your data & your rights

Under GDPR (and similar laws — CCPA, UK GDPR, LGPD), you can:

• access — get a JSON export of everything we hold tied to your listener token
• rectify — change verticals, voice, tone, email at /listen/preferences
• erase — hard-delete your subscription + listening history. Encrypted backups expire on a 30-day cycle thereafter.
• portability — the export is a structured JSON suitable for re-import into any RSS-aware podcast tool
• restrict — pause your feed at /listen/preferences without deleting; we stop adding new episodes until you flip back on
• object — opt out of digest emails on the same preferences page

We can't see a listener token in this browser. To run a self-service export or erase, open this page from the device you subscribed on, or email story@storyflo.com with subject GDPR: + your feed URL or email.

• email — only when you supplied one (magic-link / digest opt-in)
• listener_token — random 32-hex; this IS your credential
• verticals, voice_id, tone_preference, tier
• wallet_address — only if you bound one (auto-minted Circle SCA or self-custody)
• listening history rows: article slug, day, completion %, voice, saved/dismissed flags
• BYO-TTS encrypted API key (Plus tier only; encrypted at rest with Fernet)

We do not hold: payment-card numbers (handled by Stripe), full IP addresses (we hash for rate limiting), passwords (we use magic-link auth), full body telemetry beyond completion %.

If a self-service action doesn't work for you, or if you're acting on someone else's behalf (next of kin, legal representative), email story@storyflo.com with subject GDPR:. We'll acknowledge within 5 business days and respond substantively within 30 days (per GDPR Art. 12).

If you're a publisher integrating storyflo and need a counter-signed Data Processing Agreement, see /legal/dpa and our trust + security overview.