Quick Summary
I made this as a hobby project. It is available free of charge and does not contain advertising. It comes with no warranty and I may choose to shut it down at any time.
Stories are private. Access is restricted to the person that first created the story, plus anyone they invite. Anyone who gets an invite URL for a story can access that story, so be careful how you share it.
Card Story does not have a sign-up or registration system, and does not collect any names or contact details.
A cookie is used for access control, and is necessary for the functioning of the site. By default this is a temporary cookie. If you enable the "Remember me" option, then a persistent cookie is set.
Story text is kept for up to 1 month. If you write something you want to keep, please use the Download button to save a copy.
Connection metadata is kept for up to 2 weeks.
Aggregate statistical usage data (which does not include any story content) may be kept indefinitely.
I may access and read story text in order to debug problems with Card Story, or to identify attempted technical attacks or abuse.
I will not sell, publish or otherwise make public any story content without explicit permission.
Preface
This website is just something I'm making in my free time, and providing for others to play with for free. It is not a paid service, and I have limited time to work on it. I am just one individual. I have done my best to make the text of this document clear, but I am not a legal professional, so this text is written for laymen, by a layman. Please read it with that in mind.
General
Card Story is provided with no guarantee or warranty for any particular purpose.
Card Story is a toy or game. It is intended for small groups of people who already know each other to have fun making up short fictional stories together. It is an improvisation game. It is not intended for serious works of authorship, nor is it intended as a storage system or communication tool. The content of each individual story is written by the players and I do not control it. Even within the limitations of its nature as a toy, I cannot provide any guarantee or warranty that it will work as I intend, or that your experience will be in any way good.
I have limited time and resources to make and maintain Card Story, so despite my best intentions there may be broken, missing, or misleading functionality. The content of your story may be irrecoverably lost at any time including during play, and the system may delay or fail to transmit data between players. I will not be held liable for any inconvenience, hurt, or damages that arise from the use of this website.
I may at my sole discretion choose to terminate (that is, shut down) the website, or to ban any individual or group from accessing the website. I may do this at any time, including while you're right in the middle of playing.
I recommend: Treat Card Story as a toy. Do not use it for anything that requires reliability. Do not assume that if it works today it will work tomorrow.
Safety
The content of a Card Story story is created by the players. Content may be vulgar or otherwise inappropriate or offensive, depending on who you play with. Card Story does not apply content filtering or moderation, apart from some technical restrictions to prevent some forms of technical attack. I make no representation as to the psychological safety of the content you may be exposed to while playing the game.
I recommend: Only play with people you already know!
Security
I have tried to design and implement Card Story to restrict access for each story to people who have been invited to participate. When you create a story, access to that story is restricted to you (technically, to your web browser on your computer, or even more technically to whoever has the cookie that grants access to the story). You can click the 'Invite Someone' button at the top right corner of the story page to get a link that grants access to the story. Anyone with this invite link will be able to access the story. Security—in the sense of controlling who can view or participate in a particular story—relies on keeping invite URLs private.
This is intended to avoid needing any sign-up or registration system. It also avoids any need for Card Story to collect or store email addresses, phone numbers or other strongly identifying information. Hopefully it is also reasonably easy to use, since many people are familiar with sending and receiving links. It does require some care on the part of players: Don't post invite URLs publicly or share them with people you don't want to play with!
There is currently no mechanism to ban, block or otherwise remove anyone from a story once they have access. I may implement such an option in the future. For now, the only recourse is to abandon that story.
I recommend: When you create a story, send invite links directly to the people you want to play with, using your preferred private messaging system, and remind them not to share the URL with anyone else.
Despite my best efforts, security of internet connected systems is a difficult thing to get right, and it is possible that flaws in the design or implementation of Card Story could result in security breaches. Please protect yourself by avoiding entering any personal or sensitive information on this website.
Use of cookies
Card Story uses a cookie to give your web browser a unique identifier that is then used to authenticate subsequent accesses to the stories you have created or been invited to participate in. This cookie is needed for the functioning of the website, so that access to each story can be restricted to only the creator and the people they invite. By default this is a session cookie, which your browser will delete when you close all your browser windows. If you switch on the 'Remember Me' option—which is shown whenever you open a story—then a persistent cookie is used. Cookies are only set on parts of the website that require them. For example, this page about privacy does not set any cookies.
Privacy and Data Retention
Story content: All text entered in Card Story is sent to the server, and copied to all other players who are connected to that story. This includes text which you enter and then delete. Text sent to the server is stored for up to 1 month from when the story is started.
Metadata about client connections, including the source IP address of any connections received, and technical information about your web browser, may be stored by the server for up to 2 weeks. This information will not be published or otherwise shared. It is collected for use in debugging and identifying technical attacks or other technical abuse.
Statistical data about the usage of Card Story may be kept by me indefinitely, and I may choose to publish subsets or summaries of it publicly. This does not include any story content (any text entered by players) or any personally identifiable information, but may include, for example: how many stories have been written, distribution of player count across stories, how many cards do stories have, how many words have been written in Card Story, what times of day are most popular for playing, how many people are playing on mobile compared to desktop/laptop, and many other aggregate statistical summaries. This is collected so that I can get feedback on how people are using Card Story, and see if that changes over time.
I recommend: Do not write anything that you consider sensitive or private.
I may: Make temporary copies (stored for up to 2 weeks) of any story data or metadata, for data backup or for testing and system maintenance purposes.
I may: Access and read any story text myself, for the purpose of debugging system problems or identifying attempted technical attacks or abuse.
I will not: Sell, publish or otherwise share any story content except as needed for the functionality of the website, unless I have explicit confirmation that the authors of that content are happy for me to do so. (Card Story functionality: any entered text is stored on the server, and is copied to all other players connected to that story)
I will not: Retain any entered text for more than 1 month from when it was received by the server, unless I have explicit consent from the authors of that content.
The above represents my intentions, and I may deviate from the above if legal obligations require it, or in other situations that I cannot reasonably plan for.