Data Breach Notifications: 72 hours (where required)

Comprehensive Legal Framework

This document represents a complete privacy framework for StoryShots operations across all platforms and jurisdictions.

Document Version: 3.0 – Complete Mobile Compliance

Last Updated: May 29, 2025

Next Review: November 29, 2025