Home › Privacy Policy

Privacy Policy

Last updated: January 1, 2026

This Privacy Policy describes how StoryTrackr ("we," "us," or "our") collects, uses, and protects information when you use our service at storytrackr.app and dashboard.storytrackr.app (the "Service").

1. Information We Collect

Account Information: When you sign up, we collect your name, email address, and a hashed password. We do not store plain-text passwords.

Organization Data: Information you enter about your ministry organization (name, campus, settings).

Student Data: Names, grades, schools, photos, interaction notes, goals, and any other information you enter about students in your roster. This data is entered and owned by your organization.

Usage Data: We log aggregated, anonymized metrics such as login counts and page views to understand how the Service is used. We do not track individual browsing behavior.

Session Data: A session cookie is used to keep you logged in. It contains a random token — no personal information is stored in the cookie itself.

2. How We Use Your Information

  • To provide and operate the Service
  • To send transactional emails (account approval, password resets, invitations)
  • To respond to support requests
  • To improve the Service based on aggregated usage patterns

We do not use your data for advertising, sell it to third parties, or share it with any outside parties except as described below.

3. Data Storage & Security

All data is stored in Supabase Postgres and Storage, encrypted at rest and in transit. We use HTTPS with HSTS headers across all endpoints.

Passwords are hashed using PBKDF2 with 100,000 iterations and a random salt. Session tokens are randomly generated cryptographic values.

4. Student Data and COPPA

StoryTrackr stores information about minors (students) on behalf of your organization. Organizations using the Service are responsible for obtaining any necessary consent from parents or guardians as required by applicable law, including COPPA (Children's Online Privacy Protection Act) in the United States.

We do not collect student data directly from students — all student data is entered by authorized leaders within your organization.

5. Data Retention

Your organization's data is retained for as long as your account is active. Activity feed entries are automatically deleted after 90 days. Audit logs are retained for 180 days. You may request deletion of your account and associated data by contacting us at privacy@storytrackr.app.

6. Third-Party Services

Infrastructure providers: We use Vercel for application hosting and Supabase for database, authentication, and storage. Their privacy policies apply to infrastructure-level processing.

MailChannels: We use MailChannels to send transactional emails. Email addresses are shared with MailChannels only for the purpose of sending emails you've requested (account notifications, password resets).

We do not use Google Analytics, Facebook Pixel, or any third-party tracking or advertising services.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Request deletion of your account and data
  • Export your organization's data at any time from Settings → Export

To exercise these rights, contact privacy@storytrackr.app.

8. Changes to This Policy

We may update this policy from time to time. We'll notify you of material changes via email or an in-app notice at least 30 days before they take effect.

9. Contact

Questions about this policy? Contact us at privacy@storytrackr.app.