Start free →
LEGAL

Privacy Policy.

What we collect, why, who we share it with, and how to make us stop. Written for our customers, for getwebstory.com visitors, and for the viewers who land on a published Webstory.

Effective June 8, 2026·Version 1.2

1. Who we are

This Privacy Policy is published by Webstory Tech Inc., a company incorporated under the laws of British Columbia, Canada, which operates the Webstory platform. Mailing address: 3578 146A Street, Surrey BC V4P 1B2, Canada. Email: hello@webstory.app.

2. What this Policy covers

This Policy explains how we handle personal data when:

  • you visit our marketing website at getwebstory.com;
  • you sign up for and use our creator dashboard at webstoryapp.com;
  • you contact us, subscribe to our newsletter, or otherwise interact with us; and
  • your business uses Webstory to publish a Story at <handle>.webstory.app (the subdomain you select) that someone else watches (an “End Viewer”).

Different rules apply depending on which is happening — read sections 4–6 carefully.

3. Our role: controller vs. processor

Privacy law splits responsibility between the entity that decides why and how personal data is processed (the “controller”) and the entity that processes it on the controller’s behalf (the “processor”).

Webstory plays both roles:

  • We are the controller of personal data we collect directly from you, our customers — account credentials, billing data, support correspondence, our internal analytics about how you use the dashboard, and so on.
  • We are a processor for personal data your published Webstories generate about your End Viewers — viewer cookies, watch events, lead form submissions, Shopify cart activity. You are the controller of that data, because you decide what your Story collects and what you do with it. We process it on your behalf, on the instructions you give us via your dashboard configuration.

Section 13 sets out the Data Processing Addendum that applies to that processor role.

4. Personal data we collect from you (our customers)

When you create and use a Webstory account, we collect:

  • Account & identity — email address, password (stored only as a salted hash by our auth provider Supabase), display name, profile picture if you upload one, and any OAuth metadata you supply (e.g. a Google display name) if you sign in via OAuth.
  • Billing data (when billing is live) — name, billing address, tax ID where applicable, last four digits and brand of payment card, and transaction history. We don’t see or store full card numbers; Stripe handles them.
  • Customer Content — the videos, images, canvas frames, copy, branding, and configurations you upload to your Stories.
  • Integration credentials — OAuth tokens for Shopify, Zapier, Campaign Monitor, Squarespace, and other integrations you authorize. We encrypt these at rest.
  • Stripe Connect onboarding data — if you set up payments through the Service, you provide information that gets forwarded to Stripe to open and maintain your Stripe Connect Custom account. This includes your country, business type, business name and URL, merchant category, product description, the account-holder’s name, date of birth, address, email, phone, and job title, and bank-account information for payouts. We store an autosaved draft of the onboarding form in our database during the multi-step wizard, and a mirrored summary of your Stripe Connect account state (account ID, capability status, requirements) afterwards. Bank-account numbers are tokenized client-side by Stripe.js and never reach our servers in raw form.
  • Support correspondence — emails, contact-form submissions, and other messages you send us.
  • Dashboard usage telemetry — logs and error reports generated as you use the dashboard, including IP, user-agent, page paths, error stack traces, and a 5% sample of session replays via Sentry, with all text and form inputs masked and all media blocked.

5. Personal data we collect from website visitors (getwebstory.com)

The marketing site at getwebstory.com currently uses no third-party analytics, advertising, or tracking cookies. Server logs at our hosting provider Vercel record IP addresses and request metadata for security and abuse prevention.

If you submit the contact form or newsletter form, we collect what you fill in (name, email, message) and route it via Mailgun to hello@webstory.app.

We may add first-party analytics in the future. If we do, we will update this Policy and let you know in advance for any change that materially affects your privacy.

6. Personal data we collect from your End Viewers

When someone watches a Webstory you operate, we (as your processor) receive:

  • IP address and request metadata — captured by Cloudflare as part of normal request logging.
  • User-agent and referrer — sent by the viewer’s browser.
  • Cookies and local-storage identifiers set on the viewer’s device:
    • webstory-viewer-id (365 days) — random UUID identifying repeat viewers.
    • webstory-session-id (per tab) — identifies a single visit.
    • webstory-audio-preference (365 days) — remembers whether they unmuted.
    • webstory-cart-id (365 days) — cart UUID for Shopify or Squarespace ecommerce integrations.
    • webstory-cart-provider (365 days) — tracks which provider (SHOPIFY or SQUARESPACE) owns the active cart.
    • webstory-onboarding-seen (365 days) — remembers whether they have dismissed the first-time onboarding overlay.
  • Engagement events — page loads, video play/pause, video progress (sampled at 5% intervals), reel views, button clicks, form submissions, swipes, and time-on-Story heartbeats every five seconds.
  • Lead form submissions — whatever fields you, the customer, configure your form to collect (commonly name, email, phone). These are stored in plain text in our database. You decide how sensitive these fields are — pick them carefully.
  • Shopify cart and checkout interactions — when your Story includes Shopify integrations, viewer cart activity passes through and Shopify hosts the checkout. Shopify is a separate controller for that data; see Shopify’s privacy policy.
  • Squarespace cart and in-player checkout — when your Story includes a Squarespace integration, viewers can browse and check out without leaving the player. We collect their billing email, name, full billing address (line 1, line 2, city, state/region, postal code, country), and order line items. Card data is captured by an embedded Stripe iframe and tokenized in the viewer’s browser — card numbers never reach our servers (PCI SAQ A scope). On payment success we forward the order details to Squarespace via your authorized OAuth token; tax calculations are performed by Stripe Tax against your registered jurisdictions. Stripe and Squarespace are independent controllers for the data they handle directly; see their privacy policies.

We act on your (the customer’s) instructions when handling this data. You decide whether and how to surface a cookie banner, what your forms collect, and which third-party integrations to enable.

7. How we use personal data

We use personal data to:

  • Provide the Service — host your Stories, deliver them to viewers, render the dashboard, process logins and (when live) payments, deliver support.
  • Secure the Service — detect abuse, debug errors, prevent fraud and unauthorized access, respond to incidents.
  • Communicate with you — operational emails (account, billing, security), marketing emails about Webstory if you have opted in (you can unsubscribe at any time), and responses to your support requests.
  • Improve the Service — measure feature usage, fix bugs, and develop new features. This includes using de-identified or aggregated data freely.
  • Develop AI features. We may use Customer Content (videos, images, lead form data) to develop, train, and improve machine-learning features that power the Service. We do not currently do this; if we begin, we will describe it more specifically here. We don’t sell or licence raw Customer Content for third-party model training. To opt out of this use, contact hello@webstory.app.
  • Comply with legal obligations — tax records, abuse reports, lawful requests by authorities, IP complaints.

If GDPR or UK GDPR applies to you, our legal bases are:

  • Contract — to provide the Service you have signed up for.
  • Legitimate interests — to secure the Service, prevent fraud, debug errors, run de-identified analytics, and market Webstory to existing customers (we balance our interest against your rights).
  • Consent — for marketing emails to people who haven’t yet contracted with us, and for any future cookie-based tracking on getwebstory.com that requires it.
  • Legal obligation — when law requires us to process data (tax, abuse, court orders).

For data we process about your End Viewers (where we are your processor), the legal basis is set by you, the controller. You are responsible for having one.

9. Sub-processors

We use a small number of trusted third parties to operate the Service. The current list is published at getwebstory.com/subprocessors and is incorporated into this Policy by reference.

We give existing customers at least 30 days’ email notice before adding or replacing a sub-processor that handles personal data. If you object in writing within that window and we can’t accommodate the objection, your sole remedy is to terminate your subscription.

10. International data transfers

We are based in Canada and Australia. Our infrastructure operates globally:

  • Vercel — dashboard and marketing-site hosting (global edge, primary US).
  • Supabase — auth and Postgres database, hosted on AWS us-east-2 (Ohio, USA).
  • Cloudflare — Workers, Stream (video), R2 (object storage), KV, and D1 (edge SQLite) on a global edge network with no fixed region.
  • Other sub-processors (Stripe, Sentry, Upstash, Campaign Monitor, Mailgun, Zapier, Shopify, Squarespace) — see the sub-processor list.

When personal data of EU/UK/Swiss residents is transferred to a country that has not been recognized as providing adequate protection, we rely on the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and the Swiss FDPIC equivalent, alongside supplementary technical and organizational measures (encryption in transit, encryption at rest where supported, access controls). On request to hello@webstory.app we’ll share the specific transfer mechanism that applies to a given flow.

11. Data retention

  • Active accounts: we keep your personal data for as long as your account is open.
  • Closed accounts: when your account is deleted, we delete your account record, your Customer Content, and your associated analytics events from our active systems. Routine encrypted backups (currently provided by Supabase’s free plan, with a retention window of around 7 days) roll off automatically. We don’t restore deleted data from backups except to recover from a disaster.
  • Limited records we keep longer: billing and tax records (where required by law — typically six years in Canada), abuse reports, and records needed to defend legal claims.
  • Marketing list: if you subscribe to our newsletter, we keep your email until you unsubscribe.

12. Your rights

Depending on where you live, you have some or all of the following rights with respect to personal data we hold about you (as a controller — that is, the account-side data in Section 4, not your End Viewers’ data, where you are the controller and viewer requests should be directed to your business):

  • access a copy of your data;
  • correct it if it’s wrong;
  • delete it;
  • port it to another service;
  • restrict or object to certain processing;
  • withdraw consent (where consent is the legal basis);
  • complain to a supervisory authority (see Section 18 below);
  • (California / certain US states) opt out of “sale” or “sharing” of personal data — we do not sell or share personal data in the meaning of those laws;
  • (Quebec, under Law 25) request that automated decisions affecting you be reviewed by a human — we don’t currently make solely automated decisions of legal effect.

