1. Current sub-processors
Each entity below is bound by contractual data-protection terms with at least the same protections we owe you. We update this page when sub-processors change — see Section 2 below for how we notify you.
| Sub-processor | Purpose | Data categories | Hosting region |
|---|---|---|---|
| Vercel Inc. | Hosting for getwebstory.com and the webstoryapp.com dashboard. | Account & dashboard usage data, server logs, Customer Content delivered through the dashboard. | Global edge; primary US. |
| Supabase Inc. | Authentication and primary application database. | Email, hashed password, profile info, session tokens, Customer Content metadata, lead form submissions, integration tokens (encrypted). | AWS us-east-2 (Ohio, USA). |
| Cloudflare, Inc. | Cloudflare Stream (video), R2 (object storage), Workers, KV, D1, and viewer delivery for *.webstory.app and customer custom domains. | Customer Content (videos, images, canvas frames), End-Viewer IPs and request logs, viewer engagement events. | Global edge. |
| Stripe, Inc. | Payment processing (when billing is live). | Name, billing address, partial card data, tax ID, transaction history. | US, with EU/UK pinning per Stripe. |
| Functional Software, Inc. (Sentry) | Error monitoring and 5%-sampled session replay (text and inputs masked, media blocked). | Error stack traces, request metadata, masked session replays. | US. |
| Upstash, Inc. | Redis-based rate limiting. | IP addresses, request counts, rate-limit keys. | US / EU per region. |
| Campaign Monitor Pty Ltd | Marketing email lists for getwebstory.com; customer-driven list mapping when a customer enables the integration. | Subscriber email, name, list metadata; customer-defined fields when an integration is enabled. | Australia / US. |
| Mailgun (Sinch Email) | Transactional email for the marketing site forms (contact, newsletter). | Sender email, name, message body. | US or EU (per environment configuration). |
| Zapier, Inc. | Customer-driven webhook forwarding from your WebStory forms when you enable the integration. | Form-field values you have authorized to send. | US. |
| Shopify Inc. | Customer-driven cart and checkout in your WebStories when you connect a Shopify store. | Cart IDs, product IDs, viewer activity passed by your published Story; OAuth tokens stored encrypted on our side. | Global, per Shopify. |
| Squarespace, Inc. | Customer-driven Squarespace integration. | Integration metadata and credentials authorized by the customer. | US. |
2. Notice of changes
We give existing customers at least 30 days’ email notice before adding or replacing a sub-processor that handles personal data. To object, reply to that notice within 30 days. If we can’t accommodate your objection, your sole remedy is to terminate your subscription before the change takes effect.
3. Contact
Questions about this list? hello@webstory.app.
Version history
- 1.0 — May 5, 2026— initial publication.
