Privacy Policy

Your privacy is at the heart of our service. In this document, we want to explain you as clearly and transparently as possible which data we collect from you and how we use it.

Last modified: October 14, 2021

Information You Provide

1. Newsletter

If you sign up for the newsletter on our homepage, we need a valid email address from you, which we store for the sole purpose of sending you updates about StoryArk. In order to verify that the email address actually belongs to you, we will send you an email with a confirmation link to the address you've given us when signing up for the newsletter (so-called "double opt-in"). By clicking on the confirmation link you agree that we're allowed to store the given email address and use it to send you newsletters, but for nothing else. Because we're processing your email on the legal basis of your explicit consent, you will find a link to unsubscribe from our mailing list in every email we're sending out. Once you've unsubscribed, we will delete your email address from our systems at latest 45 days after you've unsubscribed. Additionally, you can use the contact details at the end of this document to request a deletion of your data.

2. Account/Profile Information

In order to use our service, you need to create an account with us. When signing up for StoryArk in the app, we require certain information from you without which we cannot offer our service. For example, you have to authenticate yourself to us with your email address. You don't need to create and remember a password to sign into StoryArk. By default, we're sending you so-called "magic links" to your email inbox, which contain a temporary password that will log you in when you click them.

If you prefer a more classic sign-in flow, you can also set a password inside the StoryArk app. We will store your password only after we've "hashed" it, which is an irreversible transformation of your password. In short, it means, that we don't know your password, but we can use the hashed version to determine whether the password given when signing in matches the one previously set. That is, because the same input (given password when signing in) to a hash function will always result in the same output (hashed version of the password you've set and is stored with us).

When do you get emails from us?
As written above, we use your email currently only to send you a temporary password ("magic link") when you want to sign into StoryArk in the app. In the future, it will be possible for you to configure notification settings in the app and if you wish so, we're going to use your email address to e.g. inform you about new content in your network, or about new group join requests. We will use the email address you've registered with also to inform you about changes to our services or this policy.

When you're creating a new StoryArk account, we ask you for a unique username (e.g. "@tim1980") and a profile name (e.g. "Tim Miller"). Optionally, you can also upload a photo of you (avatar picture). All three information are supposed to make it easier for your friends to recognize you and they will be displayed to all users that you're in a group with together. You can use your real name as profile name, but can also opt to choose a pseudonym.

In contrast to other similar services, your profile information is NOT considered public and we will only share it with other StoryArk users that either are in the same group as you or want to join a group you're already a member of. But, unlike most of your other content, it is not end-to-end encrypted.

3. Your Network

Contrary to what you may be used from other services, we refrain from reading out the contacts in the address book on your phone. In our opinion, the added convenience is completely disproportionate to the resulting privacy issues, because you're not only giving away information about you but also about your contacts. In StoryArk, the only way to connect with your friends is by creating a new (maybe temporarily) empty group and sending them an invitation link. We find it a very convenient way to invite whole groups from your favorite chat app (e.g. WhatsApp) by creating a corresponding StoryArk group and posting the invitation link in the group chat.

Groups that you've joined or created are associated with your account. We also store when you send out a join request, join a group or when you leave a group. We use this data to control access permissions to the content shared with the group, so we require it to offer our service to you.

4. Your (Shared) Content

With StoryArk, we've created a private space for you and the people you care about (close friends and family), where you feel safe to share your photos. And when we say "friends" we mean people you would invite into your living room and not someone you've met 10 minutes ago. So while sharing your content on StoryArk is definitely something else than posting it on Instagram or Twitter, the same warnings apply: As soon as you give someone else access to some pictures, it is out of control what happens to them next. They can be re-shared on StoryArk or even another platform. So think twice before you give photos out of your hand.

Having said that, we do a lot to keep your personal data as secure as possible by encrypting it before it leaves your device (i.e. end-to-end encryption). This means, that we as your service provider have at no point in time access to your unencrypted content. Because for this reason it is not possible for us to know, whether files you've uploaded are considered personal data or not, we treat all of them as if they are, making sure that they are securely stored in European data centers. Unfortunately, all good things come with a price: As all of your data is encrypted, we cannot recover it if you lose your master key. That's why we urge you to export it after setting up your account.