To exercise a right, email hello@webstory.app from the address associated with your account (or otherwise enable us to verify your identity). We will respond within the timeframes required by your local law (generally 30 days). For requests about End Viewers’ data, please contact the customer who operates the Webstory in question; we will route those requests on.

13. Data Processing Addendum

When you use Webstory to publish Stories that collect personal data about your End Viewers, our processing of that data on your behalf is governed by a standalone Data Processing Addendum published at getwebstory.com/dpa and incorporated into our Terms of Service. The DPA covers our processor obligations, the EU Standard Contractual Clauses, the UK Addendum, our technical-and-organisational measures, and the sub-processor commitments described in this Policy.

Accepting the Terms is acceptance of the DPA. If your organization needs a counter-signed copy for procurement review, email hello@webstory.app and we’ll arrange one.

14. Cookies on our properties

  • getwebstory.com: no third-party analytics or advertising cookies. We may set a small number of essential first-party cookies (e.g. for the contact form’s CSRF protection).
  • webstoryapp.com (the dashboard): essential session cookies set by our auth provider Supabase, plus the Sentry session-replay sampling described in Section 4 (5% sample, with text and form inputs masked and media blocked).
  • The viewer player (<handle>.webstory.app, where <handle> is the subdomain the customer selected; plus customer custom domains when supported): the cookies described in Section 6, set on your behalf as your processor. Two of those cookies (webstory-audio-preference and webstory-onboarding-seen) are scoped to .webstory.app rather than to a specific customer’s subdomain, so a viewer’s mute/unmute preference and dismissal of the first-time onboarding overlay carry across every Webstory they watch on *.webstory.app. The remaining viewer cookies are scoped to a single subdomain and don’t cross customers.
  • Stripe.js in the viewer browser. When a Story has Squarespace ecommerce enabled and a viewer enters checkout, the player loads js.stripe.com/v3/ on demand. Stripe sets its own cookies on its domain to operate the payment iframe and to perform fraud-prevention checks. Stripe is the controller for those cookies; see Stripe’s cookie policy.

We are releasing a cookie banner for your published Webstories that you can configure to suit your viewers’ jurisdiction. As described in Section 8 of the Terms, you the customer are responsible for choosing the right configuration and disclosing the cookies in your own privacy notice.

15. Children

The Service isn’t designed for, or directed at, children under 16. Don’t create a Webstory account if you’re younger than that. If you operate a Webstory whose audience includes minors, you are responsible for complying with applicable children’s-privacy laws (COPPA, GDPR Art. 8, Quebec Law 25, and so on) when collecting their data through your forms or analytics.

16. Security

We rely on our infrastructure providers’ encryption (Cloudflare, Supabase, Vercel — all with at-rest encryption by default, TLS in transit), encrypted storage of integration tokens, masked Sentry session replay, rate limiting via Upstash Redis, audit logging on key dashboard actions, and the security features of OAuth-based logins. Despite that, no system is fully secure. If you spot a vulnerability, please email hello@webstory.app — responsible disclosure is welcome.

17. Changes to this Policy

We may update this Policy. For material changes, we will give you at least 30 days’ email notice before they take effect. The current version, effective date, and a changelog are at the bottom of this page.

18. Region-specific notices

EU / UK / Swiss residents

You can reach us at hello@webstory.app or by mail at the address in Section 1. We don’t currently have a designated EU representative under GDPR Article 27 or a UK representative under UK GDPR Article 27. We will appoint one before we actively offer the Service to data subjects in those regions in a way that triggers the Article 27 obligation. In the meantime, your rights remain — bring them to us. You can also complain to your local supervisory authority.

California, Colorado, Virginia, Connecticut, and other US states

We do not “sell” or “share” personal data for cross-context behavioral advertising, and there is no such program to opt out of. You can exercise the rights in Section 12 by emailing us.

Quebec residents

Under Law 25, you can reach the person responsible for personal data at Webstory Tech Inc. at hello@webstory.app. You can submit access, rectification, and de-indexing requests there.

Australian customers

We comply with the Australian Privacy Principles. Complaints can be raised with us first; if not resolved, with the Office of the Australian Information Commissioner (oaic.gov.au).

Canadian customers (PIPEDA / provincial laws)

You can complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial equivalent.

19. Contact

Privacy questions, requests, or complaints: hello@webstory.app. By mail: Webstory Tech Inc., 3578 146A Street, Surrey BC V4P 1B2, Canada.

Version history

  • 1.2 — June 8, 2026— the publisher of this Policy is now Webstory Tech Inc., a British Columbia company, in place of the founding joint venture; contact and Quebec privacy-officer details updated accordingly.
  • 1.1 — May 7, 2026 — expanded customer-data section to describe Stripe Connect onboarding data; added Squarespace in-player checkout to End-Viewer data; documented the new webstory-cart-provider cookie and Stripe.js loading in the viewer browser.
  • 1.0 — May 5, 2026 — initial publication.
QR code linking to webstory.app
P.S. — this site is a regular page.
Our real one is a Webstory. See it at webstory.app →
↑ Scan to open on your phone