Legal

Privacy Policy

How we collect, use, and protect your information. Your privacy matters to us.

Effective: February 14, 2026

Stories for Life is operated by Fillipe Massuda. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application at storiesforlife.app. Please read it carefully.

1. Information We Collect

1.1 Information you provide

  • Account data: When you register, we collect your email address and a hashed password. If you sign in with Google, we receive your name, email address, and profile picture URL from Google OAuth 2.0.
  • Story content: The journal entries you write, including the text and the date you assign to each entry.

1.2 Information collected automatically

  • Timezone: We store your browser's IANA timezone string in a first-party cookie so we can correctly determine “today” in your local time.
  • Authentication cookies: Session cookies managed by Supabase Auth to keep you signed in.
  • Server logs: Our hosting provider (Vercel) automatically collects IP addresses, browser type, referring URLs, pages visited, and timestamps.

1.3 Information we do not collect

  • We do not use tracking cookies, advertising pixels, or fingerprinting.
  • We do not collect location data beyond your timezone.
  • We do not collect payment or financial information.

2. How We Use Your Information

| Purpose | Legal basis (GDPR) |
|---|---|
| Provide, maintain, and improve the Service | Contract performance |
| Authenticate you and secure your account | Contract performance |
| Send transactional emails (signup, password reset) | Contract performance |
| Understand aggregated usage to improve reliability | Legitimate interest |
| Respond to support requests | Legitimate interest |
| Comply with legal obligations | Legal obligation |

We do not use your story content for advertising, marketing, profiling, or training AI/ML models.

3. How We Share Your Information

We do not sell, rent, or trade your personal data. We share data only with:

| Provider | Purpose | Data shared |
|---|---|---|
| Supabase (AWS US) | Database, authentication | Account data, story content |
| Vercel | Hosting, edge delivery | Server logs, static assets |
| Google OAuth | Optional sign-in | Auth tokens (if you choose Google) |
| Resend | Transactional email | Your email address, email content |

We may also disclose your information if required by law, court order, or governmental regulation, or if necessary to protect our rights, safety, or property.

4. Data Storage and Security

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase/AWS).
  • Row Level Security: Database policies ensure that only you can read, create, update, or delete your own stories.
  • Hashed passwords: Passwords are hashed using bcrypt; we never store plaintext passwords.
  • Access control: We follow least-privilege principles. Only the minimum personnel necessary have access to production infrastructure.

While we implement industry-standard safeguards, no system is 100% secure. We encourage you to use a strong, unique password and enable Google sign-in for additional security.

5. Data Retention

  • Active accounts: We retain your data for as long as your account is active.
  • Deleted content: When you delete a story, it is permanently removed from our database. Backups containing deleted data are purged within 30 days.
  • Deleted accounts: Upon account deletion, all your data is permanently removed within 30 days, subject to any legal retention requirements.
  • Server logs: Retained by Vercel per their standard retention period (typically 30 days).

6. Cookies and Local Storage

| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Authentication session | Session / 1 year |
| timezone | Essential | Correct "today" detection | 1 year |
| theme (localStorage) | Functional | Color palette preference | Persistent |

We do not use any third-party tracking cookies, advertising cookies, or analytics cookies.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

All users

  • Access: View all your stories and account data within the app.
  • Edit: Modify any of your stories at any time.
  • Delete: Delete individual stories or your entire account.
  • Export: Request a machine-readable copy of your data by emailing us.

European Economic Area (GDPR)

  • Right to rectification: Correct inaccurate data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restriction: Request we limit processing of your data.
  • Right to data portability: Receive your data in a structured format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

California (CCPA/CPRA)

  • We do not sell or share personal information for cross-context behavioral advertising.
  • You have the right to know what personal information we collect and how it is used.
  • You have the right to request deletion of your personal information.
  • We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, email us at hello@storiesforlife.app. We will respond within 30 days (or sooner where required by law).

8. International Data Transfers

Your data is processed and stored in the United States (via Supabase on AWS and Vercel). If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the US. We rely on Standard Contractual Clauses and the data processing agreements of our sub-processors to ensure adequate data protection for international transfers.

9. Children's Privacy

The Service is not intended for anyone under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights, we will notify affected users by email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. We will also notify the relevant supervisory authority where required.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect. The “Effective date” at the top of this page will be updated accordingly. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Data controller: Fillipe Massuda, Langley, BC, Canada