1. Preamble & acceptance
This Data Processing Addendum (the “DPA”) forms part of, and is incorporated into, the WebStory Terms of Service (the “Terms”) between you (the “Customer”) and Torge Stehr and Callum Thomas, doing business jointly as “WebStory” (the “Processor,” “we,” “us”).
This DPA governs our processing of Personal Data about End Viewers on your behalf when you use the Service to publish Stories. By creating an account or otherwise using the Service, you accept this DPA. If your organization requires a counter-signed copy, email hello@webstory.app and we will arrange one.
2. Definitions
Capitalized terms not defined here have the meaning given in the Terms or the Privacy Policy.
- Applicable Data Protection Laws — the EU GDPR, the UK GDPR, the Swiss FADP, the California CCPA/CPRA, Quebec’s Law 25, the Australian Privacy Act, Canadian PIPEDA, and any other privacy law that applies to a processing activity under this DPA.
- Personal Data — personal information about End Viewers that we process on your behalf, as described in Annex I.
- Sub-processor — a third party we engage to process Personal Data on your behalf.
- EU SCCs — the Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914.
- UK Addendum — the UK International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
3. Roles & scope
You are the controller of End-Viewer Personal Data. We are your processor. The processing operations, categories of data, retention, and other particulars are set out in Annex I.
This DPA covers Personal Data about End Viewers only. For account-level personal data (your own credentials, billing, support correspondence), we are the controller and our handling is governed by the Privacy Policy.
4. Customer instructions
We will process Personal Data only on your documented instructions. Your documented instructions consist of:
- the Terms and this DPA;
- your dashboard configuration (form fields, integration toggles, cookie banner settings, custom domains, and the like); and
- your written requests to us via hello@webstory.app.
We will tell you if we believe an instruction violates Applicable Data Protection Laws.
5. Confidentiality
We ensure that personnel authorized to process Personal Data are bound by appropriate written confidentiality obligations.
6. Security measures
We implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Annex II. We may update measures over time provided the level of protection is not materially reduced.
7. Sub-processors
Authorization. You authorize us to engage Sub-processors to assist in providing the Service. Our current Sub-processors are listed at getwebstory.com/subprocessors (incorporated as Annex III).
Notice. We will notify Customers via email at least 30 days before adding or replacing a Sub-processor that handles Personal Data.
Objection. You may object to a new Sub-processor by replying to that notice within 30 days. If we cannot reasonably accommodate your objection, you may terminate the affected portion of the Service as your sole remedy.
Sub-processor obligations. Each Sub-processor is bound by written terms imposing data-protection obligations at least as protective as this DPA.
Liability. We remain liable for the acts and omissions of our Sub-processors with respect to Personal Data to the same extent we are liable for our own acts.
8. Data subject rights
Where reasonably possible, we will help you respond to End Viewer requests to exercise rights under Applicable Data Protection Laws (access, rectification, deletion, portability, restriction, objection, and similar). If we receive a request directly from an End Viewer, we will route it to you without undue delay.
9. Personal Data Breach notification
We will notify you of a Personal Data Breach affecting your End Viewers’ Personal Data without undue delay after becoming aware of it, and in any event within 72 hours where reasonably possible. Our notice will describe (a) the nature of the breach, (b) the categories and approximate number of records affected, (c) the likely consequences, and (d) the measures we have taken or propose to take. We will provide updates as further information becomes available.
10. DPIAs & prior consultation
We will provide reasonable assistance to enable you to carry out Data Protection Impact Assessments and consultations with supervisory authorities, taking into account the nature of processing and the information available to us.
11. Audits
We will make available the information necessary to demonstrate compliance with this DPA. Once per twelve-month period (and additionally on a reasonable basis after a Personal Data Breach), you may request a written summary of (i) our security posture, (ii) recent third-party attestations or certifications held by our Sub-processors where available, and (iii) responses to specific written questions. On-site audits aren’t currently available; we will participate in reasonable written information-gathering instead.
12. International data transfers (SCCs)
Where Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection:
12.1 EU SCCs
The EU SCCs are incorporated into this DPA by reference, with the following selections:
- Module 2 (Controller-to-Processor) applies.
- Clause 7 (Docking Clause) applies.
- Clause 9(a) Option 2 (general written authorisation) applies, with the time period for new Sub-processor notice set at 30 days.
- Clause 11 (optional independent dispute resolution language) does not apply.
- Clause 17 Option 1 applies; governing law is the law of Ireland.
- Clause 18(b) designates the courts of Ireland.
- Annex I.A & I.B (Parties & Description of Transfer): see Annex I of this DPA.
- Annex I.C (Competent Supervisory Authority): the supervisory authority of the EU/EEA Member State in which the data subjects are located; absent that, the Irish Data Protection Commission.
- Annex II (Technical & organisational measures): see Annex II of this DPA.
- Annex III (Sub-processors): see Annex III of this DPA.
12.2 UK Addendum
The UK Addendum is incorporated by reference and applies between us. Tables 1–3 of the UK Addendum are completed using the Annexes to the EU SCCs as set out in this DPA. Table 4: neither party may end the UK Addendum when the Approved Addendum changes, except as permitted by the UK Addendum.
12.3 Swiss transfers
The EU SCCs apply with adaptations: references to the GDPR are read as references to the Swiss FADP; the supervisory authority is the Federal Data Protection and Information Commissioner; the governing law is Swiss; and individuals in Switzerland may bring claims in their place of habitual residence.
13. Return or deletion of data
On termination of the Service, or at your written request before then, we will delete Personal Data about your End Viewers from our active systems within a reasonable period (and in any event within 30 days of termination), except where retention is required by law. Routine encrypted backups roll off according to Supabase’s retention policy (currently around 7 days on our plan); we don’t restore from backup except for disaster recovery. On request, we will provide written confirmation of deletion.
14. Customer commitments
You represent and warrant that:
- you have a lawful basis under Applicable Data Protection Laws for the processing you instruct us to perform;
- you have provided End Viewers with all required information about your processing of their Personal Data, including by publishing your own privacy notice on, or linked from, the Stories you operate;
- where consent is required (including for cookies under EU/UK ePrivacy laws), you have configured the Service to obtain it;
- the Personal Data you instruct us to collect via lead forms or otherwise is reasonable, relevant, and not excessive for the purposes for which it is processed; and
- you will respond promptly to End Viewer rights requests we route to you.
15. Term, conflict, severability
This DPA takes effect when you accept the Terms and remains in effect for as long as the Terms remain in effect. In the event of a conflict between this DPA and the Terms or the Privacy Policy with respect to the processing of End Viewer Personal Data, this DPA prevails. If any part of this DPA is unenforceable, the rest stays in force.
16. Liability
Liability under this DPA is subject to the limits of liability set out in the Terms of Service.
17. Governing law
Except as required by Applicable Data Protection Laws or by Section 12 above with respect to the SCCs, this DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable in BC, with disputes brought to the courts located in Vancouver, British Columbia — consistent with the Terms.
18. Notices
Notices to us under this DPA: hello@webstory.app; and 3578 146A Street, Surrey BC V4P 1B2, Canada.
Notices to you: the email address on file for your account.
Annex I — Description of processing
A. Parties
Data exporter / Controller: the Customer, as identified by the account-holder details we hold for you.
Data importer / Processor: WebStory, an unincorporated joint venture between Torge Stehr (Surrey, BC, Canada) and Callum Thomas (Australia). Contact: hello@webstory.app.
B. Description of transfer
Categories of data subjects: End Viewers — natural persons who watch a published WebStory you operate.
Categories of Personal Data:
- Viewer cookie / local-storage identifiers (webstory-viewer-id, webstory-session-id, webstory-audio-preference, webstory-cart-id, webstory-onboarding-seen).
- IP address and request metadata (captured by Cloudflare in normal request logging).
- User-agent and referrer.
- Engagement events: page loads, video play/pause, video progress (sampled at 5% intervals), reel views, button clicks, swipes, time-on-Story heartbeats every 5 seconds, form submissions, onboarding events.
- Lead form submissions: whatever fields you configure your forms to collect (commonly name, email, phone).
- Shopify cart and checkout interactions, when you connect a Shopify store.
Sensitive Personal Data: none, unless you instruct us by configuring lead-form fields or other inputs that collect special-category data. If you do, you’re responsible for additional safeguards required by Applicable Data Protection Laws.
Frequency of transfer: continuous, while your Stories are published.
Nature of processing: hosting, encoding, caching, edge delivery, measurement (analytics), security, support, and ancillary activities to operate the Service.
Purpose of processing: providing, operating, securing, and improving the Service in accordance with the Terms.
Retention: for the life of your account; deletion within 30 days of account termination, subject to legal-retention obligations and the rolling backup window described in Section 13.
C. Competent supervisory authority
For EU transfers, the supervisory authority of the EEA/Member State in which the data subjects are located; absent that, the Irish Data Protection Commission. For UK transfers, the UK Information Commissioner’s Office. For Swiss transfers, the Federal Data Protection and Information Commissioner.
Annex II — Technical & organisational measures
The current measures we maintain include those listed below. We may update them over time provided the level of protection is not materially reduced.
- Encryption in transit: TLS for all customer-facing surfaces (dashboard, viewer player, marketing site).
- Encryption at rest: at-rest encryption at Supabase (Postgres), Cloudflare Stream, Cloudflare R2, Cloudflare KV, and Cloudflare D1, per provider defaults.
- Encrypted storage of integration credentials: OAuth tokens for Shopify, Squarespace, Zapier, and Campaign Monitor are stored encrypted at rest with separate initialization vectors.
- Identity & access management: authentication delegated to Supabase, with password hashing handled by Supabase. Production-system access is on a least-privilege basis.
- Network controls: all customer-facing endpoints are fronted by Cloudflare; webhook endpoints verify HMAC signatures (Cloudflare Stream, Shopify).
- Rate limiting: Upstash Redis-based rate limiting on dashboard and analytics endpoints.
- Logging & monitoring: dashboard mutations recorded in an audit table; error monitoring via Sentry, with session replay sampled at 5% and configured to mask all text and form inputs and to block all media.
- Backups & disaster recovery: automated managed backups via Supabase on the current plan’s retention window (~7 days); we don’t restore from backup except for disaster recovery.
- Personnel: all individuals authorized to access Personal Data are bound by confidentiality obligations.
- Vulnerability handling: responsible disclosures accepted at hello@webstory.app.
- Sub-processor due diligence: we contract with Sub-processors on terms imposing data-protection obligations at least as protective as those in this DPA.
Annex III — Sub-processors
The current list of approved Sub-processors is published at getwebstory.com/subprocessors. That page is incorporated into this Annex III by reference, and changes follow the notice-and-objection process in Section 7.
Version history
- 1.0 — May 5, 2026 — initial publication.