Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") supplements our Terms of Service and Privacy Policy. It applies when StoryKeepr processes personal data on behalf of you ("Data Controller") in connection with your use of the platform — for example, when readers submit their email addresses on your download pages.

By using StoryKeepr features that involve processing personal data of third parties (such as download page email collection), you agree to the terms of this DPA.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (including the GDPR)
  • "Data Controller" means you, the StoryKeepr user, who determines the purposes and means of processing Personal Data (e.g., collecting reader emails for your newsletter)
  • "Data Processor" means StoryKeepr, which processes Personal Data on behalf of the Data Controller
  • "Sub-processor" means a third party engaged by StoryKeepr to assist in processing Personal Data

2. Scope of Processing

StoryKeepr processes Personal Data solely to provide the services you use:

  • Data types: Email addresses, IP addresses (for geographic analytics), browser information, and timestamps
  • Data subjects: Readers and visitors who interact with your public pages, download pages, and tracked links
  • Purpose: Storing and displaying collected emails to you, sending download verification emails, recording page views and link clicks for analytics, and generating geographic performance reports
  • Duration: Data is processed for as long as your account is active. Upon account deletion, all associated data is permanently removed

3. Obligations of StoryKeepr (Data Processor)

StoryKeepr will:

  • Process Personal Data only on your documented instructions (i.e., through your use of platform features) and not for any other purpose
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures, including encryption in transit (HTTPS/TLS), secure password hashing (bcrypt), and access controls
  • Not engage additional Sub-processors without providing you notice (see Section 5)
  • Assist you in responding to data subject requests (access, correction, deletion, portability) to the extent reasonably possible
  • Notify you without undue delay (and no later than 72 hours) upon becoming aware of a Personal Data breach
  • Delete or return all Personal Data upon termination of your account, unless retention is required by law
  • Make available information necessary to demonstrate compliance with these obligations

4. Obligations of the Data Controller (You)

As the Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for collecting Personal Data through StoryKeepr features (e.g., consent from readers who submit their email on your download pages)
  • Providing any required privacy notices to data subjects before or at the point of data collection
  • Complying with all applicable data protection laws when using exported data (e.g., adding emails to your newsletter service)
  • Responding to data subject requests related to data you have exported from StoryKeepr

5. Sub-processors

StoryKeepr uses the following Sub-processors to provide the service:

  • Cloudflare — CDN, DDoS protection, and DNS (United States)
  • Stripe — Payment processing (United States)
  • Sentry — Error monitoring and reporting (United States)
  • Google Analytics — Anonymized website usage analytics (United States)

We will provide notice of any new Sub-processors via email or platform notification before they begin processing Personal Data. If you object to a new Sub-processor, you may terminate your account.

6. International Data Transfers

StoryKeepr's servers and Sub-processors are located in the United States. If Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, such transfers are made in accordance with applicable data protection laws. By using StoryKeepr, you acknowledge and consent to the transfer of Personal Data to the United States as described in our Privacy Policy.

7. Data Security & Breach Notification

StoryKeepr maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration. In the event of a Personal Data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the nature of the breach, the data affected, and the remedial steps being taken.

8. Term & Termination

This DPA is effective for as long as you maintain an active StoryKeepr account. Upon account deletion, StoryKeepr will delete all Personal Data processed on your behalf, except where retention is required by law. The obligations in this DPA regarding data security, confidentiality, and breach notification survive termination.

9. Contact

For questions about this DPA or to exercise your rights, please contact us at [email protected].