Last updated: May 2026. This page explains what personal data Barakah Stories (“we”, “us”) collects, why we collect it, and the rights you have.
1. Who is the data controller
The data controller for Barakah Stories is Barakah Stories (address on file with the operating entity). For privacy questions you can reach us at privacy@barakahstories.com or our Data Protection contact at dpo@barakahstories.com.
2. What we collect
- Account data: your email address (used to send sign-in links), display name if you set one, and an age range (not your exact age) used to keep the experience family-safe.
- Usage data: which stories you open, listen to, save, favorite, complete, and rate, with timestamps. This is what powers “Continue listening”, your personal library, and our trending feeds.
- Billing data: if you subscribe to Premium, our payment processor (Stripe) records the customer and subscription IDs and standard billing details. We do not see or store your full card number.
- Technical data: minimal request logs (IP, user agent, status code) and crash/error reports needed to keep the service reliable.
- Cookies: we set a strictly necessary session cookie when you sign in. We do not use cookies for advertising and we do not run third-party analytics trackers.
3. Why we use your data and on what legal basis
Under the EU General Data Protection Regulation (GDPR), we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to create your account, deliver the stories, manage your free credits and your subscription, and provide customer support.
- Legitimate interests (Art. 6(1)(f)) — to keep the platform secure, prevent abuse, debug errors, and improve the product based on aggregated, non-identifying usage signals. You can object to this use at any time.
- Legal obligation (Art. 6(1)(c)) — for example, keeping the invoices our payment processor generates for the period required by tax law.
- Consent (Art. 6(1)(a)) — where we explicitly ask for it, for example to send optional product newsletters. You can withdraw consent at any time.
4. Who we share data with (subprocessors)
We deliberately keep the list of services that touch your data short. Each one is bound by a written agreement and processes data only on our instructions:
- Vercel — application hosting and request logs.
- Neon — managed PostgreSQL database (EU region by default). Stores your account, interactions, and billing identifiers.
- Cloudflare R2 — object storage for cover art, audio, and caption files. Stores no personal account data.
- Stripe — payment processing and subscription management for Premium plans.
- Enginemailer — transactional email delivery (sign-in links, account notifications).
- Sentry — error monitoring. We strip emails, tokens, and similar identifiers from reports before they leave our servers.
We do not sell or rent personal data, and we do not share it with advertisers.
5. International transfers
Some of our subprocessors (notably Stripe and Cloudflare) operate globally. Where personal data leaves the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses and supplementary measures (encryption in transit and at rest) to keep the level of protection equivalent to that in the European Union.
6. How long we keep data
- Account & activity: while your account is active and for up to 12 months after you delete it, in case of accidental deletion or fraud investigation.
- Billing records: retained as long as required by applicable tax/accounting law (typically up to 10 years).
- Logs & error reports: typically 30–90 days, then automatically deleted or anonymized.
7. Your rights
If you are in the EU/EEA or UK, the GDPR gives you the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the “right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw any consent you previously gave, without affecting the lawfulness of processing before that withdrawal;
- lodge a complaint with your local data protection authority.
You can exercise most rights yourself from your account page (delete account, update details, manage subscription). For anything else, email privacy@barakahstories.com and we will respond within 30 days.
8. Children and families
Barakah Stories is designed for families to enjoy together. We do not knowingly create accounts for children under the digital age of consent in their country (commonly 13–16 in the EU). Parents and guardians manage the account and any subscription on behalf of their household.
9. Security
We use TLS for all traffic, at-rest encryption on our database and object storage, scoped least-privilege credentials for our subprocessors, and rate limiting on sensitive endpoints. No online service is perfectly secure, so we encourage you to use a unique sign-in email.
10. Changes to this policy
If we change this policy in a way that materially affects you, we will notify you by email or in the app before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.
11. Contact
Questions, requests, or complaints? Write to privacy@barakahstories.com.
This document is provided as a starting point and should be reviewed by qualified counsel before launch in any new jurisdiction.