The following data are stored end-to-end encrypted at StoryArk:

  • All your uploaded photos in their original form, but also their corresponding thumbnails (created on your device) and iOS live photo video data,
  • titles of your albums and timeline entries,
  • metadata of your photos (width, height, creation data, location data, EXIF data),
  • the blur hash of your photos (see here for an explanation what this is),
  • a SHA256 hash of your original file (to make it easier to detect duplicates in your data),
  • the names you give to your groups (they are not shared with other users by the way),
  • encryption keys for single items (every photo, entry, album is encrypted with its own encryption key, generated on your device),
  • your comments and reactions.

There are also data, that we must store unencrypted to provide our service to you:

  • The size of your uploaded (encrypted) files so that we can calculate the amount of storage space you're using,
  • the modification dates of your content to correctly synchronize your data across multiple devices,
  • your profile name, user name and avatar image,
  • deletion status of photos, albums, timeline entries, etc.
  • with which groups you've shared content (timeline entries, albums, comments) with,
  • creator and members of groups and their creation date (see above for the reasoning behind this).

Automatically Collected Information

1. Your Approximate Location

Every time you start a new StoryArk login session or open the app after a while without using it, we associate your login session with the current time and your current IP address. We later derive your approximate location from it (see here for an explanation how this works) by using a freely available geolocation database, when you open the list of active login sessions in the app. We do this to ensure the safety of your account, because it allows you to more easily identify login sessions that were not started by you. This information is removed when you close the session (sign out). Our legal basis for the processing of this data is a legitimate interest to ensure the stability and overall security of our system.

2. App version, Language

When you first create an account, the app transmits the preferred language used on your device to our servers. We use this information to determine the language for the following email communication (confirmation mail, temporary login link, etc.)

Whenever the StoryArk app is opened and connects itself to our servers, it automatically transmits your current app version to our servers. We use this information to ensure the integrity of your data and need it to offer you our service. This information is dropped after the connection was successfully established.

3. Log data

Whenever you visit our homepage or when the app executes API requests (upload data/login/etc.) the app (or your browser) automatically transmit some general information to our servers:

  • Your IP address (and derived from that your internet provider and approximate location),
  • the user agent of your browser or app (e.g. "StoryArk/0.0.33 ios/15.0 (iPhone)", which contains the app version, platform and OS version, and device name),
  • when the access took place (timestamp),
  • the HTTP status code and the amount of transferred data,
  • the URL of the website you were coming from if you've followed a link to our website (so-called "referer").

We use this information to improve our service, to ensure the stability of the system (e.g. to determine the origin in case of an attack on our service), and to find and remove bugs. We do this on the legal basis of a legitimate interest to keep our service up and running.

We delete this data at latest 90 days after the access happened.

4. Cookies

We're using one session cookie for authenticating you in the app. It will be deleted when you sign out of the app.

We don't use any cookies at all on our homepage.

Your rights

1. The right to access

You have the right to request copies of your personal data.

2. The right to rectification

You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.

3. The right to erasure

You have the right to request that we erase your personal data, under certain conditions.

4. The right to restrict processing

You have the right to request that we restrict the processing of your personal data, under certain conditions.

5. The right to object to processing

You have the right to object to our processing of your personal data, under certain conditions.

6. The right to data portability

You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us (see below for contact details.)

If you've given us your consent to process your personal data, you have the right to revoke it at any time with effect for the future.

Data processors

In general, we process your data ourselves, but we rely on several data processors (hosting, email delivery) to offer our services, with whom we have closed data processing agreements:

Receiver of your personal data may be any one of our data processors.

Updates to our policy

We may update this privacy policy from time to time. It's most up-to-date version will always be accessible at the current URL. We will inform you about changes to this policy either via email or within the StoryArk apps.

Contact Us

In case you have questions about this privacy policy or want to execute your rights outlined above, you can reach our data protection officer