Loading
Last Updated: November 2025
Stolly Privacy Policy
Last Updated: November 2025
This Privacy Policy (“Policy”) explains how Stolly (“Stolly”, “we”, “us”, “our”) processes personal data when individuals (“you”, “users”) access or use our mobile applications, websites and related services (collectively, the “Service”). We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), the Swedish Data Protection Act and other applicable data protection laws.
Until Stolly is incorporated as a separate legal entity, the controller of personal data for the purposes of the GDPR is the founding individual or individuals identified in the app and on our website, with contact details and postal address in Sweden as specified in the “Contact” section of this Policy. Once a Swedish company is registered, this Policy will be updated so that the company becomes the controller.
This Policy applies to all processing of personal data that occurs in connection with the use of the Service, including account creation, profile management, story creation and playback, social interactions, AI-assisted features, TTS features, advertising, subscriptions and monetisation, support and complaints handling, as well as visits to our website and transparency pages.
We collect and process only such personal data as is necessary for the purposes set out in this Policy.
When you create and maintain an account, we process identification and profile data such as your email address, username or display name, optional avatar image or avatar URL, profile biography and links, age and date of birth for age-gating and compliance with child and teen protection rules, as well as country, preferred language and locale. We also process authentication and account status data, including password hashes where applicable, security tokens, session identifiers, account status flags, consent choices and privacy settings.
During registration and subsequent access, we process IP address, approximate location derived from IP (typically at country or region level), device language, time zone and basic technical parameters in order to determine applicable legal regimes and consent rules, to operate security and fraud-prevention measures and to provide a suitable version of the Service.
When you use the Service as a creator or listener, we process user-generated content, including stories, titles, descriptions, text, captions, subtitles, hashtags, cover images, audio and video files, as well as comments, likes, favourites, follows, reports and other interactions you make or receive. We also process drafts and AI-assisted variants of stories, including text you submit to AI features and the generated text returned to you, and we keep technical references to media files in storage buckets.
If you use AI-assisted features, we process prompts, drafts, edits and the resulting AI outputs, together with contextual information necessary to generate and deliver that content. If you use TTS features, we process text to be narrated, TTS configuration parameters such as voice choice, language and style, and information about the TTS job status, including temporary URLs to audio files and related artefacts stored in private “temporary” buckets before final publication.
We process device and session data, including app-scoped device identifiers generated client-side, mobile operating system, device model, app version, system language, information about secure storage of access and refresh tokens, session metadata recorded via backend procedures and state information about connectivity, queued requests and background tasks. Such data is required for authentication, session management, reliability and security of the Service and is typically linked to your account or a pseudonymous device identifier.
We process usage, analytics and personalisation data. This includes data about your interactions with stories, such as views, partial views, completions, skips, swipes, muting and unmuting, as well as timestamps and story identifiers, recorded in partitioned tables such as story view logs. We also process information about likes, favourites, follows and other engagement, and we store user interests selected during onboarding in dedicated structures for feed personalisation. For ranking and semantic search, we process vector representations (“embeddings”) of story text and profile interests in specific embedding tables.
We process data related to advertising and marketing where relevant, including ad impression events, duration of ad views, click state and basic context, together with device identifiers available to the Google Mobile Ads SDK, and your consent or refusal with respect to personalised or non-personalised ads, as recorded through our consent mechanisms.
With respect to payments and monetisation, we process data about your in-app purchases and subscriptions, including the type of plan (such as Free, Premium or Turbo), credit or virtual currency balances, transaction history, store receipts and platform purchase metadata received from Apple App Store and Google Play Billing. We do not process or store your full payment card or bank details; such data is handled by the app stores and their payment providers acting as independent controllers.
For moderation, safety and security, we process reports you submit about content or users, the categorisation of those reports, the status and outcome of related investigations, as well as logs of moderation decisions, enforcement actions (including removal of content, account restrictions and bans) and technical signals from activity logs, IP addresses and device identifiers that help detect abuse, fraud and technical attacks.
Finally, we process communications data, such as messages you send to us via support channels, your requests to exercise data protection rights and related correspondence, as well as metadata relating to local notifications and background jobs managed by components such as Workmanager, Flutter Local Notifications and other SDKs necessary for the functioning of the Service.
We process personal data only where a lawful basis under Article 6 GDPR applies.
We process account, profile, authentication, content and technical data to enter into and perform the contract between you and us, namely to provide, maintain and operate the Service and its core features. This includes creating and managing your account, enabling you to create, edit, publish and delete stories, drafts and other content; providing AI-assisted and TTS features; enabling interactions such as likes, comments, favourites and follows; ensuring that your sessions remain authenticated and that you can access your content and settings on your devices. The legal basis is the necessity for the performance of a contract under Article 6(1)(b) GDPR.
We process usage, interest and embedding data to personalise the Service, in particular to rank and recommend stories in the “For You” feed and to provide discovery features. Depending on the jurisdiction and category of processing, the legal basis is your consent, obtained via consent dialogues or settings where required by law, or our legitimate interests under Article 6(1)(f) GDPR in providing a relevant and user-friendly experience, balanced against your rights and freedoms. Where the law requires explicit consent for certain personalisation or tracking, we will not perform those operations without your consent and will provide non-personalised alternatives where feasible.
