Privacy Policy

Effective date: 2 March 2026

Storymaps.io ("the Service") is operated by the project maintainer ("the Operator", "we", "us"), who acts as the data controller for the purposes of UK GDPR and the EU General Data Protection Regulation. This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

Map content: The story maps you create (including card text, names, tags, notes, and structure) are stored on our servers to enable real-time collaboration and persistence.

Presence data: When you view a map, your cursor position and device type (desktop or mobile) are shared with other viewers of the same map via WebSocket. This data is ephemeral and not stored.

Display name: On desktop, you are optionally prompted for a display name for collaboration. This name is stored in your browser's local storage, shared with other viewers via WebSocket, and recorded in the map's activity log. The activity log is stored on our servers as part of the map data. You can change or clear your name at any time by clicking it in the viewer badge. If you decline to provide a name, you appear as "guest".

Server logs: Standard web server logs may record IP addresses, request timestamps, and user agent strings. These logs are used for operational purposes and are not correlated to individual users or maps.

2. Data We Do Not Collect

• We do not require or collect email addresses or account information. Display names are optional and user-provided
• We do not use cookies for tracking or advertising
• We do not use third-party analytics services
• We do not sell, share, or transfer your data to third parties

3. Legal Basis for Processing

We process your data on the following legal bases under GDPR Article 6:

• Legitimate interests (Article 6(1)(f)) — storing and transmitting map data to provide the service you have chosen to use. Our legitimate interest is operating the service; this is balanced against the minimal personal data involved, since the service does not require accounts or personal information.
• Legitimate interests — server logging for security, abuse prevention, and operational stability.

4. Internal Access to Data

The Operator may access map content from time to time for the purposes of debugging, maintaining service quality, and improving the product. This access is limited to what is necessary and is carried out under the legitimate interests legal basis. Map content is not shared with third parties for these purposes.

5. Third-Party Import and Export Credentials

When you use import or export features (Jira, Asana, Phabricator, Linear), any API tokens, email addresses, or credentials you provide are transmitted to our server over HTTPS. Our server acts as a pass-through proxy, forwarding your request to the third-party service on your behalf to avoid browser CORS restrictions. Credentials are held in memory only for the duration of the request and are never logged, stored, or persisted on our servers.

6. Data Storage and International Transfers

Map data is stored on servers located in the United States (Google Cloud Platform). This means your data may be transferred outside the UK and European Economic Area. Google Cloud Platform operates under standard contractual clauses and appropriate safeguards for international data transfers. Data is not encrypted at rest. If you are working with sensitive information, consider using the export features to maintain your own copies.

7. Data Retention

Maps are retained as long as the service is operational. We may delete maps that have not been accessed for an extended period to manage storage. There is no automated data expiry at this time, but we reserve the right to introduce retention limits in the future with reasonable notice.

8. Your Rights

Under UK GDPR and EU GDPR, you have the right to:

• Access — request a copy of the data we hold about you
• Erasure — request deletion of your map data
• Portability — export your data in a structured format (available via the built-in JSON, YAML, and CSV export features)
• Object — object to processing of your data based on legitimate interests
• Lodge a complaint — you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority

To exercise these rights, contact us using the details in Section 11 below.

9. Data Deletion

There is currently no self-service deletion feature. If you need map data deleted, contact us by email at [email protected] with the map ID. You may also open an issue on GitHub if you prefer.

10. Children's Privacy

Storymaps.io is not directed at children under 16. We do not knowingly collect data from children.

11. Contact

For privacy-related questions or to exercise your data rights, contact us by email at [email protected] or via the GitHub issue tracker.

12. Changes to This Policy

We may update this policy from time to time. Changes will be reflected by updating the effective date at the top of this page.