Privacy Policy
Last updated: 22 February 2026
This application exists to help people share their stories and discover that they are not alone. We understand that some experiences may be deeply personal or painful. Protecting your privacy is a core priority.
1. Purpose of this Policy
This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to all users of Our Shared Stories.
2. Who We Are
Our Shared Stories is the data controller responsible for your personal data. If you have questions about how your data is handled, you can contact us at: contact@oursharedstories.org.
3. Information We Collect
3.1 Account Information
When you accept an invitation and create your account, we collect:
- Email address (used for login, password resets, and account communication)
- Password (securely hashed using bcrypt; never stored in plain text)
- Handle or display name (visible to other users instead of your real name)
- Country (optional)
- Gender (optional)
- Year of birth (optional)
- Preferred language
3.2 Passkey Data
If you choose to set up passkey authentication (WebAuthn), we store a public key and credential identifier on our server. Your biometric data (such as a fingerprint or face scan) never leaves your device — only a cryptographic key is stored with us.
3.3 Story Data
- The stories you write, including title, text, and visibility setting
- Embeddings generated from your story text (numerical representations used to find similar stories)
- Story metadata such as timestamps, language, and publication status
3.4 Interaction Data
When you use the app, we record:
- Which stories you have viewed and when
- Stories you have appreciated (liked)
- Stories you have bookmarked
- Reports you have submitted about other stories
3.5 Technical and Security Data
- IP address at login and after failed login attempts (stored on your account for security monitoring)
- Basic browser and device information (used for session security)
- Failed login attempt counts and account lock status
- Log data for security and reliability (e.g., errors, suspicious activity)
- Time and date of interactions with the service
3.6 Invitation Data
When someone invites you, we store your email address and the inviter's identity before you create an account. This data is used solely to facilitate your invitation and is associated with your account once you accept.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your data:
- Contract performance — Processing your account information, stories, and interaction data is necessary to provide the service you signed up for.
- Legitimate interest — We process security data (such as IP addresses and failed login attempts) and analytics data to protect the service and its users. We also generate AI embeddings as a core feature to help users discover similar stories.
- Legal obligation — We may process data when required to comply with applicable laws.
- Consent — Where you include sensitive personal data in your stories (such as information about your health or mental health), we rely on your explicit consent, given when you choose to write and publish your story.
5. How We Use Your Information
- To operate your account and secure your login
- To save, display, and manage your stories
- To generate AI-based similarity suggestions by creating embeddings from your story text
- To track your interactions (views, appreciations, bookmarks) so you can revisit content
- To improve the safety and performance of the app
- To communicate with you about account-related matters (password resets, invitations)
- To moderate content and respond to reports of harmful material
6. Story Visibility and Control
You decide how each story is shared:
- Private – only you can see it
- Members only – only logged-in users can see it
- Public – visible to anyone
You may edit or delete your stories at any time. Changing a story's visibility takes effect immediately.
7. AI and Embeddings
The app uses AI to convert your story into an embedding — a numerical representation that captures thematic patterns in your text. Embeddings are used to suggest stories with similar themes. They do not contain your identity or personal information, and they cannot be used to reconstruct your original story.
To generate embeddings, your story text (title and body) is sent to OpenAI's embedding API. OpenAI processes this data solely to return the embedding vector and, under their API data usage policy, does not use it to train their models. No other personal information is included in this request.
If a story is private, it will not be sent for embedding generation or used to suggest content to other users.
8. Sharing of Your Information
We do not sell your data. We do not use your data for advertising. We may share limited information only when necessary:
- OpenAI — Story text (title and body) is sent to OpenAI's embedding API to generate similarity suggestions. No personal or account information is included in these requests.
- Postmark — Your email address is shared with Postmark, our email delivery provider, to send account-related emails such as password resets, invitations, and welcome messages.
- Render — Our hosting provider stores and processes all application data, including your account and stories, on managed infrastructure.
- Cloudflare — Provides DDoS protection and content delivery. Your IP address is processed by Cloudflare when you access the service.
- When required by law or to comply with legal process
- To prevent harm or address security issues
9. International Data Transfers
Our service providers (Render, OpenAI, Postmark, and Cloudflare) are based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to and processed in the United States.
These transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, and our service providers' own data protection commitments. You can request more information about these safeguards by contacting us.
10. Data Retention
We keep your data only as long as necessary for the purposes described in this policy:
- Account data — Retained for as long as your account is active. When you request account deletion, all associated data (stories, interactions, credentials) is permanently removed from our database.
- Stories and embeddings — Retained until you delete them or delete your account.
- Security logs — IP addresses and login records on your account are retained for as long as your account exists. Server logs are managed by our hosting provider and retained according to their policies.
- Invitation data — Unused invitation tokens expire after 3 days. Invitation records are retained as part of the invitee's account data.
11. Data Security
We use industry-standard security measures including HTTPS encryption in transit, encrypted storage at rest, secure password hashing (bcrypt), CSRF protection, rate limiting, and continuous monitoring for suspicious activity. No system is completely risk-free, but we take reasonable steps to protect your information.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by the GDPR.
Learn more about security
12. Your Rights
Under the GDPR, you have the following rights over your personal data:
- Access — You can request a copy of the personal data we hold about you.
- Rectification — You can update your handle, country, gender, year of birth, and language at any time through your profile settings. Email addresses cannot be changed directly for security reasons; please contact us if you need to update your email.
- Erasure — You can delete individual stories at any time. You can also request permanent deletion of your entire account and all associated data.
- Restriction of processing — You can request that we limit how we process your data in certain circumstances.
- Data portability — You can request a copy of your data in a structured, commonly used, machine-readable format.
- Objection — You can object to processing based on our legitimate interest. We will stop processing unless we have compelling legitimate grounds.
- Withdraw consent — Where we rely on your consent (such as for sensitive data in your stories), you can withdraw it at any time by deleting the relevant story or your account.
To exercise any of these rights, please contact us at contact@oursharedstories.org. We will respond within 30 days.
13. Sensitive Personal Data
Stories on this platform may contain sensitive personal data, including information about your health, mental health, or other experiences that qualify as special category data under the GDPR. By choosing to write and publish such content, you give your explicit consent for us to store and display it according to your chosen visibility settings.
You can withdraw this consent at any time by changing your story's visibility to private, deleting the story, or deleting your account.
14. Content Moderation
To maintain a safe environment, users can report stories they find harmful or inappropriate. Reports are reviewed by a small number of authorised administrators.
When a story is reported, we store the report reason and the reporter's identity. The reporter's identity is only visible to administrators and is never shared with the story author. Administrators may hide or remove stories and suspend accounts that violate our Terms of Use. All moderation actions are logged.
15. Children
This service is intended for adults only. You may not use this application if you are below the age of digital consent or adulthood as defined by the laws of your country. Children and minors are not permitted to use Our Shared Stories under any circumstances, including with the supervision or involvement of an adult.
16. Cookies and Analytics
We use a session cookie to keep you logged in. This cookie is essential for the service to function and does not track you across other websites.
We use Plausible Analytics, a privacy-friendly analytics tool, to understand how people use the service. Plausible does not use cookies, does not track individual users, and does not collect personal data. All analytics data is aggregated and anonymous.
We do not use advertising trackers, marketing cookies, or third-party profiling tools such as Google Analytics or Facebook Pixel.
17. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes that affect your rights, we will notify you through the app or by email before the changes take effect. The date at the top of this page shows when the policy was last updated.
18. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your local authority at edpb.europa.eu.
19. Contact
If you have questions about your privacy or how we use your data, please contact us at: contact@oursharedstories.org.