OpenFiction

Privacy Policy

Last updated: 9 March 2026

Who we are

OpenFiction is operated from the United Kingdom. For the purposes of UK data protection law (UK GDPR), we are the data controller for the personal information described in this policy.

What we collect and why

When you create an account, we store your email address and display name. These are used to identify you on the site and to send account-related notifications.

When you use the site, we also collect:

  • Reading profile data - which books you mark as read or currently reading, used to power spoiler filtering
  • Contributions - any content you add or edit (character data, appearances, etc.)
  • Content requests and votes - requests you submit and votes you cast
  • Search queries - anonymised search terms to help us understand what content to add (not linked to your account)

Lawful basis for processing

Under UK GDPR, we process your personal data on the following bases:

  • Contract - processing your account data is necessary to provide you with the service you signed up for
  • Legitimate interests - we use anonymised search data to improve the site, and moderation data to keep the community safe
  • Consent - you can choose to enable or disable in-app notifications at any time from your profile settings

How we use your data

  • To provide and improve the service (displaying your reading profile, filtering spoilers, tracking contributions)
  • To send you notifications about your content requests, contributions, and account activity
  • To maintain the quality of the site (moderation, abuse prevention)

We do not sell your personal data to third parties. We do not use your data for advertising or marketing purposes.

Authentication

We use Firebase Authentication (provided by Google) to manage sign-in. Your password is handled entirely by Firebase and is never stored on our servers. Please refer to Firebase's privacy documentation for details on how they handle authentication data.

Data storage

Your data is stored and processed by the following third-party providers:

  • Turso - database hosting (stores your account data, contributions, and reading profile)
  • Netlify - site hosting and serverless functions
  • Cloudflare - content delivery network and DDoS protection
  • Resend - transactional email (password reset and account notification emails)
  • Firebase Authentication (Google) - sign-in and identity management

We choose providers with strong security practices and appropriate data protection measures.

Cookies and local storage

We use essential cookies only - specifically a session cookie to keep you signed in. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

We use local storage (persists between visits) to remember your preferences:

  • Sidebar layout preference (expanded or collapsed)
  • Recent search history (stored locally, never sent to our servers)
  • Whether you've dismissed onboarding messages

We use session storage (cleared when you close your browser tab) to remember which spoiler sections you've revealed during your visit.

None of this data is sent to our servers or shared with third parties. You can clear it at any time through your browser settings.

Your rights under UK GDPR

You have the right to:

  • Access your data - your reading profile, contributions, and requests are all visible in your dashboard. You can also download a full copy of your personal data from your profile settings
  • Data portability - export your data as a machine-readable JSON file from your profile settings
  • Rectify your data - change your display name and notification preferences from your profile settings
  • Erase your data - delete your account from your profile settings. This schedules your account for permanent deletion after a 30-day cooling-off period, during which you can change your mind
  • Withdraw consent - turn off notifications at any time from your profile settings
  • Object to processing - contact us if you have concerns about how we use your data

When your account is deleted, your personal data (email, display name, reading profile) is permanently removed. Contributions you made to character data remain on the site but are no longer linked to your account - this is necessary to maintain the integrity of the community database.

Data retention

We keep your personal data for as long as you have an active account. If you delete your account, your personal data is permanently removed after a 30-day grace period.

Anonymised data (such as search queries and aggregated statistics) is retained indefinitely as it cannot be linked back to you.

International transfers

Your data may be processed outside the UK by our service providers (Firebase, Turso, Netlify). Where this happens, we rely on providers that maintain appropriate safeguards for international data transfers as required by UK GDPR.

Data breaches

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by UK GDPR Article 34
  • Provide clear information about the nature of the breach, the data affected, and the steps we are taking to address it

Children

OpenFiction is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will remove it.

Changes to this policy

We may update this policy from time to time. Significant changes will be communicated via the site. The "last updated" date at the top of this page reflects the most recent revision.

Questions?

If you have questions about how we handle your data, visit our Help & Support page.