Privacy Policy

Effective date: 11/05/2025

1 · Who We Are

StoryBear (“StoryBear”, “we”, “us”) is the controller of your personal data under the EU General Data Protection Regulation (GDPR). Address: Schlossparkstraße 13 1, 52072 Aachen, Germany · [email protected]. We are a small organisation and do not carry out large-scale processing of special-category data; therefore a Data-Protection Officer is not required under Article 37 GDPR.

2 · What Data We Collect & Why

| Category | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Email & hashed password | Create and secure your account (Firebase Auth) | Contract Art. 6 (1)(b) |
| Payment tokens / last 4 | Process payments & issue credits (Stripe) | Contract Art. 6 (1)(b) |
| Plush images you upload | Generate personalised story images | Consent Art. 6 (1)(a) |
| Generated stories & images | Store & display your stories; share via link | Contract Art. 6 (1)(b) |
| Server logs (IP, UA) | Security, abuse prevention, debugging | Legitimate interest Art. 6 (1)(f) |
| Future analytics cookies* | Improve product; measure usage | Consent Art. 6 (1)(a) |

*Analytics is disabled by default. If enabled, we will request your opt-in via a cookie banner.

3 · Processors & Data Sharing

We engage the following processors under GDPR-compliant Data-Processing Agreements:

  • Firebase (Google Cloud) – Authentication, Firestore, Storage
  • Stripe – Payment processing, fraud prevention
  • Cloudflare – CDN, WAF, DDoS protection

4 · Cookies & Analytics

Only essential Firebase session cookies are set today. If we add analytics cookies (e.g. Google Analytics 4) we will request your explicit consent via a banner before any non-essential cookies are stored.

5 · Public Story Links

Stories you create are publicly accessible to anyone with the unique URL. You can delete a story from your Library at any time; deletion is propagated across our servers within 24 hours.

6 · Data Retention & Deletion

We keep account and content data for at least 12 months after creation or your last login. Deleting your account in Settings removes all personal data from live systems within 30 days (including backups).

7 · Security Measures

  • All traffic uses TLS/HTTPS.
  • Plush images require Firebase Auth tokens.
  • Data stored in ISO 27001-certified Google Cloud data centres.
  • Cloudflare WAF mitigates DDoS.
  • Quarterly access-rights reviews.

If a personal-data breach occurs we will notify the German supervisory authority and affected users within 72 hours, per Arts. 33-34 GDPR.

8 · Children Under 13

StoryBear is not directed to children under 13. If we learn we have collected data from a child we will delete it or obtain verifiable parental consent in accordance with COPPA.

9 · International Transfers

Firebase and Stripe may process data outside the EU. Transfers rely on Standard Contractual Clauses and, for US entities, participation in the EU-US Data Privacy Framework.

10 · Your GDPR Rights

  • Access
  • Rectification
  • Erasure (“right to be forgotten”)
  • Restriction of processing
  • Data portability – JSON export available within 30 days on request
  • Objection / withdraw consent

11 · Changes to This Policy

Material updates will be announced via an in-app banner and this page’s “Effective date” will change accordingly.

12 · Contact

StoryBear · Schlossparkstraße 13 1, 52072 Aachen, Germany
Email: [email protected]