We process analytics data, technical logs and event data for service improvement, testing, debugging, measuring performance, understanding usage patterns and planning future development. The legal basis is our legitimate interests under Article 6(1)(f) GDPR in operating, securing and improving the Service, applying appropriate safeguards such as pseudonymisation, aggregation, retention limits and access controls.
We process personal data for security, fraud prevention and enforcement, including detection, investigation and prevention of unauthorised access, spam, abuse, content that violates our Terms of Service or Community Guidelines, and behaviour that may pose a risk to other users, especially minors. We also process moderation and enforcement logs for these purposes. The legal basis is our legitimate interests under Article 6(1)(f) GDPR in protecting the Service and its users, and, where applicable, legal obligations or tasks carried out in the public interest.
We process certain data to comply with legal obligations under EU and national law, such as obligations related to consumer protection, tax, accounting, data protection, and the EU Digital Services Act, including obligations to keep records of moderation decisions and to provide statements of reasons and appeal mechanisms. The legal basis is Article 6(1)(c) GDPR, and in some cases Article 6(1)(e) GDPR where processing is necessary for a task carried out in the public interest.
We process data for advertising and marketing to the extent permitted by law. Where we show personalised advertising using personal data that is not strictly necessary for the provision of the Service, the legal basis is your consent under Article 6(1)(a) GDPR and, where relevant, Article 5(3) of the ePrivacy Directive as implemented in national law. Where we show non-personalised ads using only contextual information or technical identifiers necessary for frequency capping and measurement, the legal basis is our legitimate interests under Article 6(1)(f) GDPR, provided that your rights and freedoms are respected. We also process your email address and engagement metrics to send you service communications and, where you have opted in, marketing communications, with the legal basis being performance of a contract or legitimate interests, or consent where required.
We process personal data to respond to your support requests, manage your privacy rights requests, handle complaints and disputes and otherwise communicate with you. The legal basis is performance of a contract or pre-contractual measures, legal obligations and our legitimate interests in providing user support and ensuring accountability.
Where processing is based on your consent, you may withdraw that consent at any time via in-app settings or by contacting us, without affecting the lawfulness of processing based on consent before its withdrawal.
When you use AI-assisted features, your prompts, drafts and related context are transmitted from the client to our backend, where they may be forwarded to large language model providers, including but not limited to OpenAI models such as GPT-4o-mini and text-embedding-3-small, as well as moderation models, for the sole purpose of generating or analysing the requested content and operating safety mechanisms. The AI outputs returned are stored in our database and can be edited, published or deleted by you. We may further process portions of prompts and outputs to improve the performance, safety and fairness of AI-powered features, to detect abuse, and to build internal evaluation datasets, applying technical and organisational safeguards and, where required by law, relying on your consent or providing opt-out mechanisms.
When you use TTS features, the text of your stories or other content, combined with voice configuration parameters, is transmitted to TTS providers such as LemonFox, acting under our instructions, to generate audio narration and related artefacts. Temporary audio and caption files are stored in private temporary buckets in Supabase Storage and are either promoted to final public or semi-public buckets when you publish your story, or deleted after short retention periods if not used. We retain information about TTS jobs, including provider references and status, for operational, billing and audit purposes.
Our recommender systems process personal data, including embeddings and behavioural signals such as views, likes, completions and follows, in order to automatically rank and recommend stories in the feed, suggest accounts to follow and improve discovery. We also apply safety and age-based filters, for example to reduce the visibility of certain categories of content to teen users. This processing constitutes profiling within the meaning of the GDPR; however, it does not produce decisions that have legal effects or similarly significant effects on you in the sense of Article 22 GDPR. You may adjust relevant settings where offered and may object to certain types of profiling based on legitimate interests.
The Service may display advertising delivered via the Google Mobile Ads SDK and similar technologies. For this purpose, we process technical identifiers and limited contextual information and, if you have consented, personal data used to provide more relevant advertising. Your ad-related consent choices are recorded and honoured both locally and in our backend, and we serve non-personalised ads where you refuse personalised advertising but still use the ad-supported version of the Service.
Virtual currency, credits and subscriptions are managed through internal wallet, transaction and subscription tables. We process data about balances, purchases, redemptions and related store receipts. Purchases are processed by Apple and Google, which act as independent controllers in relation to your payment card or other billing data; we do not have access to full card numbers, bank account numbers or similar information.
Where we offer monetisation programmes to creators, we process additional data relating to eligibility, payout details, tax status and performance metrics in order to calculate and pay out amounts owed. In such cases, we may need to process identifiers and contact details that are not visible to other users and that are subject to separate programme terms.
We share personal data with third parties only when necessary for the purposes described in this Policy, on the basis of appropriate legal grounds and safeguards.
