Privacy Policy

Data Controller

The responsible party for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Data Protection Officer

Our appointed Data Protection Officer is Attorney Kai Flatau, Hamburg.

Contact

For all data protection enquiries, please contact us at privacy@outastory.com.

General Data Collection

Server Logs

When you visit OutaStory, our servers automatically record the following data: your IP address, access timestamps, and browser/client information. This data is stored for a maximum of 10 days and is used solely for security and technical diagnostics.

Cookies

We use session cookies that are required for the platform to function correctly. These cookies are temporary and are deleted when you close your browser. We do not use persistent tracking cookies without your explicit consent.

Third-Party Services

OutaStory integrates the following third-party services, each of which may process data in accordance with their own privacy policies:

• Google Analytics — Web analytics with IP anonymization enabled. Data is processed in accordance with Google's privacy policy.
• Google reCAPTCHA — Bot and fraud protection. Google may collect device and behavioural data to distinguish humans from automated traffic.
• Google Fonts — Typography assets served from Google's CDN. Your IP address may be transmitted to Google upon page load.
• Sentry — Error monitoring and performance management. Crash reports and diagnostic data may be transmitted to Sentry's servers.
• Brevo (formerly Sendinblue) — Transactional and marketing email delivery. Email addresses and delivery metadata are processed by Brevo.

Member Data

Registration & Account Data

When you register for an OutaStory account, we collect and store the information you provide (e.g. name, email address, and preferences). This data is stored securely within the Microsoft Azure cloud infrastructure.

Reading Activity

We track your reading progress, library interactions, and engagement metrics (e.g. pages read, time spent) in order to provide personalised recommendations and to support authors with aggregated analytics.

Payment Processing

Payments are handled by the following certified payment providers. OutaStory does not store complete payment card details:

• PayPal
• Stripe
• Mastercard
• VISA

Data Retention

Your personal data is retained for as long as your account is active. Upon account deletion, your personal data is removed within a reasonable timeframe. An exception applies to financial transaction records, which are retained for 10 years as required by German tax law (§ 147 AO).

Writer Data

Writers who publish on OutaStory agree to the following data practices:

• Submitted stories and associated metadata are stored on OutaStory's servers for the duration of the publishing relationship.
• The writer's identity (or chosen pseudonym) is linked to their published works and displayed publicly on the platform.
• Publication metrics — including page reads, ratings, and revenue data — are tracked and made available to the writer via their dashboard.

Your Rights under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

• Right of Access (Art. 15 GDPR) — You may request confirmation of whether we process your personal data and, if so, obtain a copy of it.
• Right to Rectification (Art. 16 GDPR) — You may request correction of inaccurate or incomplete personal data we hold about you.
• Right to Erasure (Art. 17 GDPR) — You may request deletion of your personal data subject to applicable legal retention obligations.
• Right to Restriction (Art. 18 GDPR) — You may request that we restrict the processing of your data in certain circumstances.
• Right to Data Portability (Art. 20 GDPR) — You may receive your personal data in a structured, machine-readable format.
• Right to Withdraw Consent (Art. 7(3) GDPR) — Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@outastory.com. We will respond within the timeframes required by applicable law.

Security

OutaStory uses 256-bit SSL/TLS encryption for all data transmitted between your device and our servers. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction.