Privacy Policy

Last updated: 3 July 2026

Storykept helps you record and preserve personal and family stories. This policy explains what data we collect, why, and the rights you have over it. Storykept is operated from Austria (EU); the operator's full legal details are in our Impressum.

What we collect

To provide the service, we collect:

  • Account details. If you sign in with Google, we receive your name, email address, and profile picture from your Google account. If you sign in with email, we store your email and a securely hashed password.
  • Your stories. The audio you record, its transcript, the AI-cleaned and edited versions, and details like titles, dates, places, people, and topics that you or the AI add. When you choose to have a story read aloud, we also generate and store narration audio of the written text.
  • Family & sharing. The groups you create or join, who is a member, which stories are shared with them, the people and the family relationships you record to build your family tree, and any share links you create.
  • Usage & diagnostics. Basic, minimal technical data needed to run the service securely and fix problems. If you send feedback, we also store what you wrote, the page you were on, and your browser type to help us reproduce the issue.
  • Payment data (when paid plans launch). Handled by our payment provider, Stripe. Stripe may act as merchant of record for paid subscriptions; for physical books and gifts, Storykept is the seller of record and Stripe processes the card payment. We never see or store your card details.
  • Usage analytics. We use PostHog (hosted in the EU) to understand how the site and app are used. It stays off until you consent via the cookie banner, and we never record your screen or your story content.

Your original recordings are never altered

Your original audio and its first transcript are kept unchanged. When the AI cleans up a story, or you edit it, those are saved as separate versions — so the words your family actually spoke are never overwritten.

Why we use it & our legal basis

  • To provide the service you asked for — recording, transcribing, and storing your stories (contract, GDPR Art. 6(1)(b)).
  • To process your recordings with AI transcription and writing providers, some outside the EU (your consent, GDPR Art. 6(1)(a), given when you record).
  • Where a story touches special-category data — health, religious or political beliefs, ethnicity, sexual orientation — we process it only on your explicit consent (GDPR Art. 9(2)(a)), given when you record or share it.
  • To keep the service secure and working (our legitimate interest, GDPR Art. 6(1)(f)).
  • To measure website visits, only if you accept analytics cookies (consent).

How AI processing works — and what we won't do

When you record a story, your audio is sent to a speech-to-text provider to create a transcript, and the text is sent to a writing AI to suggest follow-up questions and to polish the story. The AI also recognises the people, places, dates, and topics in your story so it can tag and organise it and connect mentions to your family tree. If you ask to hear a story read aloud, its written text is sent to a text-to-speech provider that returns spoken audio in a single neutral narrator voice. These providers process your content only to perform that task for us, under data-processing agreements.

  • We do not use your recordings, transcripts, or photos to train, fine-tune, or improve any AI model — ours or anyone else's.
  • We will never create a voice clone or synthetic likeness of you or anyone in your stories. The optional read-aloud narration uses a single neutral narrator voice — never a recreation of anyone's real voice. This is a permanent commitment, not a setting.
  • We select providers that contractually commit not to train their models on the data we send through their API, and we use their data-retention controls where available. We cannot independently audit a provider's internal systems, so we commit to using providers with these protections, naming them below, and giving notice before adding a materially different one.

A story may touch sensitive topics (health, beliefs, family history). You choose what to record. By recording, you give your explicit consent to that content being processed by the providers below so we can turn it into a story for you.

Who processes your data (sub-processors)

We share data only with the providers needed to run Storykept, each acting on our instructions:

