Story Of The Day Privacy Policy

Quick Overview

Here's what you should know at a glance:

What We Collect

Account Info Email, name, avatar from sign-in providers (Google, Apple, etc.)

Your Preferences Languages, topics, difficulty levels you select

Quiz & Story Activity Answers, scores, favorites, progress tracking

Device & App Info Device model, OS version, app version (for compatibility)

Usage Analytics Screen views, feature usage (aggregated & anonymized)

Crash Reports Error logs to fix bugs and improve stability

Ads Data (Optional) Advertising ID for personalized ads (with consent)

User Content Stories you create or save within the app

How We Use It

✓ Authenticate you and keep your account secure
✓ Personalize stories and quizzes based on your preferences
✓ Track your progress and show your favorites
✓ Improve app features and fix bugs
✓ Understand usage patterns (anonymized data)
✓ Serve optional advertisements (mobile only)
✓ Comply with legal requirements

Your Rights

✓ Access and export your data
✓ Update your preferences anytime
✓ Delete your account and data
✓ Opt out of personalized ads (device settings)
✓ Withdraw consent for analytics (contact us)

Contact: [email protected]

2. Information We Collect

We collect several types of information to provide and improve our services:

2.1 Information You Provide Directly

Data Type	Examples	Purpose
Account Identifiers	Firebase UID, provider ID, internal user ID	Authentication, session management, abuse prevention
Contact Information	Email address, display name, profile picture	Sign-in, account display, support communications
Profile Preferences	Languages, topics, difficulty levels	Personalized content recommendations
Content Interaction	Favorite stories, quiz submissions, answers, scores	Progress tracking, feature functionality
User-Generated Content	Stories you create or save	App functionality, content moderation

2.2 Information Collected Automatically

Data Type	Source/Tool	Purpose
Device Information	`device_info_plus` (mobile)	Device model, OS version, locale for compatibility & troubleshooting
Usage Analytics	`firebase_analytics`	Screen views, feature usage, session duration (aggregated)
Crash Reports	`firebase_crashlytics`	Stack traces, error messages for debugging
Advertising ID	`google_mobile_ads`	Serve personalized ads (mobile only, with consent)
Technical Logs	Backend servers	Request metadata (time, path, status) for security & reliability

2.3 Information from Third Parties

Google Sign-In: Basic profile (email, name, photo) from your Google account
Apple Sign-In: Email and name from your Apple ID
Other OAuth Providers: Similar basic profile information

What We DON'T Collect: Passwords (federated login only), government IDs, sensitive categories (health, religion, political opinions, biometric data).

Purpose	Description
Provide & Maintain Service	Create/manage account, deliver core features, ensure app functions correctly
Personalization	Tailor stories, quizzes, and content based on your preferences and progress
Communication	Send important updates, respond to support requests
Improvement & Analytics	Understand usage patterns, gather feedback, optimize user experience
Security & Fraud Prevention	Monitor for abuse, prevent unauthorized access, protect platform integrity
Advertising (Mobile)	Display relevant ads to support free access (with appropriate consent)
Legal Compliance	Respond to lawful requests, enforce terms of service

4. Legal Bases for Processing (GDPR/EU Law Compliance)

If you're in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6:

Legal Basis	Processing Activities	GDPR Reference
Contract Performance (Art. 6(1)(b))	Account creation and authentication Delivering stories and quizzes Storing your preferences and progress Providing core app functionality	GDPR Art. 6(1)(b)
Legitimate Interests (Art. 6(1)(f))	Service improvement and optimization Security monitoring and fraud prevention Technical operations and bug fixes Aggregated analytics (anonymized) Business administration We conduct legitimate interest assessments (LIAs) to ensure your rights aren't overridden.	GDPR Art. 6(1)(f)
Consent (Art. 6(1)(a))	Personalized advertising (AdMob) Non-essential analytics and tracking Marketing communications (if implemented) Cookie placement (non-essential) Consent is freely given, specific, informed, and can be withdrawn at any time.	GDPR Art. 6(1)(a), Art. 7
Legal Obligation (Art. 6(1)(c))	Compliance with applicable laws Responding to lawful government requests Maintaining legally required records Tax and accounting obligations	GDPR Art. 6(1)(c)

Withdrawing Consent

Where we rely on your consent, you have the right to withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal. To withdraw consent:

Adjust settings in your device (iOS/Android advertising preferences)
Contact us at [email protected]
Use in-app privacy controls (when available)

Note for EU Users: Under GDPR, you cannot be denied service for refusing optional consent (e.g., personalized ads). Core functionality will remain available even if you withdraw consent for non-essential processing.

