Privacy Policy
This Privacy Policy explains how Stories of History collects, uses, stores and protects personal data when you visit the site, create an account, subscribe, contact us, or otherwise interact with the platform.
Last updated: July 8, 2026
Related policies
This Privacy Policy explains how Stories of History handles personal data. It sits alongside our Terms of Use and Legal & Disclaimers page.
1. Who we are
Stories of History is the controller of personal data processed through this website and related services, except where this policy states otherwise.
Controller name: Stories of History
Contact email: support@storiesofhistory.co
Website: https://storiesofhistory.co
Country: United Kingdom
2. Scope of this policy
This Privacy Policy applies to personal data we collect when you:
- visit and browse Stories of History,
- create or use an account,
- subscribe to a free or paid plan,
- contact us by email or through a form,
- join a waiting list or mailing list,
- use interactive features on the site,
- purchase a subscription or other paid service,
- or otherwise interact with the platform.
3. The personal data we collect
The personal data we collect depends on how you use the site. It may include:
- Identity and account data, such as your name, username, login credentials, account ID, or profile details.
- Contact data, such as your email address and any information you provide when contacting us.
- Subscription and transaction data, such as plan type, billing status, renewal dates, and limited payment-related information provided by payment processors.
- Technical data, such as IP address, browser type, device type, operating system, approximate location, referring pages, and site performance data.
- Usage data, such as pages viewed, stories opened, clicks, time on page, feature use, and navigation behaviour.
- Communications data, such as messages you send to us and our replies.
- Marketing preferences, such as whether you have opted in to receive updates.
- Weekly email subscription data, such as your email address, signup source, consent statement, consent date, consent method, consent source URL, unsubscribe status, unsubscribe method, suppression status and subscription event records.
- History Explorer and AI-assisted feature data, such as topic queries, saved route names, generated route results, request counts, cache references and related feature metadata.
- Cookie and similar technology data, where these tools are used on the site.
We do not intentionally collect special category personal data unless there is a clear reason to do so and an appropriate lawful basis applies.
4. How we collect personal data
We collect personal data in the following ways:
- Directly from you, for example when you sign up, subscribe, contact us, or join a mailing list.
- Automatically, through server logs, cookies, analytics tools, and similar technologies when you use the site.
- From service providers, such as payment processors, authentication providers, hosting platforms, analytics tools, email providers, and customer support tools.
5. How we use your personal data
We may use personal data to:
- provide, operate and improve the platform,
- create and manage user accounts,
- process subscriptions and payments,
- deliver paid or premium features,
- send service-related messages,
- respond to support requests and enquiries,
- generate and save AI-assisted History Explorer routes where available,
- monitor usage, diagnose technical issues and improve performance,
- protect the site, users and business from fraud, abuse or misuse,
- comply with legal and regulatory obligations,
- send marketing communications, including the weekly email, where permitted by law and consented to where required,
- and analyse site usage to improve content, features and design.
6. Our lawful bases for processing
Under UK data protection law, we use different lawful bases for different processing activities. The main mapping is:
- Account creation, login and profile management: we process account email, name, login records, authentication metadata and Supabase user ID so you can create and use an account. Lawful basis: contract; legitimate interests for account security, abuse prevention and support.
- Saved progress and product features: we process story progress, journey progress, saved paths, topic requests and related feature state so signed-in users can resume and use interactive features. Lawful basis: contract for core account features; legitimate interests for proportionate troubleshooting, product improvement and abuse prevention.
- AI-assisted History Explorer: where this feature is available, we process topic queries, the relevant Stories of History content catalogue, generated route results and related feature metadata to suggest reading routes, save routes for signed-in users, enforce fair-use limits and improve feature reliability. Lawful basis: contract for providing the Premium feature; legitimate interests for abuse prevention, reliability, troubleshooting and proportionate product improvement.
- Subscriptions, checkout and billing: we process plan status, Stripe customer and subscription references, billing state, refund status and related transaction records so we can provide Premium access and manage payments. Lawful basis: contract; legal obligation for tax and accounting records; legitimate interests for fraud prevention, refunds, dispute handling and reconciliation.
- Service messages and support: we process contact details, support messages, account email notifications and delivery metadata to respond to requests and send necessary account messages. Lawful basis: contract; legitimate interests for support, reliability and evidence of communications; legal obligation where the request relates to privacy rights, tax, accounting or other compliance duties.
- Weekly email and marketing: we process email address, signup source, consent statement, consent date, consent method, consent source URL, unsubscribe status, unsubscribe method and subscription event records to send the weekly email, evidence consent and honour preferences. Lawful basis: consent where required for direct marketing; legal obligation and legitimate interests for unsubscribe and suppression records.
- Security, fraud prevention and rate limiting: we process limited technical and security data to protect the platform and users from misuse, abuse, fraud and unauthorised access. Lawful basis: legitimate interests; legal obligation where security records are needed for compliance or legal claims.
