Privacy Policy
TheirStory, Inc. | Last Updated: July 09, 2026
1. INTRODUCTION AND SCOPE
TheirStory, Inc. ("TheirStory," "we," "us," or "our") provides a web-based platform for recording, storing, transcribing, and sharing video and audio stories, including oral histories (the "Services"). This Privacy Policy explains what personal information we collect, how we use and share it, how long we keep it, and the choices and rights available to you. It applies to visitors, registered users, and the individuals whose stories are recorded through the Services, whether they interact with TheirStory directly or through an organization (a "Subscriber") that has licensed the Services under a separate agreement with us.
This Policy is incorporated by reference into, and should be read together with, our Terms and Conditions and any Master Service Agreement entered into by a Subscriber. If a Subscriber's agreement with us conflicts with this Policy on a matter specific to that Subscriber's use of the Services, the Subscriber agreement controls; in all other respects, this Policy governs how we handle personal information.
2. INFORMATION WE COLLECT
2.1 Information You Provide
We collect information you give us directly, including:
- Account and registration information, such as your name, email address, and password.
- Recordings and submissions, including video, audio, transcripts, images, and any accompanying text you create or upload through the Services ("Submissions").
- Communications you send us, such as support requests or feedback.
2.2 Information Collected Automatically
When you use the Services, we automatically collect limited technical information, including your IP address, browser and device type, operating system, pages viewed, and similar log data. We use cookies and comparable technologies solely to operate and secure the Services, remember your preferences, keep you signed in, and understand aggregate usage so we can improve the product, not to power third-party behavioral advertising. See Section 5 (Cookies and Tracking Technologies) for details.
2.3 Information We Receive Through a Subscriber
If you interact with the Services because an organization you belong to (for example, a school, library, archive, or cultural institution) has subscribed to TheirStory, that organization (rather than TheirStory) determines what personal information about you is submitted to the Services and is responsible for providing any notices and obtaining any consents required to do so. TheirStory processes that information as described in this Policy and in our agreement with the Subscriber.
3. HOW WE USE INFORMATION
3.1 Providing and Improving the Services
We use personal information to operate the Services: creating and maintaining accounts, recording and hosting Submissions, providing customer support, monitoring performance and security, and developing new features.
3.2 Your Submissions Are Private by Default
Submissions are private by default. We do not use, publish, or share a Submission beyond what is needed to provide the Services to you unless you opt in to allow broader use. If you opt in to share a Submission with TheirStory, you grant TheirStory, our affiliated companies, and our necessary sublicensees a non-exclusive, worldwide, royalty-free, perpetual license to copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat that Submission, and to publish your name in connection with it. You may revoke this consent at any time for future use, but revocation does not affect our license to Submissions already shared while your consent was in effect.
3.3 Legal Bases for Processing (EEA/UK Users)
Where the GDPR applies, we process personal information on one or more of the following legal bases: performance of a contract with you or your organization; our legitimate interests in operating, securing, and improving the Services (balanced against your rights); compliance with a legal obligation; and, where required, your consent, for example, before publishing a Submission or a testimonial.
4. HOW WE SHARE INFORMATION
4.1 We Do Not Sell Personal Data
TheirStory does not sell personal data, and we do not share personal data with third parties for those third parties' own advertising or marketing purposes. We do not operate third-party behavioral advertising networks on the Services.
4.2 Third-Party Service Providers
We share personal information with selected third-party service providers that support our business operations and service delivery, such as cloud hosting and storage, video and audio recording infrastructure, transcription services, email delivery, and payment processing. We assess these providers' security, privacy, and contractual controls before onboarding and periodically thereafter, and our agreements with them include confidentiality and data-security obligations proportionate to the services provided and no less protective than those TheirStory itself follows. Additional information about our vendor security practices is available upon request, subject to appropriate confidentiality arrangements.
4.3 Legal Obligations and Safety
We may disclose information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to comply with the law, protect the rights, property, or safety of TheirStory, our users, or the public, or investigate fraud or security issues.
4.4 Business Transfers
If TheirStory is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4.5 With Your Consent
We may share information for other purposes with your consent, such as when you agree to a customer testimonial.
5. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Services are used so we can maintain and improve them. We use first-party and limited third-party analytics tools for this purpose. We do not use cookies to serve targeted third-party advertising. You can control cookies through your browser settings; disabling certain cookies may affect how the Services function.
6. DATA RETENTION AND DELETION
We retain personal information only for as long as necessary to provide the Services or as required by law. Specifically:
- Active accounts: we retain your Submissions and account information for as long as your account (or your organization's subscription) remains active.
- After an agreement ends: recordings are retained for up to 30 days after your account or your organization's agreement with us ends, after which they are permanently deleted, unless you export or request retention of specific content before that period expires.
