Storydeck to help you remember
Menu
  • Pricing
  • Join the waitlist
  • Sign in

Storydeck Privacy Policy

Effective: May 9, 2026 · Last updated: May 9, 2026 · Version: 1.0

The short version

Storydeck helps you remember the people, places, moments, and stories that matter to you. To do that well, we have to handle some of your most personal information thoughtfully. Here's the honest summary:

  • Storydeck is for U.S. residents only. We don't offer the service outside the United States.
  • Storydeck does not sell your data or use it for advertising. We do not sell personal information, share it for cross-context behavioral advertising, or build advertising profiles.
  • We use AI providers, and AI processing has limits. Storydeck sends relevant decrypted content to AI providers when you use AI features. We do not intentionally allow AI providers to train on your content, but our providers may retain, process, review, or use limited data under their own API, safety, abuse-monitoring, legal, or security policies. We do not currently have special zero-data-retention agreements with these providers.
  • Your journal entries and life stories are encrypted at rest. When you use AI features, we briefly decrypt the relevant content in server memory so the feature can work. We do not intentionally save decrypted journal entries, except limited security logging described below when our AI firewall detects possible abuse or prompt-injection attempts.
  • You control what you enter. Storydeck is a memory and journaling product. You may choose to enter highly sensitive information, including health, financial, family, identification, relationship, or other personal details. We cannot control what users enter, and we cannot promise that AI systems or software systems will never expose, infer, mishandle, or misinterpret sensitive content.
  • You can request access, correction, export, or deletion. Write to [email protected]. At launch, these requests are handled manually by Storydeck personnel.
  • We use analytics and security tools. We collect first-party usage, security, performance, and product-health data. We may also use Cloudflare analytics, security, bot-detection, and traffic tools. We do not use advertising trackers.
  • No system is perfectly secure. We work hard to protect your memories, but we cannot guarantee perfect security, perfect privacy, or perfect AI behavior.

The detail below covers each of these in full. If you find any of it unclear, write to us at [email protected].

1. Who this policy applies to

This Privacy Policy describes how Storydeck LLC, a Kansas limited liability company ("Storydeck," "we," "us"), collects, uses, and shares information when you use storydeck.co or any related Storydeck-operated service (the "Service").

Storydeck is offered to residents of the United States only. When you create an account, you confirm that you are located in the United States and are at least 18 years old. We do not knowingly accept users outside the U.S. or under 18, and we do not direct the Service to such users. If you are accessing the Service from outside the United States, please do not register an account.

If you do not agree to this Privacy Policy, please don't use the Service.

2. Notice at collection

When you create an account or use Storydeck, we collect the categories of information described in this Privacy Policy, including account information, profile information, memory content, usage records, security logs, email delivery records, payment records, support messages, and technical metadata.

We use this information to provide the Service, operate AI features, secure the Service, process payments, communicate with you, improve product quality, comply with law, and enforce our Terms.

By creating an account, you understand that Storydeck is a journaling and memory product and that you control what information you enter. You should not enter information you are not comfortable having processed by Storydeck, its infrastructure providers, and its AI providers as described in this policy.

3. What we collect

We collect several kinds of information.

3.1 Information you provide directly

  • Account information when you sign up: your email address, name, and authentication credentials. We use Auth0 to handle login — see Section 6.
  • Profile information that you choose to share during onboarding or in your account settings: preferred name, birth date, birth place, current city, family relationships, hobbies, occupation, favorite foods, music, and similar details. You can edit or delete any of this at any time.
  • Memory content you create in the Service: journal entries, knowledge-base entries, people, places, important dates, pets, life stories, flashcards, and other text you choose to store.
  • Beta feedback, if you choose to submit it through the in-app feedback panel.
  • Payment information if you subscribe to a paid plan: handled directly by Stripe; we never see or store your full card number.
  • Support messages when you contact us by email or another support channel.

Because Storydeck is a journaling and memory product, the content you enter may include highly sensitive information. This could include health information, financial information, government identifiers, relationship details, family history, private memories, or other personal details. You decide what to enter. Storydeck does not require you to enter sensitive information, and you should avoid entering information you are not comfortable processing through the Service and its AI features.