6. Third-Party Services & Processors

We use the following third-party services that may collect and process your information:

Service	Purpose	Data Processed	Privacy Policy
Firebase Authentication	User sign-in & identity management	Email, name, provider IDs, auth tokens	Firebase Privacy
Firebase Analytics	Usage analytics (aggregated)	Event names, timestamps, device info	Firebase Privacy
Firebase Crashlytics	Crash reporting & diagnostics	Stack traces, device state, app version	Firebase Privacy
Google AdMob	Mobile advertising (if enabled)	Advertising ID, device signals, context	Google Ads Policy
Google Sign-In	OAuth authentication	Email, name, profile picture	Google Privacy
device_info_plus	Device capability detection (local)	Model, OS version, locale	Package Info
flutter_secure_storage	Secure local storage (on-device only)	Auth tokens (encrypted locally)	Package Info

Note: Data processing locations vary by service (typically USA/global). Standard Contractual Clauses or equivalent safeguards apply where required by law.

7. Data Security

We take security seriously and implement industry-standard technical and organizational measures to protect your information:

7.1 Technical Measures

Encryption: Data in transit uses HTTPS/TLS 1.2+; sensitive data at rest uses AES encryption
Authentication: Firebase token-based verification, no plain-text passwords stored
Access Controls: Least-privilege principle, role-based access control (RBAC)
Secure Storage: flutter_secure_storage for sensitive mobile data (tokens), encrypted databases
Monitoring: Automated alerts for suspicious activity and abuse patterns
Regular Updates: Dependency patches, security audits, vulnerability scanning
Firewall & DDoS Protection: Network security measures to prevent unauthorized access

7.2 Organizational Measures

Limited Access: Only authorized personnel with legitimate business need can access personal data
Confidentiality Agreements: All staff and contractors sign confidentiality agreements
Training: Regular security awareness and data protection training
Incident Response Plan: Documented procedures for handling security incidents
Data Minimization: We collect only necessary data and delete it when no longer needed

7.3 Data Breach Notification (GDPR Art. 33-34)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify Supervisory Authority: Report the breach to the relevant data protection authority within 72 hours of becoming aware (GDPR Art. 33)
Notify Affected Users: If the breach poses a high risk, we will notify you directly without undue delay (GDPR Art. 34), including:
- Nature of the breach and categories of data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further inquiries
Maintain Records: Document all data breaches (regardless of notification requirement) as required by GDPR Art. 33(5)

Important: No system is 100% secure. If you suspect unauthorized access to your account, please contact us immediately at [email protected].

Responsible Security Disclosure

If you discover a security vulnerability, please report it responsibly:

Email us at [email protected] with details (no public disclosure until we've addressed it)
Avoid data exfiltration beyond proof-of-concept
Give us reasonable time to fix the issue (we aim for 90 days)
We appreciate responsible disclosure and may offer recognition (subject to scope and impact)

Data Type	Retention Period
Active Account Data	While your account exists and you use the service
Deleted Account Data	Removed or anonymized within 30-90 days of deletion request
Quiz & Progress Data	Retained during account lifetime; may be aggregated/anonymized after deletion
Analytics & Logs	Typically 30-90 days (unless needed for investigations or legal requirements)
Backups	Purged on next rotation cycle after deletion event
Legal/Accounting Records	As required by applicable law (varies by jurisdiction)

9. International Transfers (GDPR Chapter V Compliance)

Story Of The Day operates globally. Your data may be processed in countries outside your residence, including the United States and other regions where our service providers operate.

