Our promise before you read a word: Privacy is not a compliance checkbox at EverStory — it is the foundation of every product decision we make. This policy is written in plain language because you deserve to understand exactly what happens to your family's most personal memories. If you ever have a question this document doesn't answer, email us at privacy@everstory.digital and a real person will respond.
01 Who We Are
EverStory is operated by Northwren Technologies, a company incorporated in the United States of America ("we," "us," "our"). We operate the website at everstory.digital and all related services (collectively, the "Service").
For EU/UK users, we act as the data controller under GDPR and UK GDPR. For California residents, we are the business under the California Consumer Privacy Act (CCPA/CPRA). For Canadian residents, we are the organization under PIPEDA.
02 What This Policy Covers
This Privacy Policy applies to all personal data collected when you:
- Visit or use the EverStory website (everstory.digital)
- Create an account or join our waitlist
- Create, upload, or share content through EverStory
- Contact us by any means
- Use any EverStory mobile application or related services
It does not apply to third-party websites we may link to. We are not responsible for the privacy practices of those sites.
03 Information We Collect
3.1 Information You Provide Directly
- Account registration: Name, email address, password (hashed — we never store plaintext passwords)
- Waitlist signup: Name, email address, and optional "intent" preference
- Profile content: Stories, life events, memories, photographs, videos, audio recordings, written text, and any other content you upload
- Contributor information: Names or email addresses of family members or contributors you invite
- Communications: Messages you send to our support or contact channels
- Payment information: Billing name and email. We do not store your card number, CVV, or banking details — these are processed entirely by Stripe, Inc. under their own privacy policy (stripe.com/privacy)
3.2 Information Collected Automatically
- Usage data: Pages visited, features used, time spent, clicks — aggregated and used only to improve the Service
- Device & browser information: Browser type, operating system, screen resolution, language preference
- IP address: Used for security, fraud prevention, and approximate geolocation (country/region level only)
- Log data: Server logs including access times and error reports, retained for security and debugging purposes
3.3 Information We Do Not Collect
We never collect the following:
We do not collect government identification numbers, precise GPS location, contacts or address books, social media profile data, data from third-party advertising networks, or any information about you from data brokers. We will never purchase data about you from any source.
04 How We Use Your Information
We use your personal data only for the following purposes:
- To provide the Service: Creating and maintaining your account, storing and displaying your stories, enabling sharing with people you authorize
- To process payments: Verifying subscriptions through Stripe; sending receipts and billing notifications
- To send service communications: Account confirmations, security alerts, important product updates, and waitlist notifications. We do not send marketing emails without your explicit consent
- To improve the Service: Analyzing aggregated, anonymized usage patterns to understand what works and what doesn't. No individual user's story content is ever used for this purpose
- To ensure security: Detecting fraud, unauthorized access, abuse, and protecting the integrity of the platform
- To comply with legal obligations: Responding to lawful requests from authorities, as required by applicable law
We will never use your content to train AI models.
Your stories, photos, videos, and memories will never be used to train, fine-tune, or evaluate any artificial intelligence or machine learning system — by us or any third party.
05 Legal Basis for Processing (GDPR / UK GDPR)
For users in the EU and UK, we process your personal data on the following legal bases:
- Contract (Art. 6(1)(b)): Processing necessary to perform the Service you signed up for — creating your account, storing your stories, processing your subscription
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and improving the Service through anonymized analytics — where our interests do not override your rights
- Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable laws, tax obligations, or respond to lawful authority requests
- Consent (Art. 6(1)(a)): Where we ask for your consent (e.g., optional marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing
We do not process any special categories of personal data (Art. 9 GDPR) intentionally. If you choose to include sensitive information (health, religion, ethnicity) in a story, you do so voluntarily and it is processed solely to provide the Service.
