Scope and responsible parties
The responsible party is:
Fictionic UG (haftungsbeschränkt)
Werinherstraße 3, 81541 Munich
phone: +49 89 23068739
Managing Director: Darja Vojenina
Court of registration: Munich
Registration number: HRB 260171
(hereinafter "we", "us" or "Fictionic")
Basic information on data processing
Types of data processed:
Inventory data (e.g., names, addresses).
Contact data (e.g., e-mail, telephone numbers).
Content data (e.g., text entries, queries, messages).
Contract data (e.g., subject matter of contract, term, customer category).
Payment data (e.g., bank details, payment history).
Usage data (e.g., websites visited, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Processing of special categories of data (Art. 9 para. 1 GDPR):
No special categories of data are processed.
Categories of data subjects:
Customers, prospective customers, business partners, visitors and users of the online offer.
Purpose of processing:
Provision of the online offer, its contents.
Provision of contractual services, service and customer care.
Answering contact requests and communication with users.
Marketing, advertising and market research.
Processing of personal data
The use of your data is governed by the applicable legal provisions, in particular the General Data Protection Regulation (hereinafter: GDPR).
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and covers virtually any handling of data.
"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Relevant legal basis
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input, disclosure, ensuring availability and segregation of the data. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise.
Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Disclosure and transmission of data
If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) (b) GDPR), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, hosting providers, tax, business and legal advisors, customer care, accounting, billing and similar services that allow us to efficiently and effectively fulfil our contractual obligations, administrative tasks and duties). If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
Disclosure of personal data to authorities
We reserve the right, in the event of a legal obligation, to disclose information about you if we are required to do so by lawful authorities or law enforcement bodies. The legal basis for the processing is Art. 6 (1) c) GDPR in conjunction with Section 24 BDSG-neu.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this is done in the context of using third-party services or disclosing or transferring data to third parties, this is only done to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or allow the processing of data in a third country if the special requirements of Art. 44 ff. GDPR are met. This means, for example, that processing takes place on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").
Deletion of data
According to legal requirements, data is stored for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).
Your rights as a data subject
Withdrawal of your consent - As a data subject, you have the right to withdraw your consent once given to Storyways at any time in accordance with Art. 7 (3) of the GDPR. This means that we may no longer process your personal data. After revocation of consent, processing that was lawful in the past remains lawful.
Objection - Insofar as your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, if there are reasons for doing so which arise from your particular situation. This is the case if the processing is not necessary, in particular, for the performance of a contract with you, which is shown in each case in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done.
In the event of your justified objection, we will review the merits of the case and either cease processing the data, amend it or show you our compelling legitimate grounds for continuing to process it.
You can lodge your objection by post or by sending a simple e-mail. Of course, you can also object to the processing of your personal data for the purposes of advertising and data analysis at any time. We will also inform you of how you can object at the time of use.
Information - In accordance with Art. 15 of the GDPR, you can obtain information about your personal data processed by Storyways free of charge upon request. The information will inform you about:
the purposes of processing,
the category of personal data,
the categories of recipients to whom the data has been or will be disclosed,
the intended storage period,
the existence of a right to rectification, erasure, restriction of processing or objection,
the existence of a right of appeal,
the origin of your data, if it has not been collected by us,
any existing automated decision-making including profiling.
Correction - In accordance with Article 16 of the GDPR, you can request correction if we store your personal data incorrectly or incompletely.
Erasure - Pursuant to Art. 17 GDPR, you may request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the assertion, exercise or defence of legal claims.
Restriction - Pursuant to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing pursuant to Art. 21 GDPR.
Data portability - In accordance with Art. 20 GDPR, you will receive your personal data that you have provided to us in a structured, common and machine-readable format. You may request their transfer to another controller, provided that this is technically possible for us.
Complaint - You are entitled to complain to a supervisory authority under Article 77 of the GDPR if you consider that the processing of your personal data infringes the GDPR. As a rule, you can contact the supervisory authority at your usual place of residence, place of work or the place of an alleged breach.
The supervisory authority
The Bavarian Data Protection Commissioner in Munich is the supervisory authority responsible for us in matters of data protection. You have the right to contact the data protection officer with a complaint at any time (www.datenschutz-bayern.de). However, we would appreciate it if you could address your concerns to the data protection officer before contacting him.
Automatic collection of access data/server log files
We automatically collect a number of technical data, which are personal data, each time the website is accessed.
IP address of the user
Name of the accessed website or file
Date and time of access
Amount of data transferred
Message about successful retrieval
Browser type and version
Operating system of the user
End device used by the user
Referrer URL (the previously visited page)
The server log files with the above data are automatically deleted after seven days at the latest. We reserve the right to store the server log files for a longer period of time if there are facts that suggest unauthorised access (such as a hacking attempt or a so-called DDoS attack).
The personal data in log files are processed on the basis of Art. 6 para. 1 lit. f GDPR. This authorisation permits the processing of personal data within the scope of the "legitimate interest" of the controller, insofar as your fundamental rights, freedoms or interests do not prevail. Our legitimate interest is to facilitate administration and the ability to detect and prosecute hacking. You can object to this data processing at any time if there are reasons that restrict your rights to a particular extent or if there is a particular interest in preventing the data processing.
In addition to the data mentioned above, cookies are stored on your device when you use our website. Cookies are small text files that are stored by the browser you are using and through which certain information can flow to the entity that sets the cookie. Cookies cannot run programs or deliver viruses to your device.
This website uses transient cookies and persistent cookies, the scope and functionality of which are explained below: Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various queries of your browser can be assigned to the common session. This allows your device to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
Persistent cookies are automatically deleted after a set period of time, which may vary depending on the cookie. You can also delete the cookies at any time in the security settings of your browser. You can determine the acceptance of cookies and other technologies that are not necessary for the operation and function of the website via the cookie banner displayed when the page is called up.