- Analytics and product metrics: Vercel Web Analytics and first-party product metrics help us understand broad traffic, performance and product usage. Google Analytics 4 is used when analytics consent has been given through CookieYes and Google Consent Mode. Lawful basis: legitimate interests for privacy-focused and proportionate operational analytics; consent for non-essential analytics cookies or similar tracking where required.
- Legal, audit and administration records: we process limited audit, admin, dispute, refund and compliance records to run the service responsibly and evidence decisions. Lawful basis: legitimate interests; legal obligation where records are needed for regulatory, tax, accounting or legal requirements.
Where we rely on legitimate interests, we aim to ensure the processing is proportionate and does not unfairly impact your rights.
Where we rely on consent, you can withdraw consent at any time. This will not affect processing that took place before withdrawal.
7. Cookies and similar technologies
We may use cookies, pixels, local storage, analytics tools and similar technologies to operate the site, remember preferences, understand usage and improve performance.
These technologies may include:
- strictly necessary technologies required for the site to function,
- analytics technologies that help us understand how the site is used,
- preference technologies that remember settings,
- and marketing technologies if used and lawfully enabled.
Where required by law, we will ask for consent before setting non-essential cookies or similar technologies.
You can also control cookies through your browser settings, although disabling some technologies may affect site functionality.
We use CookieYes to help present cookie choices, record consent preferences, and manage consent for cookies and similar technologies.
8. Analytics
We use privacy-focused analytics and first-party product metrics to understand how visitors use the site, which pages are most useful, how users move through the platform, and where technical or content improvements are needed.
This includes Vercel Web Analytics for aggregated website traffic and route-level performance insights, Google Analytics 4 when configured and analytics consent has been given through CookieYes and Google Consent Mode, and first-party product events stored in Supabase for account, subscription and content engagement metrics. Some service events, such as subscription or newsletter events, may also be recorded where needed to operate and improve the service. Search terms and History Explorer query metadata may be recorded where needed for consented analytics, product metrics, abuse prevention or feature reliability. We do not intentionally send payment card details, account passwords or sensitive account content to analytics providers.
9. Payments and subscriptions
If you purchase a subscription or other paid service, payment information is processed by Stripe rather than directly by us. Stripe may collect and process payment details, billing information, fraud prevention signals and transaction records needed to complete and manage the payment.
We may receive limited payment-related information, such as:
- billing status,
- subscription tier,
- renewal or cancellation status,
- partial card metadata such as card type or last four digits, if supplied,
- transaction identifiers,
- and payment failure or refund status.
We do not store full payment card numbers on Stories of History.
10. Third-party processors and service providers
We use trusted third-party processors and service providers to operate Stories of History. The main providers we currently use or may use for the platform are:
Supabase
Used for authentication, account records, profiles, saved progress, subscription state, admin records and database hosting.
Links: privacy policy · data processing addendum
Stripe
Used for checkout, subscriptions, billing status, payment references, refunds, payment reconciliation and tax or accounting records.
Links: privacy policy · service providers and sub-processors
Vercel
Used for website hosting, deployments, runtime infrastructure, security, logs, performance, availability, privacy-focused web analytics and related platform operations.
Links: privacy policy · data processing addendum · sub-processors and security information
CookieYes
Used for cookie consent management, cookie banner display, consent preference storage, and related consent records.
Links: privacy policy
Sentry
Used for error monitoring, diagnostics, performance monitoring, issue investigation and platform reliability.
Links: privacy policy · data processing addendum · sub-processors
Google Analytics
Used for website analytics, measurement, traffic reporting, and understanding how visitors use the site when analytics consent has been given through CookieYes and Google Consent Mode.
Links: privacy policy · data processing terms · Analytics data processing terms information
Resend
Used for transactional account emails, password reset messages, account notifications, weekly subscriber emails, delivery events and related email metadata.
Links: privacy policy · sub-processors · data processing addendum
OpenAI
Used for AI-assisted History Explorer functionality, including semantic matching, learning-route generation and related feature support. When used, we may send the topic query, relevant catalogue context and generated output to OpenAI through the API. Do not include sensitive personal information in History Explorer queries.
Links: enterprise privacy · data processing addendum · services agreement
We may also share personal data with other trusted third parties where necessary, including:
- customer support tools,
- professional advisers, where necessary,
- and regulators, law enforcement, courts or authorities where required by law.
We require service providers to process personal data only as permitted and with appropriate security and confidentiality protections.
11. International transfers
Some service providers may process personal data outside the UK. This can happen even where primary storage is in the UK or EEA, for example if provider support teams, affiliates or subprocessors access data from another country.
In practice, this means:
- providers that support account, hosting, analytics, email, consent, diagnostics and payment services may process data in the UK, EEA, United States or other countries where they or their subprocessors operate,
- payment providers may process customer and transaction information globally where needed to complete payments, prevent fraud, manage subscriptions, handle refunds and meet legal obligations,
- analytics and infrastructure providers may process technical, usage, performance and diagnostic data in the countries where their systems and support operations are located,
- consent and email providers may process consent records, email addresses, delivery metadata and related service information in the countries where their systems and subprocessors operate.