06 How We Share Your Information
We do not sell, rent, or trade your personal data. Ever. We share data only in the following limited circumstances:
6.1 Service Providers (Data Processors)
We use carefully selected third-party providers who process data only on our behalf and under strict contractual terms:
- Stripe, Inc. — Payment processing. Stripe is PCI-DSS Level 1 certified. We share only the minimum data required to process your subscription
- Cloud hosting provider — Secure infrastructure for storing your data (e.g., AWS, Google Cloud, or equivalent). All providers are bound by data processing agreements
- Email delivery provider — Transactional email delivery (account confirmations, receipts). Not used for marketing without your consent
- Analytics — We use privacy-preserving, cookieless analytics (aggregated and anonymized only). No individual user tracking across sites
6.2 User-Authorized Sharing
You control who can view or contribute to your stories. When you share a story with family members or contributors, those individuals receive access only to what you explicitly authorize. We facilitate this sharing but do not access the content ourselves for any commercial purpose.
6.3 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to protect our legal rights, protect your safety or the safety of others, or investigate fraud. Where permitted, we will attempt to notify you before any such disclosure.
6.4 Business Transfers
If EverStory is acquired, merged, or substantially all of its assets transferred, your personal data may be transferred to the acquiring entity. In this event: (a) we will notify you at least 30 days in advance; (b) the acquiring entity must agree to honor this Privacy Policy or provide equivalent or greater protections; and (c) you will have the right to delete your account and export your data before any transfer takes effect.
07 Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request, subject to legal hold obligations
- Story content: Retained for as long as your account is active. Upon deletion, content is removed from active systems within 30 days and from backups within 90 days
- Waitlist data: Retained until you request removal or we permanently delete the waitlist, whichever comes first
- Payment records: Retained for 7 years as required by applicable tax and financial regulations
- Security logs: Retained for up to 12 months for security and fraud investigation purposes
- Communications: Support correspondence retained for up to 3 years to maintain continuity and quality of service
You may request earlier deletion of your data at any time (see Section 9 — Your Rights).
08 International Data Transfers
EverStory is operated from the United States. If you are located in the European Union, United Kingdom, Canada, or elsewhere outside the US, your data will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.
For transfers from the EU/UK, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the EU Commission-approved SCCs for transfers to the US and other third countries where no adequacy decision applies
- UK International Data Transfer Agreements (IDTAs): For transfers from the UK, we use UK-approved transfer mechanisms
- Adequacy decisions: Where available, we transfer data to countries with an EU/UK adequacy decision
You may request a copy of the safeguards we have in place by contacting privacy@everstory.digital.
09 Your Rights
Depending on where you are located, you may have the following rights regarding your personal data. We honor all of these rights regardless of your jurisdiction — they reflect our values, not just our legal obligations.
Right to Access
Request a copy of the personal data we hold about you, including what it is, where it came from, and how it's used. We will respond within 30 days.
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you. Most data can be corrected directly in your account settings.
Right to Erasure
Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days of a verified request, except where retention is required by law.
Right to Portability
Export all your story content and account data in a standard, machine-readable format (JSON/ZIP). Available at any time from your account settings — no request needed.
Right to Restriction
Request that we restrict processing of your data in certain circumstances — for example, while a dispute about accuracy is being resolved.
Right to Object
Object to processing based on legitimate interests, including profiling. We will stop processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right Not to Be Sold
We do not sell your data — but you have this right explicitly regardless. You can also opt out of any sharing for targeted advertising (we do none).
To exercise any of these rights, email privacy@everstory.digital with your request. We will verify your identity before responding and will not charge a fee for legitimate requests. If you believe we have violated your rights, you have the right to lodge a complaint with your local supervisory authority.
10 California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions
- Right to Correct: You may request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but we honor all opt-out requests
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights — you will not receive different pricing, service quality, or treatment
Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address); commercial information (subscription records); internet/network activity (usage logs); and content you voluntarily provide (stories, photos, memories).
We have not sold or shared California consumers' personal information with any third party for monetary or other valuable consideration.
