Privacy Policy - HSKStory

1. Who We Are

HSKStory is an online Chinese graded reading platform. Questions about this policy? Email anthony@hskstory.com.

2. What We Collect

Information you provide

Account: Email address and optional display name (we use passwordless magic link auth — no password is ever stored)
Purchases: Subscription status, entitlement source, and purchase history needed to unlock paid features and support billing issues

Collected automatically

Reading activity: Stories read, chapter progress, vocabulary saved, and flashcard reviews
Notifications: Device push tokens if you opt in to mobile reminders
Diagnostics: Error reports, crash logs, device/app version, and request context used to fix bugs
Infrastructure logs: Our hosting provider (Cloudflare) and web server log IP addresses and request metadata as part of normal operations. We do not store this data in our application.

3. How We Use It

Run the service: Deliver stories, audio, and manage your account
Explorer limits: Track your story count
Process payments: Via Paddle (our payment processor)
Support: Respond to questions and resolve issues
Improve: Analyze usage patterns to improve content and features

We do not sell your personal data to third parties.

4. Third-Party Services

Paddle — Payments

Paddle acts as merchant of record. They process all payments, handle global tax compliance, and issue receipts. We never store or see your card details. Paddle Privacy Policy

RevenueCat — Mobile Purchases & Entitlements

RevenueCat helps us connect App Store, Google Play, and web subscription entitlements to your HSKStory account. They receive account identifiers and purchase status needed to manage access.

Apple App Store and Google Play — In-App Purchases

Apple and Google process mobile in-app purchases, receipts, renewals, refunds, and related billing events. We never receive your full payment card details from them.

Resend — Email

We use Resend to send sign-in links and transactional emails. They receive your email address for delivery purposes only.

Firebase Cloud Messaging — Push Notifications

If you enable mobile reminders, Firebase Cloud Messaging receives a device push token so we can deliver notifications. Push reminders are opt-in.

Cloudflare — Hosting & Audio

Cloudflare proxies our web traffic and serves audio files. They process request data (IP address, headers) as part of normal CDN operations.

Sentry — Error Monitoring

When an error occurs, we send diagnostic data to Sentry to fix bugs. For signed-in users, this may include your user ID and email to help us identify and resolve the issue.

PostHog — Product Analytics

When analytics are enabled, PostHog helps us understand aggregate product usage and improve HSKStory. We configure PostHog without advertising cookies or cross-site tracking.

5. Data Storage & Security

Your data is stored on secure servers. We use passwordless authentication — no password is ever stored or transmitted. Account deletion has a 30-day grace period so you can cancel an accidental request by signing back in. After deletion, we remove account data unless a limited billing, security, tax, fraud-prevention, or legal-retention reason requires keeping a record.

6. Your Rights (GDPR)

You have the right to access, correct, delete, or export your data, and to opt out of marketing. Email anthony@hskstory.com to exercise any of these rights.

7. Cookies

We don't use advertising or tracking cookies. We use essential cookies for login and reader preferences (text size, font, voice). That's it.

8. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal data from children under 13.

9. Data Breaches

In the event of a data breach affecting your personal data, we will notify you within 72 hours.

10. Policy Changes

We will notify you of material changes to this policy via email before they take effect.