Privacy Policy

1. Who We Are and How to Contact Us

StoryHatch is operated as a sole proprietorship under the name “StoryHatch” (the “operator”). The Service is hosted at app.storyhatch.app.

If you have any questions, requests, or complaints about this Privacy Policy or how we handle your data — including requests to access or delete your information — contact us at [email protected]. The data controller responsible for your information is StoryHatch, operating from the State of South Carolina, United States.

2. Information We Collect and Why

We collect only the information needed to run your account, generate and manage your videos, process payments, and (if you choose) publish to YouTube. The categories below list each type of data we collect, why, and how it is used.

• Account email address — for authentication, login, password recovery, and transactional messages (for example, a notice when your video is ready).
• Password (stored only as a bcrypt hash, 10 rounds) — to authenticate your login. We never store your password in plain text and cannot recover it; we can only reset it.
• Credits balance — an integer tracking how many video-generation credits you have remaining, used for pay-per-video billing.
• Plan type (e.g. “free” or “system”) — tracks your account tier.
• Stripe customer ID — stored so Stripe can identify you for payments and future purchases. We do not store your card details (see Payments, below).
• YouTube OAuth refresh token (encrypted at rest with AES-256-GCM) — used only to upload videos to your connected YouTube channel on your behalf when you choose to publish.
• YouTube channel ID, channel title, and the timestamp you connected — to display your connected channel, route uploads to the correct channel, and keep an audit trail.
• ElevenLabs voice IDs and names (active voice ID, active voice name, and your persistent Instant Voice Clone ID) — to select which voice (a preset or your own clone) narrates your videos and to display the active voice to you.
• Activity and engagement data — last login timestamp, login streak counter, and last reward timestamp — to recognize returning users and apply login-streak rewards.
• Referral data — your unique referral code and, if you signed up through someone’s link, the ID of the person who referred you — to run the referral program and grant referral credits.
• Video records and metadata — for each video we store the title, filename, file path, size, duration, generation status, the source subreddit and Reddit post ID, the post’s upvote count, the narration transcript (title and full script text, as JSON), any error message, the credit cost charged, a free/demo flag, internal content-quality scores (a 0–100 “Viral Intelligence” hook/quality heuristic, recommended action, hook type, sub-scores, and reasoning), and timestamps. That internal score rates the source material and script; it is not a prediction or promise of views.
• Published YouTube video ID — stored after you publish so we can associate the video with your account.
• Client IP address — for abuse prevention and rate limiting on free signup and free-video endpoints. We keep a per-IP daily hit log (written to disk) to enforce 24-hour usage caps; this log persists across server restarts.
• Processed payment event IDs — a record of Stripe webhook event IDs we have handled, used solely to prevent double-crediting if Stripe re-delivers an event.

3. Legal Bases for Processing (EEA / UK)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Performance of a contract — to create and operate your account, generate and store your videos, process credit purchases, and publish to YouTube when you ask us to.
• Legitimate interests — to secure the Service, prevent fraud and abuse (including IP-based rate limiting), maintain audit trails, and improve the user-facing features of the product.
• Consent — for optional features you explicitly enable, such as connecting your YouTube channel, creating a voice clone, or auto-posting to third-party platforms. You can withdraw consent at any time (for example, by disconnecting YouTube).
• Compliance with legal obligations — to meet tax, accounting, and other legal requirements connected to payments.

4. Use of YouTube API Services

StoryHatch uses YouTube API Services. By using StoryHatch’s YouTube features, you also agree to be bound by the YouTube Terms of Service, and you can review Google’s practices in the Google Privacy Policy.

StoryHatch only accesses your YouTube account when you explicitly connect it through Google’s OAuth consent screen. Once connected, we store an encrypted refresh token (AES-256-GCM at rest), your channel ID, channel title, and the connection timestamp, so we can perform the uploads you initiate and show you which channel is connected. We use this YouTube data only to provide the channel-connection and upload features visible in the StoryHatch interface.