- AI service providers may process topic queries, catalogue context, generated route output and related API metadata in the countries where their systems and subprocessors operate.
Where personal data is transferred internationally, we use or rely on appropriate safeguards required by applicable law. These may include an adequacy decision, the UK International Data Transfer Addendum, standard contractual clauses, the UK Extension to the EU-US Data Privacy Framework, or another recognised lawful transfer mechanism.
You can find more information about each provider's privacy, data processing and transfer practices in the links listed in section 10.
12. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including to provide services, maintain records, resolve disputes, enforce agreements, and comply with legal obligations.
Retention periods may vary depending on the type of data. For example:
- account, profile and authentication data is generally retained while your account is active, then deleted, anonymised or reduced after account closure unless a limited record is needed for legal, security, billing, dispute or audit reasons,
- saved progress, journey progress, saved paths and related product feature records are generally retained while your account is active; core story and journey progress is removed when an account is closed, while limited product or audit records may be deleted, anonymised or retained where justified,
- History Explorer queries, saved route records, generated route results, topic requests and related request metadata are generally retained while your account is active, unless deleted, hidden, anonymised, aggregated or retained where justified for security, billing, dispute, abuse-prevention, legal or audit reasons,
- subscription, billing and transaction records, including Stripe references, may be retained for up to six years after the relevant financial year, last transaction or account closure where needed for tax, accounting, refund, dispute or legal compliance purposes,
- support enquiries and privacy-rights request records are generally retained for up to three years, and may be retained for up to six years where needed for billing, legal, fraud, security, dispute or audit matters,
- first-party product analytics events are generally retained for up to 24 months before deletion, aggregation or anonymisation unless a longer period is justified for security, dispute, billing, legal or audit purposes,
- weekly email consent, unsubscribe and suppression records are kept for as long as needed to evidence consent, honour unsubscribe choices and avoid sending further marketing emails,
- consent preferences are kept until the preference expires, is reset, or is replaced by a later preference, usually for up to 12 months depending on configuration,
- Google Analytics, Vercel Web Analytics, Sentry, Resend, OpenAI and provider platform logs are retained according to the settings and retention controls available in those provider accounts, with retention kept proportionate to the operational purpose,
- security and technical records are kept only as long as reasonably needed for abuse prevention, reliability, investigation or legal purposes.
Retention exceptions may apply where records are needed for legal hold, fraud or security investigation, unresolved billing disputes, tax or accounting requirements, or active user-rights requests.
13. Your rights
Depending on your circumstances, you may have the right to:
- be informed about how your personal data is used,
- request access to your personal data,
- request correction of inaccurate or incomplete personal data,
- request erasure of personal data in some circumstances,
- request restriction of processing in some circumstances,
- object to certain processing, including some processing based on legitimate interests and some direct marketing,
- request portability of certain personal data,
- withdraw consent where we rely on consent,
- and complain to the UK Information Commissioner’s Office.
These rights are not absolute and may be subject to conditions or exemptions under applicable law.
14. How to exercise your rights
To make a privacy-related request, please contact us using the details in this policy or through the contact page.
Email: support@storiesofhistory.co
We may need to verify your identity before responding to a request. We will aim to respond within the time required by law.
Privacy requests are handled through our support inbox. Please include enough detail for us to identify and review your request.
15. Complaints
If you have concerns about how we handle personal data, we would prefer to have the opportunity to address them first.
You also have the right to complain to the UK Information Commissioner’s Office if you believe your personal data has been handled unlawfully. You can find complaint information on the ICO website.
16. Children
Stories of History is an educational platform and may be read by a broad audience, but accounts, subscriptions, weekly emails and Premium features are not intended for children under 13. If you are under 13, please do not create an account, subscribe to emails, buy Premium or send personal data to us.
If you are under 18, please use the platform with permission from a parent or guardian, especially before creating an account, using interactive features or purchasing Premium.
If you believe a child has provided personal data to us unlawfully or without appropriate permission, please contact us so the matter can be reviewed and, where appropriate, the data can be deleted or restricted.
17. Security
We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, disclosure or alteration.
No internet transmission or storage system is guaranteed to be fully secure, so we cannot guarantee absolute security.
18. Third-party links and services
This site may contain links to third-party websites, products or services. Their privacy practices are governed by their own policies, not this one.
We are not responsible for the privacy practices of third-party services that are not controlled by us.
19. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to the platform, legal requirements, service providers or data processing practices.
The latest version will always be published on this page with the updated date shown at the top.
20. Contact us
If you have questions about this Privacy Policy or how Stories of History handles personal data, please contact us by email or through the contact page:
Stories of History
support@storiesofhistory.co
https://storiesofhistory.co
