Privacy Policy

How we collect, use, and protect your data

Contact

Last Updated: May 26, 2026

By using Spicy Little Stories, you agree to this Privacy Policy. We take your privacy seriously and are committed to being transparent about how we handle your data.

๐Ÿ“ Written for GDPR (EU/UK)๐Ÿ“ Written for CCPA (California)

Data Controller

The data controller for Spicy Little Stories is Mat Gallacher, United Kingdom. For all privacy enquiries contact mat.gallacher@gmail.com.

1. Information We Collect

1.1 Information You Provide Directly

Waitlist sign-up: Email address and optional first name, collected when you request early access before registering.

Account Registration: Email address and password (encrypted)

When You Create a Story: Story title, scenario, metadata, characters, and all narrative content

Usage Data: Cover image requests, scene generation, user choices, and feedback

1.2 Information Collected Automatically

We automatically collect usage analytics, device information, IP addresses, and cookies. This helps us improve the Service and detect abuse.

2. How We Use Your Information

We use your information to provide the Service, generate content, authenticate you, communicate with you, improve features, and prevent fraud.

All processing is based on contractual necessity, legitimate interest, or your consent (for analytics).

3. Data Sharing & Third Parties

3.1 Grok AI (xAI)

We share your story content and metadata with Grok to generate scenes and cover images. xAI retains this data for 30 days maximum.

3.2 Supabase (Infrastructure)

All your data is stored in Supabase's secure, GDPR-compliant infrastructure.

3.3 Vercel (Hosting)

Our application is hosted on Vercel's GDPR-compliant platform.

๐Ÿ’ก We Do NOT:

  • Sell your personal data
  • Share data with advertisers or marketers
  • Use data brokers

4. Your Privacy Rights

GDPR Rights (EU/UK Users)

  • Right of Access: Request a copy of your data
  • Right to Erasure: Request deletion of your account and data
  • Right to Rectification: Correct inaccurate data
  • Right to Data Portability: Export your data in machine-readable format
  • Right to Object: Opt out of analytics and processing
  • Right to Lodge a Complaint: File a complaint with your data protection authority

CCPA Rights (California Users)

  • Right to Know: What information we collect and how we use it
  • Right to Access: Get a copy of your personal information
  • Right to Delete: Request deletion of your data
  • Right to Non-Discrimination: We won't penalize you for exercising these rights

5. Founding Member & Feedback Data

5.1 Onboarding Survey

When you first sign in we ask four optional questions about how you found us, your reading habits, and the kinds of stories you enjoy. This data is stored in your account profile and used solely to help us prioritise features and understand our audience. You may skip any question.

5.2 In-App Feedback Prompts

After a small number of story scenes we may show a short, non-blocking feedback prompt asking for a star rating and an optional comment. Submitting this prompt sends the following data to us:

  • Your account identifier (so we can associate feedback with a user)
  • The story identifier and scene number
  • Your rating (1โ€“5 stars)
  • Your optional free-text comment

Feedback prompts can be dismissed at any time. Dismissing does not affect your access.

5.3 Community Participation

Founding members will be invited to a private Discord server. Messages you send in that community are subject to Discord's own Privacy Policy. We will read community messages as part of our product research but will not share individual messages or attribute quotes without your permission. You may use a pseudonym in the community.

5.4 How We Use Feedback Data

Feedback data is used exclusively to:

  • Identify and fix product issues
  • Prioritise features and improvements
  • Understand aggregate user satisfaction

We do not: sell feedback data, share it with third parties, or use it to train AI models. Feedback is retained for 24 months and then deleted.

๐Ÿ”’ Your story content is never used for AI training

The scenarios, characters, and scenes you create are sent to xAI's Grok API solely to generate your story. We do not retain story content for training purposes, and xAI's current policy prohibits using API data to train their models. Your stories are private to you.

6. Waitlist & Early Access

When you submit the early-access form we collect your email address and, optionally, your first name. We use this information solely to notify you when your invitation is ready.

Legal basis (GDPR): Consent โ€” you actively submit the form to be contacted.

Retention: Your waitlist entry is kept until we send your invitation or for a maximum of 12 months, whichever comes first. If you want to be removed sooner, email us and we will delete your entry within 7 days.

We do not share waitlist email addresses with any third party, and we will not send you anything unrelated to your early-access invitation.

7. Data Retention

Waitlist Data: Retained until invitation sent or 12 months, whichever is sooner

Active Account Data: Retained while your account is active

Deleted Account Data: Deleted within 30 days of deletion request

Feedback Data: Retained for 24 months then deleted

Analytics: Retained for 12 months (anonymized after 6 months)

Server Logs: Retained for 30 days

Grok Data: Automatically deleted by xAI after 30 days

8. Data Security

We implement industry-standard security measures including TLS encryption, secure password hashing, and Row-Level Security (RLS) on all user data.

โš ๏ธ Important:

No security system is 100% secure. You are responsible for keeping your password confidential. If we detect a breach, we will notify you within 72 hours.

9. Cookies and Tracking

We use essential cookies for authentication and security. Non-essential analytics cookies are optional and will require your consent.

We do not use third-party analytics (Google Analytics, etc.) and do not track you across the web.

10. AI Content Generation Disclosure

Your story content is sent to xAI's Grok API for:

  • Generating story scenes and narrative continuations
  • Generating AI cover images

Grok does not use your content to train models(per xAI's current policy). Your data is deleted after 30 days.

Contact & Questions

If you have questions about this Privacy Policy or want to exercise your privacy rights:

๐Ÿ“ง Email:

mat.gallacher@gmail.com

What to Include:

  • Your full name
  • Email address associated with your account
  • Type of request (Access, Deletion, Export, etc.)

Response Time:

Within 30 days (GDPR) or 45 days (CCPA)

Document Version: 1.0

Last Updated: May 26, 2026

Next Review: May 12, 2027

TermsยทPrivacy