GraveStory is a mobile app that photographs gravestones and generates compassionate biographical stories about the people buried there. This policy explains what data we collect, why we collect it, and how you can control it.
1. Information We Collect
Photos. When you scan a gravestone, the photo is uploaded to Cloudflare R2 (cloud storage) so the biography can be displayed on the community map to other users if you choose to make your story public. Photos are never used for advertising or sold to third parties.
Location data. With your permission, we read the GPS coordinates embedded in your photo (EXIF data) or your device’s current location to identify the cemetery. Coordinates are stored alongside the story so your stories appear on your personal cemetery map.
Account information. If you create an account, we store your email address and an optional display name via Supabase (our database provider). You may also sign in with Google, in which case Google shares your email address with us.
Story data. The biography text, gravestone inscription, name, dates, and cemetery location are stored in our database. Stories are private by default; you choose whether to share them publicly on the community map.
Scan and purchase records. We record how many gravestones you have scanned (to enforce free-tier limits) and how many scan credits you have purchased. Purchase records are written by our payment webhook and are never modifiable by clients.
Device identifier. On sign-up we generate an anonymous hardware fingerprint (a hash of device brand, model, and OS version) to deter abuse. This hash cannot be reversed to identify you personally.
2. How We Use Your Information
- To generate biographical stories via Google Gemini AI (your photo and gravestone text are sent to Google’s servers for processing).
- To search public genealogy and historical records (WikiTree, Wikidata, Wikipedia, Library of Congress Chronicling America, OpenStreetMap) to enrich the biography.
- To display your stories on your personal map and, if you opt in, on the community global map.
- To enforce free-tier scan limits and credit balances.
- To sync your stories across devices when you are signed in.
3. Third-Party Services
GraveStory relies on the following services, each governed by its own privacy policy:
- Google Gemini AI — photo and text processing (Google Privacy Policy)
- Supabase — database and authentication (Supabase Privacy Policy)
- Cloudflare R2 — photo storage (Cloudflare Privacy Policy)
- Tavily — web search for genealogy results
- WikiTree, Wikidata, Wikipedia — public genealogy and encyclopedia data
- Library of Congress (Chronicling America) — historic newspaper archive
- OpenStreetMap / Nominatim — cemetery geocoding and maps
- RevenueCat — in-app purchase management (RevenueCat Privacy Policy)
- Google (OAuth sign-in) — optional Google account sign-in
4. Public Stories and Community Map
If you mark a story as public, the biography text, gravestone photo, name, dates, and approximate GPS location become visible to all GraveStory users on the community map. Your display name (if set) appears as the contributor. You can make a story private or delete it at any time — it is removed from the community map immediately.
5. Accuracy and How We Guard Against Fabrication
GraveStory uses generative AI to write biographies, and we take the risk of AI “hallucination” — confidently invented facts — seriously. A fabricated life story about a real person who is buried somewhere is not acceptable to us. We have built multiple safeguards into the app specifically to keep the biographies grounded in evidence rather than in the AI’s imagination:
- Grounded only in real sources. The AI is instructed to write only from the gravestone itself and from numbered, externally retrieved sources — never from its own training memory. Its guiding rule is that “memory is not a source.” A short, honest biography is treated as a success; an invented one as a failure.
- No sources, no AI. When our research finds no supporting records at all, we do not ask the AI to write a biography. Instead the app returns a short summary drawn strictly from the words on the stone. This removes the most common path to fabrication entirely.
- Cross-source corroboration. Before writing, we cross-check names, dates, and burial places across independent sources (WikiTree, Wikidata, Find A Grave, BillionGraves, historic obituaries, the Library of Congress newspaper archive, and the Internet Archive). Agreement raises confidence; conflicts are flagged to the AI explicitly, and the date carved on the stone is preferred over conflicting records.
- Citations on every claim. Each factual statement in a biography must carry a numbered citation pointing back to the source that supports it. Our software validates these citations after generation, removes any orphaned or invented citation markers, and surfaces the underlying sources to you so you can check them yourself.
- Evidence-scaled length. The depth of a biography is capped by how much evidence actually exists. A single weak source yields only a paragraph or two; a fuller life history is permitted only when multiple independent sources agree. The AI is told not to pad a story with generic filler.
- “Same name” protection. When matching a person to historical records, we reject candidates whose dates differ significantly from the dates on the stone, so a stranger who merely shares a name is not mistaken for the person you photographed.
- Famous-figure guardrail. A biography is only allowed to draw on the wider public record of a well-known historical figure when the dates on the stone match that figure within a few years and an encyclopedia article confirming the same person is present in the cited sources. This prevents an ordinary person from being mistakenly given a famous namesake’s life story.
- Photo verification. Before any biography is attempted, the app first checks that the photo actually shows a gravestone, reducing nonsensical output from unrelated images.
No automated system is perfect, and we cannot guarantee that every detail is correct — historical records themselves contain errors, and weathered stones can be misread. We encourage you to treat the biographies as a respectful, source-cited starting point and to verify important details against the cited sources.
6. Data Retention
Your stories are retained until you delete them or delete your account. Deleted stories are soft-deleted (marked with a deletion timestamp) for up to 30 days to allow sync across devices, then permanently removed. Scan event records (used for usage limits) are retained for 12 months.
7. Your Rights
- Access & export — contact us to request a copy of your stored data.
- Deletion — delete individual stories from within the app. To delete your entire account and all associated data, open Settings → Delete Account in the app, or follow the instructions on our account & data deletion page (which also covers requesting deletion by email if you no longer have the app installed).
- Correction — update your display name in the app’s Settings screen at any time.
- Opt out of public sharing — set your default visibility to Private in Settings, or toggle individual stories to private.
8. Children
GraveStory is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
9. Security
All data is transmitted over HTTPS. Supabase Row Level Security policies ensure users can only read and write their own records. Purchased credit balances are write-protected at the database level — only our server-side webhook can add credits.
10. Changes to This Policy
We may update this policy from time to time. The effective date at the top of this page will reflect the most recent revision. Continued use of GraveStory after a change constitutes acceptance of the updated policy.
11. Contact
Questions, data requests, or account deletion: edmondsj46@gmail.com