9.1 Transfers from EU/EEA to Third Countries

When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that do not have an adequacy decision from the European Commission, we implement appropriate safeguards as required by GDPR Article 44-50:

Safeguard Mechanism	Description	GDPR Reference
Standard Contractual Clauses (SCCs)	We use EU Commission-approved Standard Contractual Clauses (2021 version) with our data processors and service providers to ensure adequate data protection.	GDPR Art. 46(2)(c)
Adequacy Decisions	Where available, we rely on European Commission adequacy decisions for specific countries (e.g., UK under the UK GDPR transition, Switzerland, Japan).	GDPR Art. 45
Processor Agreements	All third-party processors (Firebase, Google Cloud, AdMob) have Data Processing Agreements (DPAs) in place with appropriate safeguards.	GDPR Art. 28
Supplementary Measures	In accordance with Schrems II ruling, we assess transfer risks and implement technical measures (encryption, access controls, data minimization) where necessary.	CJEU C-311/18

9.2 Countries of Processing

Your data may be processed in the following regions:

United States: Firebase/Google Cloud infrastructure (protected by Google's SCCs and supplementary measures)
European Union: Where EU-region data centers are selected
Other Google Cloud Regions: Depending on service configuration

9.3 Your Rights Regarding International Transfers

You have the right to:

Obtain information about the safeguards we use for international transfers
Request a copy of the Standard Contractual Clauses (where applicable)
Object to transfers if you believe adequate safeguards are not in place

For questions about international transfers or to request documentation, contact us at [email protected].

Important: We regularly review our international data transfers to ensure compliance with evolving EU data protection requirements, including guidance from the European Data Protection Board (EDPB).

10. Your Rights & Choices

Depending on your location, you may have the following rights. EU/EEA, UK, and Swiss residents have comprehensive rights under GDPR and equivalent laws:

10.1 Right of Access (GDPR Art. 15)

Request confirmation of whether we process your personal data and obtain a copy of your data, including:

Categories of data we hold about you
Purposes of processing
Recipients or categories of recipients
Retention periods (or criteria for determining them)
Your rights (rectification, erasure, restriction, objection)
Right to lodge a complaint with a supervisory authority
Source of data (if not collected from you)
Existence of automated decision-making (if applicable)

Response time: Within 1 month (may be extended by 2 months for complex requests, with notification).

10.2 Right to Rectification (GDPR Art. 16)

Correct inaccurate or incomplete personal information. You can also update most data directly in app settings.

10.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

Request deletion of your account and associated personal data when:

Data is no longer necessary for the purposes it was collected
You withdraw consent (where consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
Data has been unlawfully processed
Data must be erased for legal compliance

Note: Certain data may be retained if required for legal obligations, exercising legal claims, or public interest.

10.4 Right to Restriction of Processing (GDPR Art. 18)

Request that we limit how we process your data when:

You contest the accuracy of data (during verification)
Processing is unlawful but you prefer restriction over erasure
We no longer need the data but you need it for legal claims
You've objected to processing (pending verification of legitimate grounds)

10.5 Right to Object (GDPR Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

10.6 Right to Data Portability (GDPR Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller where:

Processing is based on consent or contract, AND
Processing is carried out by automated means

10.7 Right to Withdraw Consent (GDPR Art. 7(3))

For consent-based processing (ads, non-essential analytics), you can withdraw consent anytime without affecting the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint (GDPR Art. 77)

File a complaint with your local data protection supervisory authority (DPA/ICO). EU residents can contact their national authority:

Germany: BfDI
France: CNIL
UK: ICO
Find your authority: EDPB Members

10.9 Automated Decision-Making & Profiling (GDPR Art. 22)

We do not currently use automated decision-making or profiling that produces legal or similarly significant effects. If this changes, we will:

Notify you explicitly
Obtain your explicit consent where required
Provide information about the logic involved
Allow you to contest decisions and request human intervention

10.10 Advertising & Analytics Controls

Mobile Ad Personalization: Opt out via device settings:
- iOS: Settings → Privacy & Security → Tracking / Apple Advertising
- Android: Settings → Privacy → Ads → Delete advertising ID or opt out
Analytics: Contact us to opt out of non-essential analytics
In-App Settings: Future updates will include consent management directly in the app