To submit a CCPA request, email privacy@everstory.digital with "CCPA Request" in the subject line. We will respond within 45 days (extendable by an additional 45 days with notice).
11 UK & EU Residents (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to our processing of your personal data.
In addition to the rights described in Section 9, you have the right to lodge a complaint with your local Data Protection Authority (DPA):
- EU residents: Contact your national DPA (list available at edpb.europa.eu)
- UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk
We are committed to cooperating with supervisory authorities and resolving complaints. Please contact us first at privacy@everstory.digital — we aim to resolve all complaints within 30 days.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).
12 Canadian Residents (PIPEDA)
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws govern our handling of your personal information. We comply with PIPEDA's 10 fair information principles:
- We collect only the personal information necessary for identified purposes
- We obtain meaningful consent before or at the time of collection
- We use and disclose information only for the purposes for which it was collected
- We retain information only as long as necessary
- We keep information accurate, complete, and up-to-date
- We protect information with appropriate safeguards
- We are open about our policies and practices
- We provide individuals access to their information upon request
- We provide a means to challenge our compliance
To submit a PIPEDA access or correction request, or to challenge our compliance, contact privacy@everstory.digital. If not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
13 Children's Privacy
EverStory is not directed to children under the age of 13, and we do not knowingly collect personal data from children under 13. If you are between 13 and 18, you must have parental or guardian consent before using EverStory.
If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us immediately at privacy@everstory.digital.
For users in the EU/UK, the minimum age threshold may be higher depending on applicable national law (up to 16 years in some EU member states). We will comply with the applicable threshold in each jurisdiction.
14 Cookies & Tracking Technologies
EverStory uses a minimal and privacy-respecting approach to cookies:
- Essential cookies: Required for the Service to function — session authentication, security tokens, and user preferences. These cannot be disabled without breaking core functionality
- Analytics: We use privacy-preserving, cookieless analytics that collect only aggregated, anonymized data. No individual tracking, no cross-site tracking, no fingerprinting
- No advertising cookies: We do not use advertising networks, retargeting pixels, or any third-party tracking for commercial purposes
- No third-party social media trackers: We do not embed Facebook Pixel, Google Analytics (with tracking), or similar surveillance tools
Where required by law (e.g., for EU/UK users), we will present a cookie consent banner for any non-essential cookies. You may withdraw consent at any time through your browser settings or our cookie preference center.
15 Security
We take the security of your data — and the irreplaceable nature of what you're trusting us with — seriously. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Stored data, including all story content, is encrypted at rest using AES-256 or equivalent
- Password security: Passwords are hashed using bcrypt or equivalent. We never store or transmit plaintext passwords
- Access controls: Strict internal access controls — staff access to user data is logged, audited, and limited to what is necessary for support
- Regular audits: We conduct regular security reviews and aim to engage independent security researchers through a responsible disclosure program
- Incident response: In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities within 72 hours of discovery, as required by GDPR
No method of transmission or storage is 100% secure. If you have reason to believe your account has been compromised, contact us immediately at privacy@everstory.digital.
16 Changes to This Policy
We may update this Privacy Policy from time to time. Our commitment:
- Material changes — Changes that affect your rights or how we use your data — will be communicated by email and in-app notice at least 30 days before they take effect
- Minor changes — Corrections, clarifications, or changes that do not affect your rights — will be posted with an updated "Last Updated" date and noted in a change log
- Your options — If you disagree with material changes, you may delete your account and export your data before the changes take effect
- No retroactive changes — We will never apply new data use policies retroactively to data already collected without your consent
The current version of this Policy is always available at everstory.digital/privacy-policy. We maintain a version history of all past policies.
17 Contact Us
We welcome questions, requests, and feedback about this Privacy Policy or our data practices. A real person reads every message.
If you are in the EU/UK and have an unresolved privacy concern, you also have the right to contact your local Data Protection Authority (DPA). We encourage you to contact us first — we are committed to resolving all complaints.