Skip to content
AudaStories

Privacy

Last updated 21 April 2026.

We keep this short and practical. If anything here is unclear, email [email protected].

This service is not directed to users under 13.

Who we are

AudaStories is operated by Explorer Innovations Ltd, a company registered in England and Wales (company number 14639977). We are the data controller for the personal data described below.

What we collect

  • Account identifier. On first launch we create an anonymous Firebase user so your library and usage can persist across sessions on the same device. No personal data is collected at this stage. If you later sign in, the identifier is either the email address you sign up with, or the opaque subject identifier Apple or Google gives us if you sign in through them. We do not receive your real Apple or Google email unless you choose to share it, and signing in preserves the same identifier so your unlocks and usage stay attached.
  • Library activity. Which stories you have unlocked (opened), saved, started, or finished, and your playback position. This lives in your account so it follows you between devices.
  • Monthly listening usage. A per-month count of minutes used against your free or Plus quota. Stored as one document per calendar month under your user id so the counter resets automatically at month rollover.
  • Consent events. A timestamped record of what you have agreed to (the cookie banner, marketing, analytics). We keep these so we can prove we asked.
  • Analytics, only with consent. If you opt in, we record aggregate product events (story started, tier picked, search term) in Firebase Analytics, Google Analytics 4, and PostHog. No SDK initialises until you opt in.
  • Google Signals. If you have opted in to analytics and you are signed in to a Google account that has personalisation turned on, GA4 may use Google's identity graph to add aggregate demographics (rough age band, interests) and to recognise you across devices. This stays inside GA4 reporting; we do not use it for advertising. Turn it off any time in your Google account at myaccount.google.com.
  • Error reports, scrubbed. We use Sentry to catch crashes. Email, name, and IP are stripped before the report is sent.
  • Subscription state. If you buy Plus, RevenueCat holds the entitlement alongside your account identifier. Apple and Google hold the payment data. We never see your card.

Where it lives

Firestore, in the europe-west region. Backups live in Google Cloud Storage in the same region. Analytics data, if you have opted in, sits with the relevant processor (see the list below).

Legal basis (UK and EU GDPR)

  • Legitimate interest for the stuff we need to run the service: your account, your library, crash reports scrubbed of identifiers, fraud protection.
  • Consent for analytics, marketing emails, and non-essential cookies. Withdraw any time in the settings screen or the cookie banner.
  • Contract for subscription processing when you buy Plus.

Your rights

Under UK and EU data protection law you have the right to:

  • Access the personal data we hold on you.
  • Have it rectified if it is wrong.
  • Have it erased. "Delete my account" in Settings does this in one tap.
  • Export it. "Export my data" in Settings emails you a JSON bundle within 24 hours.
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

For any of these, use the in-app tools or email [email protected]. We respond within 30 days.

How long we keep things

  • Account and library: until you delete the account.
  • Consent events: six years, to cover regulator queries.
  • Analytics: 14 months, then deleted automatically.
  • Crash reports: 90 days.
  • Firestore backups: 30 days rolling, plus a weekly snapshot for six months.

Sub-processors

  • Google Cloud (hosting, Firestore, Cloud Storage), europe-west region.
  • Firebase (authentication, analytics, crash reporting), part of Google.
  • RevenueCat (subscription management).
  • Sentry (error reporting, identifiers scrubbed).
  • PostHog (product analytics, EU region, consent-gated).
  • Inworld (text-to-speech synthesis).

We have data processing agreements with each of them.

Cookies

On the website:

  • audastories_consent (essential, 12 months): stores your cookie banner choice.
  • __session (essential, session): sign-in state when you use the web app.
  • _ga, _ga_* (analytics, 14 months, opt-in): Google Analytics 4 (also set by Firebase Analytics on the web app).
  • ph_* (analytics, 12 months, opt-in): PostHog.

Non-essential cookies only fire after you click accept on the banner.

Contact

Questions, requests, or complaints: [email protected]. Takedown requests have their own process on the takedowns page.

Changes to this policy

We will update this page when anything material changes and note the date at the top. For significant changes we will also tell you in the app before they take effect.