3.2 Information generated by your use of the Service

  • Usage records: which features you use, when, and how often. We use this to understand product health and to bill our AI providers correctly. Per-user AI usage records may include token counts, latency, model used, estimated cost, and related operational details.
  • Audit and security logs: records of authentication events, AI-firewall decisions, flagged security events, and administrative actions on your account.
  • Email delivery logs: when we send you a transactional email, such as welcome messages, password resets, account changes, or billing notices, we log that we sent it. Depending on the provider and event type, delivery logs may include recipient, subject, delivery status, bounce status, and related metadata.
  • Server logs: HTTP requests, errors, performance metrics, IP address, User-Agent string, request metadata, and similar technical information.
  • Analytics and product-health data: page views, feature usage, button clicks, session metadata, errors, latency, and related product-performance information.

We do not use this information to build advertising profiles or serve targeted ads.

3.3 Information from third parties

  • Auth0 sends us your verified email and a unique account identifier when you sign in. Auth0 may also send us role information you've been granted, such as admin or beta tester, and metadata about the authentication event itself, such as MFA status.
  • Stripe sends us subscription status, plan, invoice, billing, tax, and payment event records when you subscribe, change your plan, cancel, or have a payment issue. We never receive your full card number.
  • Cloudflare may provide traffic, security, bot-detection, challenge, analytics, and request metadata.
  • Email providers may provide delivery, bounce, complaint, and suppression information.

We do not buy data about you from data brokers, advertising networks, or other third-party data sources.

4. How we use your information

We use the information described above to:

  • Run the Service. Authenticate you, store your memories, render them back to you, generate AI responses you ask for, send you transactional emails, and charge you correctly if you're on a paid plan.
  • Operate AI features. Retrieve relevant memory content, generate embeddings, produce AI responses, create titles, extract entities, generate flashcards, and provide similar AI-assisted features.
  • Improve the Service. Diagnose bugs, understand product health, plan features, measure performance, and improve usability.
  • Protect the Service. Detect abuse, prevent attacks, identify bots, enforce rate limits, investigate prompt-injection attempts, comply with security obligations, and preserve forensic evidence.
  • Communicate with you. Send account-related notifications, security alerts, billing notices, and important product changes. You can't opt out of essential transactional emails for as long as your account is active. If we add a marketing newsletter, it will be opt-in.
  • Comply with legal obligations. Respond to lawful subpoenas, court orders, and law-enforcement requests; keep records required by law; and enforce our Terms of Service.

We do not sell your information, share it for cross-context behavioral advertising, or use it to build advertising profiles.

5. Analytics, cookies, and tracking

Storydeck uses analytics and logging to understand whether the Service is working, improve product quality, detect abuse, measure performance, and operate paid features.

We may collect:

  • pages or features used,
  • button clicks or product events,
  • account and session metadata,
  • IP address,
  • browser and device metadata,
  • referral or campaign source,
  • approximate location derived from IP address,
  • errors, latency, and performance metrics,
  • AI usage metrics such as token counts, model used, latency, and estimated cost.

We do not use this information to build advertising profiles or serve targeted ads.

Some privacy laws use words like "tracking," "sharing," or "sale" in specific ways. In this policy:

  • Analytics means measuring how the product is used and performing.
  • Security tracking means detecting abuse, attacks, fraud, bots, and suspicious traffic.
  • Advertising tracking means following users across sites or apps to build ad profiles or target ads.

Storydeck may use analytics and security tracking. Storydeck does not use advertising tracking.

Some providers, including Cloudflare, may use cookies, browser signals, request metadata, or similar technologies for security, bot detection, traffic management, analytics, or abuse prevention. We do not use these tools for targeted advertising.

6. AI processing — the honest version

This is the section that matters most for a journaling product, so it gets its own page.