  • Supabase — database, login, and file storage (EU region)
  • Cloudflare R2 — audio recording storage (EU region)
  • Vercel — website and app hosting
  • LiveKit — real-time audio for live recording calls (EU region)
  • Scaleway — speech-to-text transcription for all languages except Bulgarian; processed in the EU (France) and never retained or used for training
  • ElevenLabs — Bulgarian speech-to-text transcription only (USA)
  • OpenAI, Anthropic — story writing, follow-up questions, and transcription fallback (USA)
  • Google — sign-in with Google (only if you choose it), and text-to-speech narration that reads stories aloud (most languages)
  • Microsoft Azure — text-to-speech narration for Bulgarian stories
  • PostHog — usage analytics, hosted in the EU (only if you accept analytics)
  • Resend — sending account and notification emails (EU region)
  • Migadu — receiving email you send to our support addresses (EU region)
  • Stripe (Stripe Payments Europe, Ireland) — payment processing, billing, and tax calculation/collection as applicable; merchant of record for paid subscriptions where Stripe Managed Payments is used
  • Lulu — print and ship physical books (receives your book content and the delivery address you provide), once printed books launch

We do not sell or rent your personal data, and we do not share it for third-party marketing.

Data sent outside the EU

Some AI providers process data in the United States. Where that happens, the transfer is covered by the European Commission's Standard Contractual Clauses or an equivalent safeguard, and by your consent given when you record. You can use the service without recording if you prefer not to have content processed this way.

Stories about other people, and recordings

Stories often mention — or record the voice of — family members. If you invite someone to record, or record a story about another person, you confirm you have their agreement, and that you have told everyone being recorded. When you add people and relationships to build your family tree, you may record basic details — such as names, relationships, and life dates — about relatives, including some who do not use Storykept themselves; we process this for the legitimate interest of preserving family history (GDPR Art. 6(1)(f)). Anyone whose personal data appears in Storykept can contact us to access or remove it.

Content you choose to share

Storykept is private by default. If you create a public share link for a story, you are instructing us to make that story — and any personal data within it, which may include the names, voices, images, or sensitive details of you and others — accessible to anyone who has the link. This is your decision and your explicit consent under GDPR Art. 6(1)(a) and, for any sensitive details, Art. 9(2)(a). A shared story is no longer protected by your account's access controls until you revoke the link. Share links are not indexed by search engines. You can revoke a link at any time; we cannot retrieve copies already viewed or downloaded while it was active.

How long we keep it

We keep your stories for as long as your account is active, because preserving them is the point of the service. When you delete your account, we begin deletion and erase your data within 30 days, except where the law requires us to keep limited records (for example, payment records).

One honest exception: stories you contributed to a shared circle. Deleting your account erases everything in your private space and in circles only you own, and removes your name from contributions you made to shared stories — but the recordings and words themselves stay with that circle, because erasing them would tear holes in other people's family history. If you want your voice removed from shared stories entirely, remove those contributions before deleting your account, or email privacy@storykept.app and we will remove them for you.

After you're gone

Storykept is built to outlast its users. EU data-protection law does not, by itself, protect the personal data of people who have died, so what happens to your vault is set out in our Terms: where available you can name a legacy contact, and otherwise we respond to verified requests from your estate under the inheritance law that applies.

Your rights

Under the GDPR you have the right to:

  • Access — get a copy of your data
  • Portability — receive it in a machine-readable format
  • Rectification — correct anything inaccurate
  • Erasure — delete your data and account
  • Object / withdraw consent — at any time, without affecting past processing

You can export or delete your account from your settings, or email us at privacy@storykept.app. We respond within 30 days.

Reporting illegal content

Your vault is private and we do not monitor its contents. If you believe content on Storykept — including something shared with you via a link — is illegal, tell us at privacy@storykept.app and we will act promptly, in line with the EU Digital Services Act. See our Terms for details.

Security

Your data is stored in the EU with access controls so that you and the family members you choose are the only people who can see your stories. Connections are encrypted, and audio links are private and time-limited.

No online service can guarantee that a breach is impossible. If a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours as required by the GDPR, and we will inform you without undue delay where the law requires it — telling you what happened, what data was involved, and what we are doing about it.

Children

Storykept is not intended for children under 16. If a child's story is recorded, it should be done by a parent or guardian who consents on their behalf.

Changes & complaints

We will update this policy as the service grows and tell you about material changes. If you believe we have mishandled your data, you can complain to the Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at.

Contact

Questions about this policy or your data: privacy@storykept.app

Privacy Policy — Storykept