If users do not want cookies to be stored on their device, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Please note that in this case not all functions of our online offer can be used.
Business analyses and market research
In order to run our business economically and to be able to recognise market trends and customer and user wishes, we analyse the data we have on business transactions, contracts, queries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Art. 6 para. 1 lit. f GDPR, whereby the data subjects include customers, interested parties, business partners, visitors and users of the online offer. The analyses are carried out for the purpose of business management evaluations, marketing and market research. In doing so, we may take into account the profiles of registered users with details of, for example, their purchase transactions. The analyses serve us to increase user-friendliness, to optimise our offer and to improve business management. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarised values.
If these analyses or profiles are personal, they are deleted or anonymised when the user terminates the contract, otherwise after two years from the conclusion of the contract. In all other respects, the overall business analyses and general trend analyses are prepared anonymously wherever possible.
Storyways regularly sends out newsletters and uses the so-called double opt-in procedure for registration. This means that after registering for newsletters, you also have to confirm. You will receive a confirmation e-mail with a link contained therein. Only then will you receive the newsletter. In doing so, we process your e-mail address for sending and for proof of consent. The legal basis for the processing is Art. 6 para. 1 a) GDPR. You can revoke this consent at any time. If you no longer wish to receive the newsletter, you can also unsubscribe at any time using the unsubscribe link included. Data will be stored for up to four years after you have unsubscribed.
Storyways uses the services of rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg, Germany for sending e-mails by way of order processing. With rapidmail, the sending of e-mails can be organised and analysed. If you enter data such as your e-mail address for the purpose of receiving newsletters, this will also be stored on servers of rapidmail. Order processing and the EU standard contractual clauses have been agreed with rapidmail. With rapidmail, we can analyse our email campaigns. When you open an email sent with rapidmail, a file contained in the email (so-called web-beacon) connects to the servers of rapidmail in Germany. In this way, it can generally be determined whether a message has been opened and which links, if any, have been clicked on. You can find more information on the data protection of rapidmail here: https://www.rapidmail.de/datenschutz
Order processing and customer account
When you order a book or other product in the app, we may collect the following data from you to process the desired order:
iOS or Google user ID
Device IP and device serial number to link the story history to the device.
You may also be asked to enter a range of personal data as part of the account creation process. We store this data to save you from having to enter this data in the future when you place new orders. You can always view, change and delete the data in your user account. The legal basis for this is Art. 6 para. 1 lit. b GDPR.
We record your purchase data in our accounting software and the pseudonymised purchase data in a so-called data warehouse database. The purpose is to fulfil legal requirements and to control the company. The legal basis for this is Art. 6 para. 1 lit. f GDPR. In addition, in the case of accounting, Art. 6 para. 1 lit. c GDPR. Insofar as the data processing is based on Art. 6 Para. 1 lit. f GDPR, our legitimate interest lies in controlling and ensuring the profitability of our online offer.
Contacting us and customer service
When contacting us (via contact form or e-mail), the user's details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b) GDPR.
We delete the queries if they are no longer necessary. We review the necessity every two years; we store queries from customers who have a customer account permanently and refer to the customer account details for deletion. Furthermore, the legal archiving obligations apply.
Content Management System
Storyways uses the Content Management System (CMS) of Storyblok GmbH, Peter-Behrens-Platz 2, 4020 Linz, Austria. In Storyblok, users of our online offer maintain the created and edited texts. This means that all content submitted to us by users for publication is transferred. In addition to texts, this also includes, for example, ratings, extensions and comments from other users. Storyblok is used to record and maintain the online offer via the Storyblok CMS. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR. You can find out more about Storyblok GmbH's data protection measures at https://www.storyblok.com/privacy-policy.
To enable push notifications to be sent, a "Firebase Cloud Messaging Registration Token" is created when the app is first launched, which uniquely identifies the app installation on your device. The token is used to recognise the message destination.
By agreeing to receive push notifications when you first start the app, you consent to the registration token being stored on our servers and used for sending. The settings on which topics you want to receive messages are stored in connection with the anonymised token and kept until revoked.
Online presences in social media
On the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR, we maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
Communication via post, e-mail or telephone
We use remote means of communication, such as post, telephone or e-mail, for business processing and marketing purposes. In doing so, we process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.
The processing is based on Art. 6 para. 1 lit. a, Art. 7 GDPR, Art. 6 para. 1 lit. f GDPR in connection with legal requirements for promotional communications. Contact is only made with the consent of the contact partners or within the scope of legal permissions and the processed data is deleted as soon as it is no longer required and otherwise with objection/revocation or discontinuation of the authorisation basis or legal archiving obligations.
Integration of third-party services and content
Within our online offer, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f GDPR), we use content or service offers from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content"). This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as being linked to such information from other sources.
Hosting and Content Delivery Networks (CDN)
Our online offer is hosted by external service providers (DigitalOcean, LLC, 101 Avenue of the Americas 10th Floor New York, NY 10013 United States) and (Netlify, Inc., located at 2325 3rd Street, Suite 296, San Francisco, California 94107). The personal data collected on our website is stored on the servers of DigitalOcean and Netlify. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other generated data.
DigitalOcean and Netlify are used for the purpose of fulfilling contracts with our potential and existing visitors and users and in the interest of providing our online service securely, quickly and efficiently by a professional provider.
DigitalOcean and Netlify will only process your data to the extent necessary to fulfil their performance obligations and will comply with our instructions regarding such data. For more information about DigitalOcean, please visit https://www.digitalocean.com/legal/privacy-policy/ and Netlify https://www.netlify.com/gdpr-ccpa.