6.1 What "AI features" means in Storydeck

AI features may include:

  • Chat with your memories: you type a question; we search your content, decrypt relevant matches, send those matches and your question to an AI provider, and show you the answer.
  • Automatic titles for journal entries you didn't title.
  • Entity extraction: scanning a journal entry to suggest people, places, dates, pets, and other details that may match your knowledge base, so you can confirm and link them.
  • Memory-powered flashcards: generating practice cards from your knowledge base content.
  • Embeddings for search: when you save a journal entry or story, we generate a numerical "embedding" so we can later find related content. The embedding itself is not human-readable text, but it is derived from your content.
  • Safety and abuse review: scanning AI-bound requests for prompt-injection, jailbreak attempts, and similar adversarial content.

6.2 Where your content goes

  • Anthropic (Claude) receives relevant decrypted content and your prompt for chat, titles, entity extraction, flashcards, and related AI features.
  • OpenAI receives relevant decrypted content for embedding generation and search-related features.

We do not intentionally permit these providers to train models on Storydeck user content. However, Storydeck currently uses standard API access and does not have special zero-data-retention or custom retention agreements with these providers. That means AI providers may retain, process, review, or use limited data under their own API terms, safety policies, abuse-monitoring policies, legal obligations, or security practices.

Provider policies may change, and provider-specific retention may vary by feature, endpoint, model, account type, or agreement. If this level of AI-provider processing is not acceptable to you, you should not use Storydeck's AI features.

6.3 The encryption story, told honestly

Your journal entries and life stories are encrypted at rest using AES-256. When you use an AI feature, Storydeck decrypts the relevant content in server memory, sends it to the AI provider over an encrypted connection, receives the response, and discards the decrypted copy from ordinary application flow.

We do not intentionally save decrypted journal entries to disk or ordinary logs. The limited exception is security logging described in Section 7.4, where our AI firewall may log flagged text and a small amount of surrounding context when content appears to contain prompt-injection, jailbreak, abuse, or similar adversarial material.

6.4 How we hold encryption keys

Each user has a personal encryption key. We never store that key in plaintext in our database. Instead, we store it wrapped, meaning re-encrypted, by a master key managed through Amazon Web Services Key Management Service (AWS KMS).

To decrypt your content, our application calls AWS to unwrap your key, holds the unwrapped key in memory only as long as needed, and then discards it. A compromise of our database alone should not be enough to read encrypted memory content; an attacker would also need to compromise the systems or access controls needed to unwrap keys. Key-management events may be logged for investigation and security review.

6.5 What Storydeck does not intentionally do

  • We do not sell your content.
  • We do not use your content for advertising.
  • We do not intentionally allow AI providers to train models on your Storydeck content.
  • We do not share your content with data brokers.
  • We do not read journal entries as part of ordinary operations.

However, because Storydeck uses AI providers and internet-based infrastructure, we cannot promise perfect confidentiality, perfect security, or that AI systems will never expose, infer, misread, or mishandle information. We design the Service to reduce those risks, but we cannot eliminate them.

7. Who we share information with

We share information with the categories of recipients below, and only as necessary for the purposes listed.

7.1 Service providers and sub-processors

Storydeck relies on the following providers to operate. Each is expected to process information for the purposes described below and in line with applicable agreements, policies, or terms.

Provider Purpose Information shared
Auth0 (Okta, Inc.) User authentication, login, multi-factor authentication Email address, account identifier, authentication events, role claims
Anthropic, PBC LLM inference: chat, titles, entity extraction, flashcards, AI review Relevant decrypted content and prompts for the specific AI request
OpenAI, L.L.C. Embedding generation and search-related AI features Relevant decrypted content used to generate embeddings
Resend, Inc. Transactional email delivery Email address, subject, body, delivery metadata
Neon, Inc. Managed PostgreSQL database hosting Application database data, including encrypted memory content and metadata
Amazon Web Services, Inc. Key management through AWS KMS Key-wrapping and key-management metadata; plaintext keys do not leave AWS KMS
Fly.io, Inc. Application hosting and runtime Server logs, request metadata, deployment artifacts
Stripe, Inc. Payment processing and subscription billing Email, name, billing address, payment details, subscription records
Cloudflare, Inc. DNS, CDN, bot protection, Turnstile, analytics, security, traffic management IP address, request metadata, device/browser metadata, traffic patterns, security events
Google LLC Runtime delivery of Google Fonts IP address, User-Agent, request metadata
jsDelivr / CDN providers Runtime delivery of frontend assets used for beta feedback tooling IP address, User-Agent, request metadata

7.2 Legal compliance and protection of rights

We may disclose your information if required by a lawful subpoena, court order, or other legal process; if we reasonably believe it is necessary to protect the rights, property, or safety of Storydeck, our users, or others; or to investigate and address violations of our Terms of Service. Where the law allows and where doing so would not create risk or violate legal requirements, we will try to notify you before disclosing your information.

