Privacy Note

Ready to submit your story?

This page explains what we collect, why, how long we keep it, who helps us run the site, and how you can exercise your rights. We write this in plain language on purpose.

Who We Are

Controller: Prompted Spiral, USA

Hosting/infra: Hostinger International Ltd. (data processor). See their DPA and privacy terms linked in the “Processors” section below.

What We Collect

We keep data lean by design.

  • Display name (alias/handle recommended).
  • Story content (what you write in the submission form)
  • Story metadata you choose to include (e.g., AI provider/model, emotions, content warnings, slider answers).

Data We Keep in Private

  • Deletion Code (hash only). A system‑generated code shown once after you submit.
  • Recovery Phrase (hash only). A system‑generated passphrase shown once after you submit.
  • Attempt counters for the delete tool (numbers only).
  • Moderation/audit notes (if needed).

What We Don’t Store By Default

  • No email address (unless you proactively contact us).
  • No IP address for research purposes (web server access logs may exist briefly for security/ops).
  • No device IDs or advertising IDs.
  • No government IDs or identity documents.

Why We Collect It

  • Publish a public archive of stories about experiences with AI.
  • Create aggregate statistics/charts for research and public understanding (never individual‑level stats).
  • Moderation and site security, including preventing spam and brute force abuse of the deletion tool.

Legal Bases (EEA/UK/Switzerland)

If you are in the EEA/UK/Switzerland, we rely on:

  • Consent (GDPR Art. 6(1)(a)) for publishing your story and using it in aggregate statistics. You can withdraw consent at any time; see “Your rights.”
  • For any sensitive data you choose to include in your story (e.g., health, beliefs), we rely on your explicit consent (Art. 9(2)(a)).

Outside those regions, we rely on consent and our legitimate interests in operating a public archive.

Your Choices & Rights

  • Delete your story (self‑service): Use your Deletion Code or Recovery Phrase on the Delete page. Without one of these, we generally cannot verify authorship and may decline deletion, except where the law requires removal or we decide to redact for risk of harm.
  • Withdraw consent (EEA/UK/CH): You may withdraw consent for future use and request deletion. If you lost your code/phrase, contact us; we’ll assess your request as the law requires.
  • Access/Copy/Correction/Restriction/Objection (EEA/UK/CH): Write us using the contact above. We may ask you to use the code/phrase for verification.
  • Complain: You may contact your data protection authority. We’ll provide details on request.

Retention

  • Public stories: intended to be long‑term. If you withdraw consent (EEA/UK/CH) or use your code/phrase, we delete or unpublish as required.
  • Analytics data: stored as aggregated/bucketed counts only. We do not keep per‑story analytics outside the public content and minimal keys noted above.
  • Server logs: minimal and short‑lived for security (e.g., ≤30 days), then deleted.
  • Backups: encrypted; rotate on a schedule (e.g., 30–90 days). Removed entries disappear as backups roll off.

How We Protect Data

  • Secrets are stored as bcrypt/Argon2 hashes; raw codes/phrases are never stored.
  • Delete tool has rate limits, cooldowns, and CAPTCHA after repeated failures.
  • Admin access is least‑privilege; sensitive meta is masked.
  • HTTPS everywhere; encrypted backups; monitored updates.

Analytics

  • We build charts from aggregated features (e.g., month, model, emotion/category counts, slider ranges).
  • We don’t use IPs or cookies for research analytics.
  • We hide any chart slice where fewer than 5 stories fall into a bucket.

Cookies & Site Analytics

We currently do not use site analytics cookies. If this changes, we’ll update this page and show a consent banner where required. Privacy‑friendly, cookieless analytics may be used for basic traffic counts.

We use a short-lived session cookie (or session storage) after submission to briefly re-display your deletion keys on the confirmation page. It expires automatically within about 10 minutes and isn’t used for tracking or analytics.

Processors & Transfers

We use service providers (“processors”) under data‑processing terms.

  • Hostinger International Ltd. – hosting/CDN/email infrastructure. Data may be processed outside your country. For EEA/UK transfers, Hostinger’s Standard Contractual Clauses apply (see Hostinger’s DPA).

Children

This site is 18+ only. Do not submit content if you are under 18. If we learn a minor submitted a story, we’ll remove it.

How Deletion Works

  • After submitting, you’ll see a Deletion Code and a Recovery Phrase once. Save them.
  • To remove your story later, go to [Delete Page URL] and enter the code or phrase.
  • Without a valid code or phrase, we generally cannot verify authorship and may decline deletion, except where the law requires removal. We may redact specific details if there is a credible risk of harm.

Changes To This Notice

If we make material changes, we’ll update the “Last updated” date and, where appropriate, show a notice on the site.

Ready to submit your story?