This Privacy Policy explains what FictionFlux collects, why, who we share it with, how long we keep it, and the choices you have. It applies to the web app, the mobile apps, and our APIs.
Quick summary
- We collect the data needed to run a reading platform: your account, your reading activity, your purchases, and basic technical telemetry.
- We don't sell your personal information and we don't share it for cross-context behavioural advertising.
- You can delete your account at any time — no sign-in required to start the request.
Data we collect
You give us
- Account: email, display name / username, password (stored as a salted bcrypt hash — we never see your plaintext password).
- Profile: optional avatar and bio.
- Engagement: follows, comments, ratings, library entries.
- Support: the contents of any support ticket you open.
We generate as you use the service
- Reading activity: chapters opened, reading progress, view events. Used to power "continue reading" and recommendations.
- Wallet activity: coin balances, purchases, chapter unlocks, read/download licences.
- Technical: IP, user-agent, timestamps, session tokens, error logs. Used for security, abuse prevention, and debugging.
From third parties
- Payment processors: transaction ID, last four digits of your card, status codes. We never receive your full card number; that goes directly to Paystack / Apple / Google.
How we use it
- Provide the reading experience you signed up for.
- Process coin purchases, unlock chapters and licences, and run the wallet.
- Pay authors their royalties.
- Recommend stories you might like.
- Keep the service secure: detect fraud, enforce our Terms, respond to abuse and DMCA reports.
- Communicate with you: receipts, security alerts, replies to your support tickets, and (only if you opt in) marketing emails.
- Improve the product using aggregated, non-identifying analytics.
Legal bases (GDPR / NDPR readers)
- Contract: most account, billing, and content-delivery processing.
- Legitimate interests: security, fraud prevention, product improvement.
- Consent: optional analytics, marketing email, push notifications.
- Legal obligation: tax, accounting, lawful requests.
Who we share data with (sub-processors)
- Paystack — card processing on the web. They receive only the data needed to charge your card.
- Apple & Google — in-app billing on iOS / Android respectively.
- Email provider — to deliver receipts, password resets, deletion confirmations, and other transactional email.
- Cloud hosting — to operate the servers your data lives on.
- Sentry (when enabled) — to capture server-side error reports. We scrub request bodies and headers that might contain credentials.
Each sub-processor is under a written agreement that limits their use of your data to providing the service to us. We never sell your personal information.
How long we keep data
- Account profile: while your account is active; anonymised within 30 days of a deletion request.
- Reading progress, follows, library: deleted on account deletion.
- Comments and ratings: reassigned to "Deleted user" on account deletion (so threads don't collapse) but no longer linkable to you.
- Wallet and purchase records: retained for up to 7 years for tax, accounting, and audit obligations.
- Security logs: 90 days.
Your rights
- Access & portability: download a JSON copy of your data from Account → Export.
- Deletion: see Account Deletion. No sign-in is required to start the request.
- Reset (keep your account): signed-in users can clear their reading history, library, follows, comments, and ratings while keeping their account, coins, and purchases — from the same Account & data page.
- Correction: edit your profile, or contact us.
- Object / restrict: contact us at privacy@fictionflux.com.
- Complain: in the EU, to your local supervisory authority; in Nigeria, to the NDPB; in California, under CCPA.
Children
FictionFlux is not directed at children under 13 and we don't knowingly collect data from them. If we learn we have, we delete it. Some content is age-gated and requires confirmation of age; parents in California and the EEA have additional rights on behalf of minors — contact us at privacy@fictionflux.com.
Mobile apps (Google Play / App Store)
The mobile apps may request the following permissions:
- Internet — to talk to our API.
- Billing — for in-app coin purchases.
- Storage — to cache downloaded books you licensed.
- Notifications — only with your consent, for things like author-update alerts.
The Google Play data-safety form and the Apple App Store nutrition label reflect this policy verbatim.
International transfers
Our servers are operated from Nigeria, with sub-processors in the EU and the US. Where transfers leave your country, we rely on Standard Contractual Clauses or equivalent safeguards.
Security
Passwords are stored as bcrypt hashes. Sessions are JWT-based with revocation. We use HTTPS everywhere, rate-limit sensitive endpoints, and HMAC-sign cross-service traffic. We don't guarantee perfect security, but we work hard at it.
Changes to this policy
We'll announce material changes in-app at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Contact
Privacy questions: privacy@fictionflux.com. Account deletion: /account/delete.