7.3 Business transfers

If Storydeck is involved in a merger, acquisition, sale of assets, financing, reorganization, or bankruptcy, your information may be transferred to a successor or acquirer, subject to the protections of this Privacy Policy or a replacement policy disclosed to you.

7.4 Security, abuse prevention, and AI firewall logging

Storydeck uses an AI firewall to scan AI-bound requests for prompt-injection, jailbreak attempts, malicious instructions, and other adversarial inputs.

If the firewall flags content as potentially harmful, we may log:

  • the flagged text segment,
  • a small amount of surrounding context,
  • the rule or model decision that caused the flag,
  • account and request metadata,
  • timestamps and technical diagnostic information.

We do this to protect the Service, investigate abuse, improve detection, and preserve forensic evidence. We do not log full journal entries for ordinary AI requests, and we limit access to these security logs.

Because users control what they enter, flagged content may contain sensitive personal information. Users should avoid entering secrets, passwords, Social Security numbers, bank account numbers, payment card numbers, or other highly sensitive information into Storydeck.

7.5 No advertising sale or sharing

We do not share your information for advertising, marketing sale, data-broker sale, or cross-context behavioral advertising.

8. How we protect your information

We use technical and organizational practices designed to protect your information, including:

  • Encryption at rest for journal entries, life stories, and similar memory content.
  • Encryption in transit for connections between you and the Service, and between the Service and our service providers.
  • Authentication via Auth0, with multi-factor authentication available where supported.
  • Key management through AWS KMS.
  • An AI firewall that scans AI-bound requests for adversarial content before they leave our systems.
  • Audit logging of administrative and security-sensitive actions.
  • Access controls designed to limit which Storydeck personnel can access user data, with administrative access logged.

No system is 100% secure. We cannot guarantee the absolute security, confidentiality, availability, or integrity of your information. What we can promise is to be honest about how we handle it, work to reduce risk, and notify you as required by applicable law if a security incident affects your data.

If you discover a security issue, please report it to [email protected]. We do not yet operate a paid bug-bounty program; we may credit reporters with permission.

9. How long we keep your information

Information Retention
Account information, including email and profile Until you delete your account, plus a limited period for recovery, legal, security, or operational needs
Journal entries, life stories, knowledge-base entries Until you delete the entry or your account, subject to backup retention, legal requirements, and security exceptions described below
Embeddings Until the related content or account is deleted, subject to backup retention
AI usage records, including token counts, billing data, model used, latency, and cost Retained as long as reasonably needed for billing, debugging, security, analytics, legal, tax, accounting, and operational purposes. We may delete, aggregate, or anonymize these records when they are no longer needed.
AI firewall logs — non-blocked content Retained as long as reasonably needed for debugging, security, abuse prevention, legal, and operational purposes.
AI firewall logs — blocked or flagged content Retained as long as reasonably needed for security review, abuse prevention, incident response, legal, and forensic purposes.
Server access logs Retained as long as reasonably needed for security, debugging, performance monitoring, abuse prevention, legal, and operational purposes.
Email delivery logs Retained as long as reasonably needed for support, deliverability, security, compliance, and operational purposes.
Payment records, subscriptions, invoices, tax records, and dispute records As required by U.S. tax, accounting, payment, and legal obligations, typically up to 7 years or longer if required
Backup database snapshots Retained according to our operational backup practices. At launch this may include provider-default backups; over time we may retain backups for more than one year for business continuity, disaster recovery, legal, or security reasons. Deleted user content may remain in encrypted backups until those backups expire or are overwritten.

When your account is deleted, your encrypted memory content, profile data, and embeddings are removed from active systems within 30 days after confirmation, unless retention is required for legal, security, fraud-prevention, dispute, or abuse-investigation reasons.