You can revoke StoryHatch’s access at any time: disconnect your channel inside StoryHatch (which revokes the token and removes it from active use), or revoke access at Google’s security settings page. The specific access StoryHatch requests:

• YouTube Data API — youtube.upload (a restricted scope): to upload finished videos to your connected channel on your behalf. We send the rendered video file and its metadata (title, description, tags) to YouTube only when you choose to publish.
• YouTube Data API — youtube.readonly: to read your channel’s basic information (channel ID and title) so we can confirm which channel is connected and route uploads correctly. We do not read or modify your channel’s content, comments, or analytics.

5. Google API Services Limited Use Disclosure

StoryHatch’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically: StoryHatch only uses YouTube data to provide and improve the user-facing features visible in the app (uploading finished videos to your connected channel, and reading your channel’s basic information to confirm which channel is connected). StoryHatch does not sell or transfer this data to third parties such as advertising platforms, data brokers, or information resellers; does not use it to serve advertising (including retargeting, personalized, or interest-based advertising); does not use it for any credit or lending decision; does not use it to develop, improve, or train generalized or non-personalized AI/ML models; and does not allow humans to read the data except with your affirmative consent for specific items, for security or to comply with applicable law, or when the data has been aggregated and anonymized for internal operations.

6. Third Parties and Subprocessors

StoryHatch relies on the following third-party services to operate. We share only the data necessary for each to perform its function. Several are optional and active only if the operator enables them, as noted.

• Stripe — payment processing and checkout. Receives your user ID, email, and the credits purchased, and returns a Stripe customer ID. Your card data is collected and processed entirely by Stripe; StoryHatch never receives or stores card numbers.
• ElevenLabs — text-to-speech voice synthesis and voice-clone creation. Receives the narration script text, a short identifier used to name your voice clone, any audio sample you upload to create a clone, and voice-selection IDs.
• Reddit API — fetches public Reddit posts used as story source material, using the operator’s credentials. No personal data about you is sent to Reddit.
• Pexels — supplies stock background footage. Receives search query terms only; results are cached locally to reduce calls.
• YouTube / Google — see the YouTube and Limited Use sections above. Receives your encrypted OAuth token and the video file, metadata, and channel ID involved in an upload you initiate.
• Resend — transactional email delivery (e.g., video-ready notices, password resets). Receives your email address and message content; messages are sent from [email protected].
• edge-tts (Microsoft) — fallback text-to-speech when ElevenLabs is unavailable. Receives narration script text only.
• Piper TTS — an offline fallback voice engine that runs locally. No data is sent to any external service.
• yt-dlp — fetches sample gameplay background clips. Sends search queries only (no personal data); clips are stored locally.
• TikTok (optional) — if enabled by the operator, auto-posts a finished video using a persisted session. Receives the video file, title, and description.
• Discord (optional) — if a webhook is configured, sends the operator internal status and error alerts. Inert if not configured.
• OpenAI (optional) — if explicitly enabled by the operator, performs optional script/title enhancement. Receives a Reddit post title and script text. Disabled by default; the product works fully without it.
• ntfy.sh (optional) — if configured, sends push notifications about generation events.
• We do not sell your personal information, and we do not share Google/YouTube user data with any party except as described in the YouTube and Limited Use sections above.

7. Cookies and Local Storage

StoryHatch uses cookies and/or browser local storage strictly to keep you logged in and to operate the Service (for example, maintaining your authenticated session). We do not use advertising or cross-site tracking cookies, and we do not use Google/YouTube data for any advertising purpose. Disabling essential cookies may prevent you from logging in or using core features.

8. Data Retention and Deletion

We keep your data only as described here, and we want to be transparent about what you can delete yourself today versus what currently requires contacting us.

What you can delete yourself: you can delete individual videos, or delete all of your completed videos at once. Deleting a video removes its database record and its files on disk, including sidecar files such as captions (.srt), description, hashtags, pinned-comment text, and thumbnail. Videos still in progress (queued or actively generating) cannot be deleted until they finish or fail. You can also disconnect your YouTube channel, which revokes and removes the stored token from active use.

