Last updated: June 26, 2026. This policy has been updated to improve clarity for writers. For questions, contact kevin@firstory.app. This policy has not been reviewed by an attorney.
Introduction
Firstory helps writers create and manage stories through an AI-powered platform that includes the Firstory web application, Firstory MCP server, and Ghost Reader analysis tool. This privacy policy explains how we collect, use, and safeguard your information.
AI Provider Disclosure
Firstory routes your AI requests to third-party model providers. When you use an AI feature (story generation, scene drafting, analysis, revision, or any other AI-assisted tool), the content needed to fulfill your request is transmitted to the relevant provider. Providers currently in use:
- OpenAI — story generation, scene drafting, character development, analysis ( privacy policy)
- Anthropic — long-form narrative, deep revision, structural editing ( privacy policy)
- DeepSeek — character voice, dialogue drafting ( privacy policy)
- Google Gemini — research assistance, worldbuilding ( terms of service)
For a detailed breakdown of what each provider receives, their data handling policies, and our no-training commitment, see the Fanfic Trust Center.
Data We Process
- Account data from Supabase authentication, including user ID, email, and account tier.
- Story content — stories, scenes, character profiles, premises, and other creative content you create through the platform.
- AI interactions — prompts, generations, analysis requests, and feedback you provide on AI outputs.
- Usage analytics from PostHog, including feature usage, session data, and interaction patterns.
- Error reports from Sentry, including stack traces and diagnostic data when errors occur.
- Billing metadata from Stripe, including customer ID, payment status, checkout session ID, and webhook event IDs. We do not store full card numbers or card security codes.
- Operational logs from Vercel for reliability monitoring and abuse prevention.
How We Use Data
- Provide the writing platform, AI features, and story management tools
- Authenticate users and apply account tier access
- Process payments and maintain billing state
- Monitor reliability, diagnose errors, and prevent abuse
- Improve product quality and user experience
Cookies and Tracking
Product Analytics (PostHog)
Firstory uses PostHog for product analytics — understanding which features writers use, how the interface is navigated, and where the product can improve. PostHog collects session data, feature interaction events, and anonymized usage patterns. PostHog sets first-party cookies to identify returning sessions. PostHog does not track you across other websites, and we do not use PostHog for advertising.
You can opt out of PostHog tracking at any time by visiting PostHog's opt-out page. Opting out sets a cookie in your browser that tells PostHog to stop recording events from that browser.
Advertising Cookies
Firstory does not use advertising cookies, tracking pixels, or cross-site tracking of any kind. We do not serve ads on the platform, and we do not share your data with advertising networks or data brokers.
Do Not Track
Firstory honors the Do Not Track (DNT) browser setting. When your browser sends a DNT: 1 header, PostHog tracking is disabled for that session. You can enable DNT in your browser at any time. Note that DNT is a browser-level signal — it applies per-browser, not per-account.
Essential Cookies
Supabase authentication uses essential session cookies to keep you signed in. These cookies are required for the service to function and cannot be disabled without breaking core functionality.
International Data Transfers
Where Your Data Lives
Firstory stores user data on Supabase. Your data is hosted in the Supabase region configured for the Firstory project. As of this writing, the primary data storage region is ap-southeast-1 (Singapore). This may change if we migrate infrastructure — check this page for current information.
Cross-Border Processing
When you use AI features, your prompts and relevant story context are sent to third-party AI providers (OpenAI, Anthropic, DeepSeek, Google Gemini) whose servers may be located in the United States, Europe, or other jurisdictions. This constitutes an international transfer of your data. Each provider's data processing is governed by their respective privacy policies and data processing agreements.
GDPR and International Users
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, you should be aware that your data may be transferred to and processed in countries that have not been deemed to provide an adequate level of data protection by your local regulator. By using Firstory, you consent to these transfers. Where applicable, we rely on standard contractual clauses, provider data processing addenda, and adequacy decisions as the legal basis for international transfers.
To exercise your rights under GDPR or equivalent data protection laws, contact kevin@firstory.app.
AI Provider Data Sharing
When you use AI features, the content needed to fulfill your request is sent to the configured third-party AI provider. Firstory does not use your stories or writing data to train AI models. We use provider APIs to generate responses for your workflow, not to contribute your content to training datasets.
Provider-side processing is subject to each provider's service and privacy terms. Active AI providers may include OpenAI, Anthropic, DeepSeek, and Google Gemini. Users should review the relevant provider's policies for vendor-specific details. See our Fanfic Trust Center for a detailed breakdown per provider.
Data Storage and Security
Your data is stored using Supabase with encryption at rest and in transit. We implement appropriate security measures to protect against unauthorized access, alteration, disclosure, or destruction of your information.
Payments
Payments are processed by Stripe. Firstory does not store full card numbers or card security codes. Billing metadata (customer ID, payment status, transaction IDs) is retained for account management and support purposes.
Third-Party Processors
The service uses the following third-party processors to operate:
- Supabase — authentication and database
- Vercel — hosting and deployment
- Stripe — payment processing
- Sentry — error tracking
- PostHog — product analytics
- OpenAI, Anthropic, DeepSeek, Google Gemini — AI generation
Deletion and Access
To request access, correction, export, or deletion of your data, contact kevin@firstory.app. Do not send story drafts, payment details, access tokens, or private account data through public channels.
Your Rights
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Export your story content
Changes
Material changes to this policy will be reflected on this deployed public page before broader distribution. The effective date at the top of this page indicates when the current version took effect.
Contact
For privacy-related questions or to exercise your rights, contact kevin@firstory.app.