Deleted content may remain in encrypted backups until those backups expire, are overwritten, or are no longer reasonably available for restoration. If a backup is restored, we will take reasonable steps to re-delete previously deleted user content from the restored active system.

10. Your privacy rights

We extend the following rights to all U.S. users, regardless of which state's privacy laws may apply to you:

  • Access: request a summary of what information we hold about you.
  • Correction: correct inaccurate or incomplete information. Most fields are editable directly in your account settings; for anything you can't edit yourself, contact us.
  • Deletion: request deletion of your account and the personal information we hold for you, subject to limited exceptions for legally-required retention, security investigations, abuse prevention, disputes, payment records, and backup retention.
  • Access / export / data portability: request a copy of the information we hold about you in a machine-readable format, such as JSON.
  • Opt-out of sale or sharing: we do not sell or share your information for cross-context behavioral advertising. There is nothing to opt out of, but you have a standing right to confirm this is so.
  • Non-discrimination: we will not deny you the Service, charge you a different price, or provide a different level of service because you exercised any privacy rights, except where a requested deletion or restriction makes it impossible to provide the Service.

To exercise any of these rights, write to us at [email protected].

At launch, access, export, correction, and deletion requests are handled manually. Storydeck personnel will verify your identity and process the request using internal administrative tools.

The deletion code exists, but deletion is not currently self-service. An authorized Storydeck administrator must run the deletion process.

We will verify your identity using your account email plus a confirmation step before responding. We aim to respond within 45 days. If we need more time, we will tell you why and request an extension of up to 45 additional days, as state laws permit.

If you believe we have not handled your request properly, you may submit a complaint to your state attorney general.

Authorized agents. Where state law allows, you may designate an authorized agent to make a request on your behalf. We will require written proof of authorization and will verify your identity directly before fulfilling the request.

11. State-specific information

This Section 11 is provided for transparency. Storydeck is below the formal applicability thresholds for many U.S. comprehensive privacy laws today. Even where a law does not formally apply to us, we extend the rights in Section 10 uniformly to all U.S. users.

California

If you are a California resident, the categories of personal information we collect, sources, purposes, and disclosures are described in Sections 2, 3, 4, 5, 6, and 7 of this policy.

We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months and have no intention of doing so. We do not knowingly collect personal information from minors under 16.

Depending on what you choose to enter, Storydeck memory content may include sensitive personal information. We use such information only to provide the Service, operate AI features you use, secure the Service, comply with law, and perform the other purposes described in this policy.

Colorado, Connecticut, Virginia, and other comprehensive-privacy-law states

Sections 2, 3, 4, 5, 6, 7, and 10 provide disclosures related to collection, use, sharing, analytics, security, AI processing, and privacy rights.

Other states

Privacy law in the United States is evolving rapidly. We will update this section as new laws take effect and as our scale changes the formal applicability of each.

12. Children

Storydeck is not directed to anyone under 18, and no part of the Service is designed to attract minors. We do not knowingly collect, use, or disclose any information from a person under 18 years of age.

If we become aware that we have collected information from someone under 18, we will delete it as soon as reasonably possible. If you believe we have such information, please write to [email protected].

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change — one that affects what we collect, how we use it, who we share it with, or how AI processing works — we will:

  1. Update the "Last updated" date at the top of this page.
  2. Notify you by email or in-product notice before the new version takes effect, where practical.
  3. Where the change is material to a paid plan, give you a clear option to cancel before the new version takes effect.

For non-material changes, such as clarifications, formatting, contact-information updates, or corrections, we will update the policy and the "Last updated" date.

14. Contact

For questions, requests, or concerns about this Privacy Policy or how Storydeck handles your information:

  • Email: [email protected]
  • General inquiries: [email protected]
  • Security concerns: [email protected]

We aim to respond within five business days for general inquiries and within the timelines described in Section 10 for formal data-rights requests.

Effective date: May 9, 2026 · Version: 1.0 (initial publication)

Storydeck to help you remember
Pricing · Privacy · Terms · © 2026 Storydeck