Credits: purchased credits are one-time and do not expire. If a video ends in an error state, the credit charged for it is automatically and atomically refunded. New accounts receive 3 free credits on signup (plus 2 more if you joined through a valid referral); your first video can be generated free as a watermarked demo, subject to per-IP limits.

Account-wide deletion: to be honest, StoryHatch does not yet provide a self-service “delete my entire account” button. Certain records — such as your account email, referral code, login history, Stripe customer ID, voice IDs, and any YouTube token until you disconnect — persist until removed. To request full deletion of your account and associated personal data (a GDPR/CCPA erasure request), contact us at [email protected] and we will process it manually. We are working to add a self-service account-deletion option.

No fixed retention schedule: other than automatic refunds and a routine cleanup job that removes orphaned video files, the product does not auto-purge user data on a timer; data persists until you delete it or request deletion. Note that revoking access via Google stops future YouTube access but does not by itself delete data already stored in StoryHatch — use the steps above or contact us for that.

9. Security

We take reasonable technical measures to protect your data:

• Passwords are never stored in plain text — they are hashed with bcrypt (10 rounds).
• YouTube OAuth refresh tokens are encrypted at rest using AES-256-GCM.
• Stripe webhooks are signature-verified, and payment events are processed idempotently to prevent double-crediting.
• Card data is never handled by StoryHatch; it is processed exclusively by Stripe.
• No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security, and you use the Service at your own risk.

10. Payments

StoryHatch uses a pay-per-video credit model — one-time credit purchases, not subscriptions. One credit is consumed per video (a single generation request produces three videos and therefore consumes three credits, charged up front; if a video fails, its credit is refunded automatically).

Credit packages currently offered are Hatchling (30 credits, $9), Skyward (120 credits, $29), and Celestial (450 credits, $99). When you buy credits you are redirected to Stripe’s hosted checkout. After successful payment, Stripe notifies StoryHatch via a verified webhook, which grants your credits and stores your Stripe customer ID for future purchases. StoryHatch never receives, stores, or processes your card details — all card handling is performed by Stripe under Stripe’s own privacy policy.

11. Children’s Privacy

StoryHatch is not directed to children. The Service is intended for users aged 16 and older (and in no case under 13). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us personal data, contact us at [email protected] and we will delete it.

12. International Data Transfers

StoryHatch and several of its subprocessors (including Stripe, ElevenLabs, Google/YouTube, and Resend) may process and store data on servers in countries other than yours, including the United States. Where required, such transfers rely on appropriate safeguards such as Standard Contractual Clauses or the providers’ own approved transfer mechanisms. By using the Service, you understand that your information may be transferred to and processed in the United States and other countries with different data-protection laws.

13. Your Rights (GDPR and CCPA)

Depending on where you live, you have rights over your personal data, and we honor these rights for all users where we are able.

If you are in the EEA, UK, or Switzerland (GDPR), you have the right to access, correct, delete, restrict, or object to our processing of your data; the right to data portability; and the right to withdraw consent for optional features at any time. You also have the right to lodge a complaint with your local supervisory authority.

If you are a California resident (CCPA/CPRA), you have the right to know what personal information we collect and how we use and share it, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the “sale” or “sharing” of personal information. StoryHatch does not sell your personal information and does not share it for cross-context behavioral advertising. We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at [email protected]. As noted above, some deletion requests are currently handled manually while we build self-service tools. You can also independently revoke YouTube/Google access at Google’s security settings page.

14. Changes to This Policy

We may update this Privacy Policy from time to time as the product evolves. When we make material changes, we will update the effective date and, where appropriate, notify you. The policy is prominently displayed and accessible at all times within the Service, and your continued use after an update means you accept the revised policy.

Effective date: June 6, 2026. Last updated: June 6, 2026.

15. Contact

For any privacy questions, requests, or complaints — including data access and deletion requests — contact us at [email protected]. The operator is StoryHatch, operating from the State of South Carolina, United States.