In a world where your data is constantly tracked, sold, and exploited, we believe storytelling should be different. Privacy isn't just a legal checkbox for us - it's a core feature that shapes every decision we make. From the moment you create your account to the stories you watch and share, we've built Stolly to protect your information by default, not as an afterthought.
Most platforms collect everything they can and ask questions later. We do the opposite: we only gather what's essential to run your account and keep the platform secure. Optional features like personalized recommendations, analytics, and AI training? They're off by default, and you control them completely. No hidden trackers, no selling your data to advertisers, no dark patterns designed to trick you into giving up your privacy.
What does this mean for you? It means your stories, your viewing habits, and your personal information stay yours. It means transparent controls that actually work. It means encryption that protects your data at every step. And it means you can trust Stolly to respect your privacy, not just promise it in fine print nobody reads.
Your data protection starts the moment you sign up and continues through every interaction with Stolly. Here's exactly how we keep your information secure.
We collect only what's necessary: your email address, date of birth for age verification, and basic account details. When you use the app, we track viewing activity, watch time, and interactions like likes or comments - but only to make the platform work and, if you opt in to personalization, to improve your experience.
What we don't collect: We don't access your contacts, we don't track your location unless you explicitly enable it for location-based features, and we don't monitor your browsing history outside Stolly. No hidden data harvesting, period.
Every piece of data you send to Stolly is encrypted in transit using TLS 1.3, the latest version of the TLS protocol. Once it reaches our servers, it's encrypted at rest using AES-256-GCM - the same standard used by banks and governments. Your password is stored only as a salted bcrypt hash, meaning even we can't see it.
All your data is stored on EU-based servers with GDPR-compliant hosting partners. We use PostgreSQL databases with row-level security policies, ensuring that data access is strictly controlled and audited. Our infrastructure is geo-redundant, meaning your data is backed up across multiple secure locations - but always within the EU/EEA.
Access to user data is restricted to a small team of engineers who need it to maintain the platform, and every access is logged and audited. We use role-based access controls, multi-factor authentication, and regular security reviews to ensure nobody can access data they shouldn't. We never give third parties direct access to your personal information.
Your data is used for three main purposes: running your account (login, content delivery, security), improving the platform (bug fixes, performance optimization), and - only if you opt in - personalizing your experience through content recommendations. We also process data when legally required, such as responding to valid law enforcement requests or preventing fraud.
When you request account deletion, we start the process immediately. Most personal data is removed within 30 days. Some data must be retained longer for legal reasons - like financial records for tax compliance or security logs for fraud prevention - but we delete everything we legally can as quickly as possible. You can also request deletion of specific data types without closing your account.
| Feature | Stolly | Platform A | Platform B | Platform C |
|---|---|---|---|---|
| Third-party trackers | 0 | 15+ | 20+ | 10+ |
| Data selling | Never | Yes | Yes | No |
| Default privacy settings | Opt-in | Opt-out | Opt-out | Opt-out |
| Data deletion timeline | 30 days | 90+ days | 90+ days | 60 days |
| GDPR compliance | Full | Partial | Full | Partial |
| Encryption standard | AES-256 | AES-128 | AES-256 | AES-128 |
| Data export | Instant | 7-14 days | 30 days | 7-14 days |
Privacy isn't just about what we do - it's about what you can control. Stolly gives you granular control over every optional data use, with clear explanations and no hidden catches.
In Settings > Privacy > Consent Center, you'll find toggles for every optional data processing purpose. Each toggle has a clear explanation of what it does, what data is involved, and how it affects your experience. There are no pre-checked boxes, no confusing language, and no dark patterns trying to trick you into sharing more than you want.
Analytics: When enabled, we collect anonymized usage data to understand how people use Stolly and where we can improve. This includes page views, feature usage, and error reports - but never tied to your identity.
Personalization: This powers content recommendations based on your viewing history. When disabled, you'll see a generic mix of popular and recent stories instead of personalized suggestions.
Location: Only used if you enable location-based features like finding local storytellers or location-tagged stories. We never track your location in the background.
AI Training: Determines whether your interactions can be used to train our recommendation algorithms and content moderation systems. When disabled, your data is excluded from training datasets.
Push Notifications: Controls whether we can send you notifications about new content, replies, or account activity. You can also fine-tune notification types separately.
Some data processing is essential to make Stolly work: account authentication, content delivery, security monitoring, and legal compliance. You can't opt out of these because they're necessary for the service to function. Everything else - analytics, personalization, marketing, AI training - is optional and off by default.
Open the Stolly app, go to Settings > Privacy > Consent Center. Tap any toggle to enable or disable that purpose. Changes take effect immediately for new data. For existing data flows (like recommendation algorithms), changes are applied within 24-72 hours as systems update.
Beyond consent controls, you can request a copy of all your personal data, ask us to correct inaccurate information, or request full account deletion. These requests are handled through Settings > Privacy > Data Rights, and we respond within the timelines required by GDPR (typically within 30 days).
For those who want to understand the technical details of how we protect your privacy, here's what's under the hood.
We use OAuth 2.0 for authentication with JWT (JSON Web Tokens) for session management. Access tokens expire after 15 minutes, and refresh tokens are rotated on every use to limit the damage from token theft. Passwords are hashed using bcrypt with a cost factor of 12, and we enforce strong password requirements. Multi-factor authentication is available for additional security.
All data in transit is encrypted using TLS 1.3 with perfect forward secrecy, meaning that even if our long-term server keys were compromised later, past communications remain secure. Data at rest is encrypted using AES-256-GCM, with encryption keys managed through a secure key management service that rotates keys regularly.
We use PostgreSQL with row-level security policies that enforce access controls at the database level. All database connections are encrypted, and we use prepared statements to prevent SQL injection attacks. Backups are encrypted with the same AES-256 standard and stored in geo-redundant locations within the EU, with a 30-day retention period.
Our infrastructure includes real-time security monitoring with automated threat detection. We log all access to sensitive data, monitor for unusual patterns, and have automated alerts for potential security incidents. Regular penetration testing and security audits help us identify and fix vulnerabilities before they can be exploited.
Stolly is built to comply with GDPR (General Data Protection Regulation), the EU Digital Services Act, and Swedish data protection law. We're working toward ISO 27001 certification for information security management. Our privacy policy and practices are reviewed regularly by legal counsel to ensure ongoing compliance.
We work with a small number of trusted service providers for hosting (AWS EU region), analytics (privacy-focused tools only), payment processing (Stripe), and email delivery (SendGrid). All third parties are bound by strict data processing agreements that limit what they can do with your data and require them to meet the same security standards we do. We never share your personal data with advertisers or data brokers.
Where possible, we use open-source security libraries that have been audited by the security community. We publish transparency reports annually detailing data requests from law enforcement, security incidents, and privacy improvements. You can contact our privacy team at privacy@stolly.app with questions or concerns.
Read our full Privacy Policy for all definitions, legal bases, and retention rules.