How to Exercise Your Rights

Email [email protected] with your request
Specify which right(s) you're invoking (access, deletion, portability, etc.)
Provide sufficient account details to verify your identity (we may request additional verification)
We'll respond within 1 month (GDPR requirement; may extend by 2 months for complex requests with notification)
All requests are handled free of charge unless manifestly unfounded or excessive

EU Users: These rights are guaranteed under GDPR. We will not discriminate against you for exercising these rights. If you're unsatisfied with our response, you have the right to lodge a complaint with your supervisory authority.

11. Cookies & Tracking Technologies (ePrivacy Directive Compliance)

11.1 Web Application

The backend does not set marketing or tracking cookies. Session/authentication is handled via Firebase tokens and standard HTTP headers. Essential cookies (if any) are used solely for functionality and do not require consent under the ePrivacy Directive.

Essential Cookies Only: We only use strictly necessary cookies required for core functionality (authentication, security). These do not require consent under EU ePrivacy Directive Article 5(3) and GDPR Recital 30.

11.2 Mobile Application

We use the following SDKs and technologies (mobile app identifiers are similar to cookies for tracking purposes):

Technology	Type	Consent Required (EU)?	Purpose
Firebase Authentication	Essential	No (strictly necessary)	User authentication and session management
Firebase Analytics	Performance/Analytics	Yes (unless anonymized)	Screen views, feature usage, session duration
Firebase Crashlytics	Functional	Debatable (legitimate interest possible)	Crash reports and error diagnostics
Google AdMob	Advertising	Yes (behavioral advertising)	Personalized advertisements
flutter_secure_storage	Essential (local only)	No (on-device storage)	Encrypted token storage

11.3 Consent Management (EU ePrivacy & GDPR Compliance)

For users in the EU/EEA, we implement consent mechanisms compliant with:

ePrivacy Directive (2002/58/EC): Consent required before storing/accessing information on devices (cookies, identifiers)
GDPR Article 7 & Recital 32: Consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give
EDPB Guidelines 05/2020: Consent for cookies and tracking technologies

Consent Mechanisms:

First Launch: Mobile app requests consent for non-essential tracking (analytics, personalized ads) before SDK initialization
Granular Choices: Users can accept/reject different categories (analytics, advertising) separately
Easy Withdrawal: Consent can be withdrawn anytime via:
- Device settings (iOS/Android privacy controls)
- Contacting us at [email protected]
- In-app privacy settings (future implementation)
No Cookie Walls: We do not deny service if you refuse non-essential cookies/tracking

11.4 Third-Party Tracking

We do not allow third-party advertising networks to place tracking cookies on our web application. Mobile SDKs (Firebase, AdMob) are configured to respect user consent preferences.

EU Users: Under the ePrivacy Directive and GDPR, you have the right to refuse cookies and tracking technologies. We respect "Do Not Track" signals and consent preferences. Essential functionality will remain available regardless of consent choices.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

New features or services
Changes in laws or regulations
Improvements to our data practices

Notification: We'll notify you of material changes by:

Updating the "Last Updated" date at the top of this page
Posting a notice in the app (for significant changes)
Sending an email to your registered address (where appropriate)

Continued use of Story Of The Day after changes indicates acceptance of the updated policy.

Version History

Date	Version	Changes
13 Oct 2025	2.1	Enhanced EU/GDPR Compliance: Added detailed legal bases (Art. 6), comprehensive user rights (Art. 15-22), international transfer safeguards (SCCs, Art. 44-50), data breach notification procedures (Art. 33-34), ePrivacy Directive compliance, DPA contact information, automated decision-making disclosures
13 Oct 2025	2.0	Unified web & mobile privacy policies; added comprehensive mobile SDK disclosures; enhanced user-friendly formatting
13 Oct 2025	1.2	Added Third-Party Processors section
13 Oct 2025	1.1	Added mobile analytics, crash reporting, advertising details
13 Oct 2025	1.0	Initial detailed privacy policy