Privacy Policy

Effective Date: January 18, 2026

Summary: Your stories are yours. We help you preserve them securely. We don't sell your data, we don't use it for advertising, and you can delete everything at any time.

1. Introduction

Welcome to OverBiscuits ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

2. Information We Collect

2.1 Information You Provide

Account Information: Email address, name, and authentication data (via Apple Sign-In or email registration)
Voice Recordings: Audio files you record when answering questions
Transcriptions: Text transcriptions of your voice recordings
Photos: Images you attach to your stories
Story Content: All answers, edits, and content you create
Preferences: Language settings, onboarding preferences, module progress

2.2 Automatically Collected Information

Device Information: Device type, operating system version, app version
Usage Data: Features used, time spent, errors encountered
Analytics: Crash reports, performance metrics (via Firebase)

2.3 Information We Do NOT Collect

We do NOT collect your location data
We do NOT access your contacts
We do NOT track you across other apps or websites
We do NOT collect health or financial data

3. How We Use Your Information

We use your information to:

Provide the Service: Store your stories, sync across devices, enable features
Process Audio: Transcribe your recordings using OpenAI's Whisper API
Generate Follow-Ups: Create relevant follow-up questions using Anthropic's Claude API
Text-to-Speech: Read questions aloud using OpenAI's TTS API
Improve the App: Fix bugs, improve performance, develop new features
Customer Support: Respond to your questions and help requests
Process Payments: Handle subscriptions via Apple's App Store

4. Data Storage and Security

4.1 Where Your Data is Stored

Firebase (Google Cloud): Your stories, transcriptions, and profile data
Firebase Storage: Your audio recordings and photos (encrypted)
Your Device: Local encrypted cache for offline access

4.2 Security Measures

Encryption at Rest: All audio files encrypted using AES encryption
Encryption in Transit: HTTPS/TLS for all data transmission
Certificate Pinning: Validates API connections to prevent interception
Firebase Security: Industry-standard cloud security by Google
Access Control: Only you can access your stories (via authentication)

5. Data Sharing and Third Parties

5.1 Third-Party Services

We use the following third-party services to provide our features:

Firebase (Google): Cloud storage, database, authentication
Privacy Policy: https://firebase.google.com/support/privacy
OpenAI: Speech-to-text transcription, text-to-speech
Privacy Policy: https://openai.com/privacy
Anthropic: AI-powered follow-up question generation
Privacy Policy: https://www.anthropic.com/privacy
Apple App Store: Payment processing and subscription management
Privacy Policy: https://www.apple.com/legal/privacy

5.2 What We Do NOT Do

❌ We do NOT sell your data to anyone
❌ We do NOT use your stories for advertising
❌ We do NOT share your data with data brokers
❌ We do NOT use your data for marketing without consent

6. Family Sharing

OverBiscuits includes features that allow you to share your stories with family members ("Listeners"). This section explains how data is shared within families.

6.1 How Family Sharing Works

Storytellers can invite family members to view their stories
Listeners can read stories, leave comments, and send story requests ("nudges")
Invitations are sent via email or shareable invite codes
Storytellers control who has access to their stories

6.2 Data Shared with Family Members

When you invite someone to your family, they can see:

Your display name and profile information
Your stories, transcriptions, and attached photos
Your progress through chapters (if enabled in settings)
Comments left by other family members

6.3 Listener Data

When someone joins your family as a Listener, we collect:

Their email address (for the invitation)
Their display name
Comments they leave on your stories
Story requests they send to you

6.4 Removing Family Members

Storytellers can remove Listeners at any time
Listeners can leave a family at any time
When removed, Listeners lose access to all stories immediately
Comments left by removed members may be retained or deleted at the Storyteller's discretion

7. Content About Others

Important: Your stories may naturally include information about other people—family members, friends, and others from your life. You are responsible for the content you share.

7.1 Personal Information in Stories

When you record your life story, you may include:

Names of family members, friends, colleagues
Dates of birth, marriage, or other life events
Places where people lived, worked, or visited
Photos containing identifiable individuals
Stories and anecdotes about others

7.2 Your Responsibilities

Consider whether others would be comfortable with what you share
Be thoughtful when sharing stories about living individuals
Obtain consent before sharing sensitive information about others
Be especially careful with information about minors

7.3 Voice Recordings

Your voice recordings are stored securely and used only to provide the service. In some jurisdictions, voice recordings may be considered biometric data. We:

Store voice data encrypted at rest
Process audio only for transcription purposes
Do not use voice data for identification or verification
Delete audio files when you delete your account

8. Your Rights and Choices

8.1 Access and Control

View Your Data: Access all your stories, recordings, and content in the app
Edit Your Data: Modify or delete any answer or recording
Export Your Data: Download your stories as PDF files
Delete Your Data: Use "Delete Account" in Settings to permanently remove all data

8.2 Your Legal Rights (GDPR, CCPA)

If you are in the EU, UK, or California, you have additional rights:

Right to Access: Request a copy of all your data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Portability: Receive your data in a machine-readable format
Right to Object: Object to processing of your data
Right to Restrict: Limit how we use your data

To exercise these rights, email us at privacy@overbiscuits.com

9. Data Retention

Active Accounts: We keep your data as long as your account is active
Deleted Accounts: Data deleted within 30 days of account deletion
Backups: Deleted data removed from backups within 90 days
Legal Requirements: We may retain data longer if required by law

10. Children's Privacy

OverBiscuits is intended for users aged 13 and older. We do not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

11. International Data Transfers

Your data may be stored and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including:

Standard Contractual Clauses (EU)
Privacy Shield frameworks (where applicable)
Adequate levels of data protection

12. Cookies and Tracking

Our mobile app does not use cookies. We use Firebase Analytics to understand app usage, which includes:

Session duration
Feature usage
Crash reports
Device information

You can opt out of analytics in iOS Settings > Privacy > Analytics & Improvements.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting a notice in the app
Sending an email to your registered address
Updating the "Effective Date" at the top of this policy

Your continued use of the app after changes constitutes acceptance of the updated policy.

14. California Privacy Rights (CCPA)

California residents have specific rights under the California Consumer Privacy Act (CCPA):

Information We Collect

Identifiers (name, email)
Audio recordings (your voice)
Internet activity (app usage)
Device information

How We Use It

Provide services
Improve the app
Customer support

We Do NOT Sell Your Personal Information

We have not sold personal information in the past 12 months and do not sell personal information.

Your CCPA Rights

Know what data we collect
Request deletion of your data
Opt out of data sales (not applicable - we don't sell)
Non-discrimination for exercising your rights

To exercise your rights, email privacy@overbiscuits.com

15. EU/UK Privacy Rights (GDPR)

If you are in the EU or UK, we process your data based on:

Contract: To provide the service you requested
Legitimate Interest: To improve our service and prevent fraud
Consent: For optional features like analytics

You have the right to lodge a complaint with your local data protection authority.

16. Security Incidents

In the unlikely event of a data breach that affects your personal information, we will:

Notify you within 72 hours (if required by law)
Describe the nature of the breach
Explain steps we're taking to address it
Provide guidance on how you can protect yourself

17. Do Not Track

Our app does not respond to Do Not Track signals because we don't track you across third-party websites. We only collect information necessary to provide our service.

Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

Remember: Your stories are precious. We're here to help you preserve them safely. If you ever have concerns about your privacy, don't hesitate to reach out.