Privacy Policy

Last updated: 2026-05-22

At A Founder's Friend (operated by Storyroots Oy), we're committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you use our web application, in line with the General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (1050/2018).

1. Data Controller

The controller responsible for processing your personal data is:

Storyroots Oy

Business ID: 3471847-8

Niemenmäentie 8 A 9

00350 Helsinki, Finland

nicolas@getstoryroots.com

2. Personal Data We Collect

Account data

Email address and authentication credentials (or Google OAuth identifier)
Full name, username, avatar, pronouns, title, company, location, website, bio

Story content you create

Story roots: titles, transcripts, source recordings or uploaded documents
Generated stories and platform-specific variants, including cover images
Tone profiles, custom prompts, skills, story types, supporting assets
Contacts you add (names, optional emails, phone numbers, roles) for attribution and transcription keyterms
Ikigai-style profile answers and bio styling

Billing data

Subscription status, plan, billing period, quota usage
Payment metadata (Stripe customer ID, last payment events) — we do not store full card numbers

Technical data

IP address and user agent (for security monitoring)
Basic server logs and error reports

3. How We Collect Data

We collect data directly when you create an account, fill in your profile, upload recordings or documents, generate stories, or contact us. Technical data (IP, user agent, logs) is collected automatically when you interact with the service.

4. Legal Basis for Processing

Contract (Art. 6(1)(b))

To provide the service: hosting your stories, generating AI content you request, and processing your subscription.

Consent (Art. 6(1)(a))

When you choose to publish a story to a public profile, or when you opt in to product updates. You can withdraw consent at any time.

Legitimate interest (Art. 6(1)(f))

Security monitoring, fraud prevention, and improving stability. We minimise the data we collect and balance it against your privacy rights.

Legal obligation (Art. 6(1)(c))

Tax, accounting, and responses to lawful requests from authorities.

5. How We Use Your Data

Service delivery: hosting your story library and generating AI content you request
Billing: managing your subscription, quota, and invoices
Public profile: displaying stories you publish to your /profile/username page
Support: responding to your inquiries
Security: preventing fraud and abuse
Legal compliance: tax records, responses to authorities

6. Sub-processors & Third Parties

We rely on the following processors to operate the service. Each operates under a Data Processing Agreement.

Lovable Cloud (Supabase)

Database, authentication, file storage, and serverless functions. Our primary backend.

Processes: account data, story content, transcripts, uploads, billing metadata, server logs.

Data location: European Union (Frankfurt).

Privacy: supabase.com/privacy

Lovable AI Gateway

Routes AI requests to underlying providers (currently Google Gemini and OpenAI GPT models) to generate story content, summaries, platform variants, and bios from inputs you provide.

Data processed: the story text, transcripts, or prompts you send through AI features. We do not send your user ID or email as explicit identifiers, but your name may appear if it's part of your content.

Sub-processors: Google (Gemini), OpenAI (GPT). New providers will be added only after this policy is updated.

ElevenLabs

Speech-to-text transcription for audio recordings you upload.

Data processed: audio files and resulting transcripts. Audio is transmitted from our storage to ElevenLabs and processed under their standard retention policies.

Privacy: elevenlabs.io/privacy

Stripe

Payment processing, subscription management, and tax compliance.

Data processed: name, email, billing address, payment method details (card data handled directly by Stripe — we never see your full card number), country, and tax identifiers if you provide them.

Privacy: stripe.com/privacy

Google (Sign in with Google)

Optional authentication method.

Data processed: Google account ID, email, name, and profile picture (when you authorise sharing).

Privacy: policies.google.com/privacy

7. Cookies & Local Storage

We use strictly necessary cookies and browser local storage to keep you signed in (Supabase auth session) and remember UI preferences such as theme. We do not use advertising or cross-site tracking cookies.

8. Data Retention

Account & content: kept while your account is active. You can delete stories at any time, and request full account deletion by emailing us.
Audio uploads: stored only as long as needed for transcription and your reference. You can delete them at any time.
Billing records: retained for the period required by Finnish tax and accounting law (typically up to 6 years after the end of the fiscal year).
Server logs: retained for short-term security monitoring (typically 30–90 days).

9. Your Rights Under GDPR

You have the right to:

Access a copy of your personal data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability in a machine-readable format
Object to processing based on legitimate interest
Withdraw consent at any time, where processing is based on consent

To exercise these rights, email nicolas@getstoryroots.com. We will respond within 30 days.

10. Data Security

Data is encrypted in transit (HTTPS/TLS) and at rest. Database access is restricted by row-level security policies that scope reads and writes to the authenticated user. We follow the principle of least privilege for service-role keys and rotate credentials when needed.

11. International Data Transfers

Our primary data storage is in the EU (Frankfurt). Some processors (Stripe, ElevenLabs, OpenAI, Google) are based in the United States. Transfers to these providers rely on Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework where applicable.

12. Children's Privacy

The service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. AI Processing of Your Content

When you use AI features (story generation, platform variants, bio generation, transcription), the relevant content you provide is sent to the AI providers listed in Section 6 to produce the requested output.

You remain in control: AI features run only when you trigger them.
We do not use your story content to train third-party AI models.
Generated outputs are stored in your account so you can edit and reuse them.
Automated decisions producing legal or similarly significant effects are not made by the service.

14. Payments

Subscription payments are processed by Stripe. Stripe collects and stores your card details directly — we only receive a customer identifier, the subscription status, and limited metadata (last 4 digits, country, billing period). For invoices, receipts, or to update your payment method, use the "Manage subscription" button on the Billing page, which opens the Stripe customer portal.

15. Changes to This Policy

We may update this policy as the service evolves. Material changes will be announced in-app or by email. The "Last updated" date at the top reflects the current version.

16. Contact & Supervisory Authority

For any privacy question or to exercise your rights, contact nicolas@getstoryroots.com.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi.