Start free →
LEGAL

Privacy Policy.

What we collect, why, who we share it with, and how to make us stop. Written for our customers, for getwebstory.com visitors, and for the viewers who land on a published WebStory.

Effective May 5, 2026·Version 1.0

1. Who we are

This Privacy Policy is published by WebStory, an unincorporated joint venture between Torge Stehr (Surrey, British Columbia, Canada) and Callum Thomas (Australia). Mailing address: 3578 146A Street, Surrey BC V4P 1B2, Canada. Email: hello@webstory.app.

We are planning to incorporate first in British Columbia, Canada. When we do, this Policy will be assigned to the successor entity, which will inherit all of our commitments here.

2. What this Policy covers

This Policy explains how we handle personal data when:

  • you visit our marketing website at getwebstory.com;
  • you sign up for and use our creator dashboard at webstoryapp.com;
  • you contact us, subscribe to our newsletter, or otherwise interact with us; and
  • your business uses WebStory to publish a Story at <handle>.webstory.app (the subdomain you select) that someone else watches (an “End Viewer”).

Different rules apply depending on which is happening — read sections 4–6 carefully.

3. Our role: controller vs. processor

Privacy law splits responsibility between the entity that decides why and how personal data is processed (the “controller”) and the entity that processes it on the controller’s behalf (the “processor”).

WebStory plays both roles:

  • We are the controller of personal data we collect directly from you, our customers — account credentials, billing data, support correspondence, our internal analytics about how you use the dashboard, and so on.
  • We are a processor for personal data your published WebStories generate about your End Viewers — viewer cookies, watch events, lead form submissions, Shopify cart activity. You are the controller of that data, because you decide what your Story collects and what you do with it. We process it on your behalf, on the instructions you give us via your dashboard configuration.

Section 13 sets out the Data Processing Addendum that applies to that processor role.

4. Personal data we collect from you (our customers)

When you create and use a WebStory account, we collect:

  • Account & identity — email address, password (stored only as a salted hash by our auth provider Supabase), display name, profile picture if you upload one, and any OAuth metadata you supply (e.g. a Google display name) if you sign in via OAuth.
  • Billing data (when billing is live) — name, billing address, tax ID where applicable, last four digits and brand of payment card, and transaction history. We don’t see or store full card numbers; Stripe handles them.
  • Customer Content — the videos, images, canvas frames, copy, branding, and configurations you upload to your Stories.
  • Integration credentials — OAuth tokens for Shopify, Zapier, Campaign Monitor, Squarespace, and other integrations you authorize. We encrypt these at rest.
  • Support correspondence — emails, contact-form submissions, and other messages you send us.
  • Dashboard usage telemetry — logs and error reports generated as you use the dashboard, including IP, user-agent, page paths, error stack traces, and a 5% sample of session replays via Sentry, with all text and form inputs masked and all media blocked.

5. Personal data we collect from website visitors (getwebstory.com)

The marketing site at getwebstory.com currently uses no third-party analytics, advertising, or tracking cookies. Server logs at our hosting provider Vercel record IP addresses and request metadata for security and abuse prevention.

If you submit the contact form or newsletter form, we collect what you fill in (name, email, message) and route it via Mailgun to hello@webstory.app.

We may add first-party analytics in the future. If we do, we will update this Policy and let you know in advance for any change that materially affects your privacy.

6. Personal data we collect from your End Viewers

When someone watches a WebStory you operate, we (as your processor) receive:

  • IP address and request metadata — captured by Cloudflare as part of normal request logging.
  • User-agent and referrer — sent by the viewer’s browser.
  • Cookies and local-storage identifiers set on the viewer’s device:
    • webstory-viewer-id (365 days) — random UUID identifying repeat viewers.
    • webstory-session-id (per tab) — identifies a single visit.
    • webstory-audio-preference (365 days) — remembers whether they unmuted.
    • webstory-cart-id (365 days) — Shopify cart UUID for ecommerce integrations.
    • webstory-onboarding-seen (365 days) — remembers whether they have dismissed the first-time onboarding overlay.
  • Engagement events — page loads, video play/pause, video progress (sampled at 5% intervals), reel views, button clicks, form submissions, swipes, and time-on-Story heartbeats every five seconds.
  • Lead form submissions — whatever fields you, the customer, configure your form to collect (commonly name, email, phone). These are stored in plain text in our database. You decide how sensitive these fields are — pick them carefully.
  • Shopify cart and checkout interactions — when your Story includes Shopify integrations, viewer cart and checkout activity passes through. Shopify is a separate controller for that data; see Shopify’s privacy policy.

We act on your (the customer’s) instructions when handling this data. You decide whether and how to surface a cookie banner, what your forms collect, and which third-party integrations to enable.

7. How we use personal data

We use personal data to:

  • Provide the Service — host your Stories, deliver them to viewers, render the dashboard, process logins and (when live) payments, deliver support.
  • Secure the Service — detect abuse, debug errors, prevent fraud and unauthorized access, respond to incidents.
  • Communicate with you — operational emails (account, billing, security), marketing emails about WebStory if you have opted in (you can unsubscribe at any time), and responses to your support requests.
  • Improve the Service — measure feature usage, fix bugs, and develop new features. This includes using de-identified or aggregated data freely.
  • Develop AI features. We may use Customer Content (videos, images, lead form data) to develop, train, and improve machine-learning features that power the Service. We do not currently do this; if we begin, we will describe it more specifically here. We don’t sell or licence raw Customer Content for third-party model training. To opt out of this use, contact hello@webstory.app.
  • Comply with legal obligations — tax records, abuse reports, lawful requests by authorities, IP complaints.

If GDPR or UK GDPR applies to you, our legal bases are:

  • Contract — to provide the Service you have signed up for.
  • Legitimate interests — to secure the Service, prevent fraud, debug errors, run de-identified analytics, and market WebStory to existing customers (we balance our interest against your rights).
  • Consent — for marketing emails to people who haven’t yet contracted with us, and for any future cookie-based tracking on getwebstory.com that requires it.
  • Legal obligation — when law requires us to process data (tax, abuse, court orders).

For data we process about your End Viewers (where we are your processor), the legal basis is set by you, the controller. You are responsible for having one.

9. Sub-processors

We use a small number of trusted third parties to operate the Service. The current list is published at getwebstory.com/subprocessors and is incorporated into this Policy by reference.

We give existing customers at least 30 days’ email notice before adding or replacing a sub-processor that handles personal data. If you object in writing within that window and we can’t accommodate the objection, your sole remedy is to terminate your subscription.

10. International data transfers

We are based in Canada and Australia. Our infrastructure operates globally:

  • Vercel — dashboard and marketing-site hosting (global edge, primary US).
  • Supabase — auth and Postgres database, hosted on AWS us-east-2 (Ohio, USA).
  • Cloudflare — Workers, Stream (video), R2 (object storage), KV, and D1 (edge SQLite) on a global edge network with no fixed region.
  • Other sub-processors (Stripe, Sentry, Upstash, Campaign Monitor, Mailgun, Zapier, Shopify, Squarespace) — see the sub-processor list.

When personal data of EU/UK/Swiss residents is transferred to a country that has not been recognized as providing adequate protection, we rely on the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and the Swiss FDPIC equivalent, alongside supplementary technical and organizational measures (encryption in transit, encryption at rest where supported, access controls). On request to hello@webstory.app we’ll share the specific transfer mechanism that applies to a given flow.

11. Data retention

  • Active accounts: we keep your personal data for as long as your account is open.
  • Closed accounts: when your account is deleted, we delete your account record, your Customer Content, and your associated analytics events from our active systems. Routine encrypted backups (currently provided by Supabase’s free plan, with a retention window of around 7 days) roll off automatically. We don’t restore deleted data from backups except to recover from a disaster.
  • Limited records we keep longer: billing and tax records (where required by law — typically six years in Canada), abuse reports, and records needed to defend legal claims.
  • Marketing list: if you subscribe to our newsletter, we keep your email until you unsubscribe.

12. Your rights

Depending on where you live, you have some or all of the following rights with respect to personal data we hold about you (as a controller — that is, the account-side data in Section 4, not your End Viewers’ data, where you are the controller and viewer requests should be directed to your business):

  • access a copy of your data;
  • correct it if it’s wrong;
  • delete it;
  • port it to another service;
  • restrict or object to certain processing;
  • withdraw consent (where consent is the legal basis);
  • complain to a supervisory authority (see Section 18 below);
  • (California / certain US states) opt out of “sale” or “sharing” of personal data — we do not sell or share personal data in the meaning of those laws;
  • (Quebec, under Law 25) request that automated decisions affecting you be reviewed by a human — we don’t currently make solely automated decisions of legal effect.

To exercise a right, email hello@webstory.app from the address associated with your account (or otherwise enable us to verify your identity). We will respond within the timeframes required by your local law (generally 30 days). For requests about End Viewers’ data, please contact the customer who operates the WebStory in question; we will route those requests on.

13. Data Processing Addendum

This Section 13 forms a Data Processing Addendum (DPA) between you (the Customer, as controller) and WebStory (as processor) for the End-Viewer personal data described in Section 6. It applies automatically when you use the Service; we will counter-sign a copy on request.

13.1 Subject matter and duration

We process viewer personal data for as long as you use the Service and until you delete your account.

13.2 Nature and purpose of processing

Hosting, delivering, measuring, and securing your published Stories.

13.3 Categories of data subjects and personal data

Your End Viewers; the categories listed in Section 6 (cookies/IDs, IPs, engagement events, lead form data, ecommerce activity).

13.4 Our obligations as processor

We will:

  • process viewer personal data only on your documented instructions (which include your dashboard configuration and these Terms);
  • ensure people authorized to access viewer data are bound by confidentiality;
  • implement appropriate technical and organizational security measures — current measures include TLS in transit, encryption at rest at our data stores, encrypted storage of integration tokens, access controls, least-privilege access to production systems, audit logs of dashboard changes, masked Sentry session replays, and rate limiting via Upstash Redis;
  • use sub-processors only as described in Section 9 above and impose written terms on them with at least the same protections;
  • help you respond to data-subject requests and consultations with supervisory authorities, to the extent reasonable;
  • notify you without undue delay (and within 72 hours where reasonably possible) of any personal data breach affecting your viewers;
  • on termination, delete or return viewer data per your instructions, except where retention is required by law.

13.5 International transfers

Where the SCCs apply, the EU SCCs (2021), Module 2 (Controller-to-Processor), are incorporated by reference. The UK IDTA applies for UK transfers. The Swiss FDPIC equivalent applies for Swiss transfers.

13.6 Audit

Once per year (and on a reasonable basis after a personal data breach), you may request a written summary of our security posture and recent third-party attestations from our sub-processors. On-site audits are not currently available; we will participate in reasonable written information-gathering instead.

13.7 Liability under this DPA

Liability under this DPA is subject to the limits of liability in our Terms of Service.

14. Cookies on our properties

  • getwebstory.com: no third-party analytics or advertising cookies. We may set a small number of essential first-party cookies (e.g. for the contact form’s CSRF protection).
  • webstoryapp.com (the dashboard): essential session cookies set by our auth provider Supabase, plus the Sentry session-replay sampling described in Section 4 (5% sample, with text and form inputs masked and media blocked).
  • The viewer player (<handle>.webstory.app, where <handle> is the subdomain the customer selected; plus customer custom domains when supported): the cookies described in Section 6, set on your behalf as your processor. Two of those cookies (webstory-audio-preference and webstory-onboarding-seen) are scoped to .webstory.app rather than to a specific customer’s subdomain, so a viewer’s mute/unmute preference and dismissal of the first-time onboarding overlay carry across every WebStory they watch on *.webstory.app. The remaining viewer cookies are scoped to a single subdomain and don’t cross customers.

We are releasing a cookie banner for your published WebStories that you can configure to suit your viewers’ jurisdiction. As described in Section 8 of the Terms, you the customer are responsible for choosing the right configuration and disclosing the cookies in your own privacy notice.

15. Children

The Service isn’t designed for, or directed at, children under 16. Don’t create a WebStory account if you’re younger than that. If you operate a WebStory whose audience includes minors, you are responsible for complying with applicable children’s-privacy laws (COPPA, GDPR Art. 8, Quebec Law 25, and so on) when collecting their data through your forms or analytics.

16. Security

We rely on our infrastructure providers’ encryption (Cloudflare, Supabase, Vercel — all with at-rest encryption by default, TLS in transit), encrypted storage of integration tokens, masked Sentry session replay, rate limiting via Upstash Redis, audit logging on key dashboard actions, and the security features of OAuth-based logins. Despite that, no system is fully secure. If you spot a vulnerability, please email hello@webstory.app — responsible disclosure is welcome.

17. Changes to this Policy

We may update this Policy. For material changes, we will give you at least 30 days’ email notice before they take effect. The current version, effective date, and a changelog are at the bottom of this page.

18. Region-specific notices

EU / UK / Swiss residents

You can reach us at hello@webstory.app or by mail at the address in Section 1. We don’t currently have a designated EU representative under GDPR Article 27 or a UK representative under UK GDPR Article 27. We will appoint one before we actively offer the Service to data subjects in those regions in a way that triggers the Article 27 obligation. In the meantime, your rights remain — bring them to us. You can also complain to your local supervisory authority.

California, Colorado, Virginia, Connecticut, and other US states

We do not “sell” or “share” personal data for cross-context behavioral advertising, and there is no such program to opt out of. You can exercise the rights in Section 12 by emailing us.

Quebec residents

Under Law 25, our privacy officer is Torge Stehr (hello@webstory.app). You can submit access, rectification, and de-indexing requests there.

Australian customers

We comply with the Australian Privacy Principles. Complaints can be raised with us first; if not resolved, with the Office of the Australian Information Commissioner (oaic.gov.au).

Canadian customers (PIPEDA / provincial laws)

You can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial equivalent.

19. Contact

Privacy questions, requests, or complaints: hello@webstory.app. By mail: 3578 146A Street, Surrey BC V4P 1B2, Canada.

Version history

  • 1.0May 5, 2026 — initial publication.
QR code linking to webstory.app
P.S. — this site is a regular page.
Our real one is a WebStory. See it at webstory.app →
↑ Scan to open on your phone