storyyy

Privacy Policy

Version 1.0.0 · Effective 2026-06-12

Version 1.0.0 — Effective June 12, 2026

This Privacy Policy explains how Ross Frederick, an individual doing business as "Mother" ("Mother", "we", "us"), collects and uses information when you use the Mother suite: Storyboard (storyyy.app), Midnight, and SlideKit (the "Service"). One account covers all three products, so this policy covers all three.

The short version: we collect what we need to run a creative tool — your account, your content, and billing metadata. We don't run ad tracking, we don't sell your data, and we don't train AI models on your content.

Contact: support@motherrr.app

1. What we collect

  • Account information. Your email address and basic profile information, provided when you sign up with Google or with email authentication. Authentication is handled through Supabase.
  • Provider API keys (Studio tier, optional). If you connect your own AI-provider keys, they are stored AES-256-encrypted at rest. They are never displayed back in plaintext in any interface, and staff cannot read them in plaintext through any admin UI. They are used only to run the generation requests you make.
  • Your content. The prompts, images, video, audio, and other media you upload, and the material the Service generates for you. Media files are stored in our storage infrastructure (Cloudflare R2); project and metadata records are stored in our database (Supabase/Postgres).
  • Usage and billing metadata. Records of generations you run (model, credit cost, timestamps, status), your credit ledger, subscription tier, and payment status. We see billing metadata from Stripe but never your card number — card data goes directly to Stripe and never touches our servers.
  • Operational logs and error reports. Standard server logs (such as IP address and request metadata) and error reports used to keep the Service running.

What we don't do: no advertising trackers, no third-party ad pixels, no cross-site behavioral profiling.

2. How we use information

  • To provide the Service: authenticate you, store and display your work, run the generations you request, and sync in real time.
  • To bill you: manage subscriptions, grant and debit credits, and prevent payment fraud and credit abuse.
  • To operate and improve reliability: debugging, security, and abuse prevention.
  • To communicate with you: transactional email (receipts, important account or legal notices). We do not send marketing email without your consent.

3. Who processes your data (our processors)

We use a small set of service providers to run Mother. Each receives only what its role requires:

| Processor | Role | |-----------|------| | Vercel | Application hosting and serverless compute | | Supabase | Database, authentication, and realtime infrastructure | | Cloudflare | CDN and media storage (R2) | | Stripe | Payments and subscription billing — your card data is collected by and stored with Stripe and never touches our servers | | Resend | Transactional email delivery | | Sentry | Error monitoring — error reports may include account identifiers and request metadata | | AI providers | Model inference, described below |

AI providers. When you run a generation, we send the selected provider the prompt and the input media needed for that generation — nothing more. Depending on the model you choose, the generation is dispatched to one of these provider families:

  1. Google (Google AI Studio — Gemini, Imagen, Veo, Nano Banana models)
  2. fal.ai (inference platform hosting multiple model families)
  3. WaveSpeed AI (inference platform hosting multiple model families)
  4. Kuaishou (Kling models)
  5. Beeble AI (SwitchLight / SwitchX relighting)
  6. Black Forest Labs (FLUX models)
  7. Runway
  8. Luma AI
  9. ElevenLabs (voice, music, and sound)
  10. MiniMax (Hailuo models)
  11. Topaz Labs (upscaling)

Each provider processes that data under its own terms. On the Studio tier with your own keys connected, requests to that provider run under your direct relationship with the provider.

4. We do not sell your data

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We do not use your content to train AI models.

5. Retention and deletion

We keep your data for the life of your account. When you delete your account (or ask us to), we delete your personal data and content, allowing for a reasonable window for it to age out of routine backups. Billing records may be retained longer where tax or accounting law requires. To request deletion, use the in-app option or email support@motherrr.app.

6. Your rights

If you are in the EEA or UK (GDPR): you have the right to access, rectify, and erase your personal data; to restrict or object to processing; to data portability; to withdraw consent where processing is based on consent; and to lodge a complaint with your supervisory authority.

If you are a California resident (CCPA/CPRA): you have the right to know what personal information we collect and how it's used; to delete it; to correct it; to opt out of sale or sharing (we do not sell or share personal information as the CPRA defines those terms); and to not be discriminated against for exercising your rights.

To exercise any of these rights, email support@motherrr.app from the address on your account (or include enough information for us to verify it's you). We respond within the timeframes the applicable law requires.

7. Cookies

We set only strictly necessary cookies: the authentication/session cookies created by our auth system (Supabase) that keep you signed in. We do not set analytics, advertising, or cross-site tracking cookies. Because we use only strictly necessary cookies, no cookie consent banner is required.

8. International transfers

Mother is operated from the United States, and our processors store and process data primarily in the US. If you use the Service from outside the US, your data is transferred to and processed in the US, where privacy law may differ from your jurisdiction's.

9. Children

The Service is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect their data. If you believe a child has created an account, contact support@motherrr.app and we will delete it.

10. Security

We protect data with industry-standard measures: encryption in transit (TLS), encryption at rest for provider API keys (AES-256), row-level access controls in our database, and least-privilege access to production systems. No system is perfectly secure; if a breach affects your personal data, we will notify you as the law requires.

11. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify you by email or in-app notice before they take effect. The "effective" date at the top always reflects the current version.

Contact

Ross Frederick, d/b/a Mother support@motherrr.app