- Deletion requests: if you or your organization submit a written request to delete personal data, we will delete or anonymize it within 60 days, except to the extent we are required to retain it by law.
You are responsible for exporting or downloading any recordings you wish to keep before your account or your organization's agreement ends.
7. DATA SECURITY
7.1 Safeguards
TheirStory maintains a risk-based information security programme designed to protect personal information against unauthorized access, disclosure, alteration, or destruction, and to support the confidentiality, integrity, and availability of the Services. Security is integrated into our governance, technology, and day-to-day operations, and is reviewed on an ongoing basis to address evolving threats and business requirements. Access to personal information is restricted to authorized personnel based on role, responsibility, and least privilege, with periodic access reviews and multi-factor authentication used where supported. We follow secure development and change management practices, including review and testing of code and system changes before release, and we maintain a vendor risk management process for reviewing the security and privacy practices of our third-party service providers. We also maintain a defined incident response process covering detection, escalation, investigation, and remediation, and vulnerability management and continuous monitoring practices to help maintain the security of our production environment.
Where applicable, independent certifications, attestations, or audit reports may be made available to customers under appropriate confidentiality arrangements.
7.2 Encryption
Data transmitted between users, applications, and supporting services is protected using secure communication protocols, including HTTPS/TLS where applicable. Data stored within our production systems is protected using encryption at rest, where supported by the underlying infrastructure and service providers.
7.3 Breach Notification
If we become aware of a confirmed security incident involving unauthorized access to or disclosure of your personal data, we will notify affected individuals and/or the relevant Subscriber without undue delay, and in no event later than seventy-two (72) hours after we become aware of the incident, to the extent required by applicable law. Notice will describe, to the extent known, the nature of the incident, the categories and approximate number of individuals and records affected, and the steps we are taking in response.
8. CHILDREN'S PRIVACY AND USERS UNDER 18
8.1 Children Under 13 (COPPA)
TheirStory does not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that a child under 13 has provided personal information without such consent, we will take steps to delete it. Parents and guardians may contact us using the information in Section 14 to review, request deletion of, or stop further collection of their child's personal information; we will take reasonable steps to verify the requester's identity before granting access.
8.2 Users Age 13 to 17
If a Subscriber's authorized users include individuals between the ages of 13 and 17, the Subscriber is responsible for obtaining and retaining verifiable parental or guardian consent before those individuals use the Services, and for providing copies of that consent to TheirStory upon request. We do not knowingly use information about users under 18 for behavioral advertising.
9. YOUR PRIVACY RIGHTS
9.1 European Economic Area and United Kingdom
If the GDPR or UK GDPR applies to you, you have the right to request access to, correction of, restriction of, or erasure of your personal data; to receive a copy of your data in a portable format; to object to processing based on our legitimate interests or for direct marketing; and to lodge a complaint with your local data protection authority. To exercise these rights, contact us using the information in Section 14.
9.2 California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, and disclose about you; to request deletion or correction of your personal information; to opt out of the sale or sharing of personal information (we do not sell or share personal information, so no action is needed to exercise this right); to limit the use of sensitive personal information; and to not receive discriminatory treatment for exercising these rights. To submit a request, contact us using the information in Section 14.
9.3 Other U.S. States
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, or certain profiling, rights that are already satisfied by our practices described in this Policy. Contact us using the information in Section 14 to exercise these rights.
9.4 How We Respond
We will verify your identity before responding to a rights request and will respond within the time required by applicable law. You may designate an authorized agent to submit a request on your behalf where permitted by law.
10. SENSITIVE PERSONAL DATA
Because the Services are used to record personal oral histories, your Submissions may reveal sensitive information such as health conditions, racial or ethnic origin, religious beliefs, sexual orientation, or immigration status. We do not use sensitive personal data to infer characteristics about you for advertising, and we limit access to Submissions to what is necessary to provide the Services, respond to your instructions, and comply with law.
11. INTERNATIONAL DATA TRANSFERS
TheirStory is based in the United States, and personal information we collect is generally stored and processed in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States, which may not have the same data protection laws as your home jurisdiction. Where required, we rely on appropriate safeguards, such as standard contractual clauses, for such transfers.
12. LINKS TO OTHER WEBSITES
The Services may contain links to third-party websites. We are not responsible for the privacy practices of those websites, and we encourage you to review their privacy policies before providing them with information.
13. CHANGES TO THIS POLICY
We may update this Policy from time to time. If we make material changes, we will notify you by posting a notice on the Services, by email, or by another reasonable method, before the changes take effect. The "Last Updated" date above indicates when this Policy was last revised.
14. CONTACT US
If you have questions about this Policy or wish to exercise any of the rights described above, contact us at:
Email: privacy@theirstory.io
TheirStory, Inc., 55 Branford Rd, Rochester, NY 14618
For GDPR purposes, TheirStory, Inc. is the data controller of personal information processed through the Services.