We use Supabase as our primary backend platform for authentication, database storage, object storage and edge functions. Supabase processes data on our behalf as a processor under a data processing agreement. Media files, including audio, video, images and avatars, are stored in Supabase Storage buckets, which may be fronted by a content delivery network. Databases store profile, content, analytics, logs and consent records, with Row Level Security and partitioning applied to limit access and retention.
We use AI and TTS providers such as OpenAI and LemonFox as processors, receiving prompts, content and limited metadata for the purposes of generating or analysing content as described above. We contractually restrict their use of your data to the provision of services to us and we do not authorise them to use your personal data for their own advertising or unrelated profiling.
We use advertising and analytics providers, including Google Mobile Ads and other SDK operators, with whom we share technical identifiers, ad events and other data pursuant to their roles as controllers or processors, depending on the specific integration. In the context of app store and billing operations, Apple and Google process your personal and payment data as independent controllers under their own privacy policies.
We may share personal data with professional advisors (lawyers, auditors), hosting providers, security and monitoring vendors, customer support tools and similar providers acting as processors bound by confidentiality and data protection obligations.
We may disclose personal data to public authorities, courts and law enforcement where we are legally obliged to do so or where such disclosure is necessary to establish, exercise or defend legal claims.
If personal data is transferred to countries outside the European Economic Area that do not benefit from an adequacy decision by the European Commission, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented with additional measures where required. Information about such transfers and safeguards may be obtained by contacting us.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law.
Account and profile data are retained for as long as your account remains active. If you request deletion of your account, we will delete or anonymise the corresponding personal data, subject to necessary retention of certain information for legal obligations, legitimate interests such as fraud prevention and dispute resolution, and technical constraints such as backup cycles.
User-generated content, including published stories, associated audio and video, comments and interactions, is retained for as long as it remains published or until you delete it via the Service. Certain technical copies may persist for limited periods in backups and logs, and certain records may be retained where necessary to document moderation actions and compliance.
Temporary media assets, including intermediate audio files and captions stored in dedicated temporary buckets, are retained only for short operational periods, typically not exceeding the duration necessary to complete TTS or rendering jobs plus a defined buffer, after which they are automatically deleted, for example after twenty-four hours or seven days depending on the processing flow.
Story view logs and similar behavioural event data are stored in partitioned tables with defined retention periods. Raw events are generally retained only for a limited period necessary for ranking, debugging and abuse detection, after which they may be deleted or aggregated into statistics that no longer identify individual users or devices. Aggregated analytics may be retained for longer periods, for example up to eighteen months, to analyse trends.
Session data, security logs, consent records, payment and transaction data and moderation logs are retained in accordance with statutory retention obligations and limitation periods or, in their absence, for as long as reasonably necessary to protect our rights and our users’ safety.
The Service is not intended for children below the minimum age at which they may lawfully use online services in their country of residence without parental consent. We require users to state their age or date of birth during registration and we use this information to block registration where the user appears to be below the minimum applicable age. Where we become aware that we are processing personal data of a child who does not meet the minimum age requirement, we will take appropriate steps to delete the account and associated personal data, subject to any necessary retention for legal purposes.
For teen users who meet the minimum age but are not adults under applicable law, we apply additional safeguards, including restrictions or downranking of certain categories of content, limitations on specific features and more cautious handling of profiling and recommendations. Parents or legal guardians remain responsible for supervising minors’ use of the Service and for discussing the nature and limitations of AI-generated content and online social interactions.
Under the GDPR and applicable national laws, you have certain rights in relation to the personal data we process about you. These include the right to request access to your personal data, to obtain information about the processing and to receive a copy of the data; the right to request rectification of inaccurate or incomplete data; the right, in certain circumstances, to request erasure of your data; the right to request restriction of processing; the right to object to processing based on our legitimate interests, including profiling; the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller (data portability); and, where processing is based on consent, the right to withdraw your consent at any time.
You can exercise many of these rights through the settings in the app, including changing your profile data, adjusting preferences, revoking sessions, pausing or reactivating your account and requesting account deletion. For other requests, or if you require assistance, you may contact us using the contact details below. We may need to verify your identity before acting on your request and may decline or limit requests where allowed by law, for example where they would adversely affect the rights and freedoms of others or where we must retain data to comply with legal obligations.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Sweden, the competent authority is Integritetsskyddsmyndigheten (IMY).
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Such measures include, in particular, encryption of data in transit and at rest where appropriate, access controls based on roles and least privilege, logging and monitoring of access and critical operations, use of secure development and deployment practices, and regular review of infrastructure and configurations. Despite these measures, no information system can be fully secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for notifying us promptly if you suspect unauthorised access to your account.
We may amend this Policy from time to time to reflect changes in our processing activities, the Service or applicable law. The updated version will be published within the Service and on our website with a new “Last Updated” date. Where changes are material or require your consent under applicable law, we will provide appropriate notice and, where necessary, obtain your renewed consent.
If you have any questions, comments or requests concerning this Policy or our processing of personal data, including requests to exercise your rights, you may contact us at:
Stolly
Email: privacy@stolly.app
Postal address: Korsvägen 3, 13142 Nacka Sweden