By using Spicy Little Stories, you agree to this Privacy Policy. We take your privacy seriously and are committed to being transparent about how we handle your data.
The data controller for Spicy Little Stories is Mat Gallacher, United Kingdom. For all privacy enquiries contact mat.gallacher@gmail.com.
Waitlist sign-up: Email address and optional first name, collected when you request early access before registering.
Account Registration: Email address and password (encrypted)
When You Create a Story: Story title, scenario, metadata, characters, and all narrative content
Usage Data: Cover image requests, scene generation, user choices, and feedback
We automatically collect usage analytics, device information, IP addresses, and cookies. This helps us improve the Service and detect abuse.
We use your information to provide the Service, generate content, authenticate you, communicate with you, improve features, and prevent fraud.
All processing is based on contractual necessity, legitimate interest, or your consent (for analytics).
We share your story content and metadata with Grok to generate scenes and cover images. xAI retains this data for 30 days maximum.
All your data is stored in Supabase's secure, GDPR-compliant infrastructure.
Our application is hosted on Vercel's GDPR-compliant platform.
๐ก We Do NOT:
When you first sign in we ask four optional questions about how you found us, your reading habits, and the kinds of stories you enjoy. This data is stored in your account profile and used solely to help us prioritise features and understand our audience. You may skip any question.
After a small number of story scenes we may show a short, non-blocking feedback prompt asking for a star rating and an optional comment. Submitting this prompt sends the following data to us:
Feedback prompts can be dismissed at any time. Dismissing does not affect your access.
Founding members will be invited to a private Discord server. Messages you send in that community are subject to Discord's own Privacy Policy. We will read community messages as part of our product research but will not share individual messages or attribute quotes without your permission. You may use a pseudonym in the community.
Feedback data is used exclusively to:
We do not: sell feedback data, share it with third parties, or use it to train AI models. Feedback is retained for 24 months and then deleted.
๐ Your story content is never used for AI training
The scenarios, characters, and scenes you create are sent to xAI's Grok API solely to generate your story. We do not retain story content for training purposes, and xAI's current policy prohibits using API data to train their models. Your stories are private to you.
When you submit the early-access form we collect your email address and, optionally, your first name. We use this information solely to notify you when your invitation is ready.
Legal basis (GDPR): Consent โ you actively submit the form to be contacted.
Retention: Your waitlist entry is kept until we send your invitation or for a maximum of 12 months, whichever comes first. If you want to be removed sooner, email us and we will delete your entry within 7 days.
We do not share waitlist email addresses with any third party, and we will not send you anything unrelated to your early-access invitation.
Waitlist Data: Retained until invitation sent or 12 months, whichever is sooner
Active Account Data: Retained while your account is active
Deleted Account Data: Deleted within 30 days of deletion request
Feedback Data: Retained for 24 months then deleted
Analytics: Retained for 12 months (anonymized after 6 months)
Server Logs: Retained for 30 days
Grok Data: Automatically deleted by xAI after 30 days
We implement industry-standard security measures including TLS encryption, secure password hashing, and Row-Level Security (RLS) on all user data.
โ ๏ธ Important:
No security system is 100% secure. You are responsible for keeping your password confidential. If we detect a breach, we will notify you within 72 hours.
Your story content is sent to xAI's Grok API for:
Grok does not use your content to train models(per xAI's current policy). Your data is deleted after 30 days.
If you have questions about this Privacy Policy or want to exercise your privacy rights:
๐ง Email:
mat.gallacher@gmail.comWhat to Include:
Response Time:
Within 30 days (GDPR) or 45 days (CCPA)
Document Version: 1.0
Last Updated: May 26, 2026
Next Review: May 12, 2027