Skip to main content
StoryUnic

Privacy Policy

Last updated: June 1, 2026

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Storyunic app and related services.

Controller Notice

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Storyunic app and related services. Full controller identity and privacy contact details are listed in Section 16 and on the public Impressum page.

Scope

This Privacy Policy applies to personal data processed through the Storyunic app and related services.

Data We Process

Account and identity data:

  • Firebase user ID
  • email address (if provided)
  • display name (if provided)
  • sign-in provider metadata (email/google/apple/anonymous)

Profile and app preference data:

  • app language and selected settings
  • legal consent metadata (terms/privacy version, acceptance timestamp, locale, source)

Story creation and content data:

  • story inputs you provide (for example child name or nickname, age range, themes, tone, moral, voice, duration)
  • prompts generated by the app to produce your story
  • generated story text, images, and audio assets
  • story metadata (timestamps, status, generation info)

AI processing disclosure: To generate stories, selected data is sent to third-party AI processing systems, including prompt content and selected parameters (for example language, tone, voice, and duration). If you include personal data in prompts, that data may also be transmitted for processing.

Subscription and purchase-related metadata:

  • entitlement and subscription status
  • product identifier, renewal or cancellation status, expiry metadata
  • credit balance and credit transaction metadata

Payments are processed by Apple/Google; we do not receive full payment card numbers.

Device, session, and technical data:

  • app version, platform, locale, timezone, device model (where available)
  • persistent device identifier used for anti-abuse and onboarding credit control
  • push token and token metadata
  • diagnostic or security logs and error records

Support data:

  • support ticket content and support conversation messages
  • account identifiers needed to resolve requests

Analytics data: in-app analytics events and usage telemetry used to measure app performance and feature quality.

Story asset storage: generated assets are typically stored in cloud infrastructure under your account scope, including Firestore documents and Cloud Storage paths.

Purposes and Legal Bases (GDPR Art. 6)

We process data for the following purposes:

  • Contract performance (Art. 6(1)(b)): account access, story generation, sync, subscription features, support.
  • Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, abuse prevention, reliability, and debugging.
  • Legal obligations (Art. 6(1)(c)): accounting, tax, legal compliance, and legal defense.
  • Consent (Art. 6(1)(a)) where required by law or platform policy.

AI Data Use and Model Training Transparency

Storyunic does not intentionally use your prompts, stories, or generated assets to train its own foundation models.

Third-party AI providers (including Google Gemini) process submitted generation data to provide outputs. Provider-side retention and potential secondary use are governed by the relevant provider terms, data processing terms, and legal obligations.

Where available, we use provider configurations intended to limit use of customer content for generalized model training, but providers may still process limited data for safety, abuse monitoring, and legal compliance.

Child Data and Prompt Minimization

Storyunic is a family storytelling app, but account ownership and legal decisions are intended for adults.

  • We strongly recommend using nicknames instead of real child names.
  • Do not submit photos of children or sensitive personal data in prompts.
  • If you submit personal data about a child or third party, you are responsible for having a valid legal basis and any required consents.

Recipients and Processors

We use processors and service providers to operate the app, including:

  • Google Firebase (Auth, Firestore, Functions, Storage, Messaging, Analytics)
  • Google AI services (Gemini) for generation workloads
  • RevenueCat (subscription entitlement and billing metadata handling)
  • Apple and Google app store ecosystems (purchase and platform-level account systems)

We share only what is necessary to provide and secure the service.

International Data Transfers

Data may be processed outside Germany/EEA (including the US) by our processors. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses and/or recognized adequacy mechanisms (including participation under the EU-US Data Privacy Framework where applicable).

Retention

We retain personal data only as long as needed for the purposes above:

  • Account, profile, story records, and story assets: generally until account deletion is requested or account is otherwise removed.
  • Support data: generally up to 24 months after ticket closure unless longer retention is needed for legal claims.
  • Security and technical logs: generally up to 12 months unless longer retention is required for incident or legal handling.
  • Billing and accounting evidence: retained as required by applicable legal obligations.

When account deletion is completed, we remove active account-scoped records and associated storage objects, subject to limited backup retention and legal retention duties. Backups may persist for a limited period before automatic overwrite.

Analytics, Tracking, and Platform Permissions

We currently use Firebase Analytics for in-app product and reliability metrics. We do not currently run personalized ads based on cross-app tracking identifiers.

Storyunic currently does not request iOS App Tracking Transparency (ATT) permission for ad tracking. If this changes in the future, we will request the required platform permission before enabling such tracking.

There is currently no dedicated in-app analytics toggle; you can limit data processing by stopping use of the service and requesting account deletion.

Your Rights

Under GDPR, you may have rights to:

  • access
  • rectification
  • erasure
  • restriction
  • portability
  • objection
  • withdrawal of consent (where consent is the legal basis)
  • complaint to a supervisory authority

To exercise rights, contact: info@ahmeterentosun.com. You can also initiate account deletion in-app or through our account deletion page.

Personal Data Breach Notification

If a personal data breach occurs, we follow GDPR obligations, including notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware when required.

Where the breach is likely to result in a high risk to individuals, we will notify affected users without undue delay as required by GDPR Art. 34.

Supervisory Authority

You can lodge a complaint with a data protection authority, including: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI).

Security Measures

We apply technical and organizational safeguards appropriate to risk, including access control, authentication controls, encrypted transport, and security monitoring. No system is 100 percent secure, but we continuously improve safeguards.

Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or business changes. Updated versions will include a new effective date and version.

Controller Identity and Contact

Ahmet Eren Tosun (sole proprietorship), Am Tierpark 25, 10315 Berlin, Germany. Privacy contact: info@ahmeterentosun.com. Initial response target for privacy requests: within 7 days. Formal GDPR response timeline: up to 1 month (extendable where legally allowed).