Privacy Policy

Last updated: January 1, 2026

At OurStoria, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our wedding video hosting platform.

1. Information We Collect

1.1 Information You Provide Directly

Account Registration:

  • Full name
  • Email address
  • Business name (optional)
  • Phone number (for account verification)
  • Payment information (processed securely through Creem / Armitage Labs OÜ)

Profile & Portfolio Information:

  • Profile photo/logo
  • Business description
  • Social media links (Telegram, WhatsApp, Instagram)
  • Portfolio customization preferences (fonts, colors)

Content You Upload:

  • Wedding videos and related media files
  • Project metadata (couple names, wedding dates, project titles)
  • Custom branding elements (logos, overlays)

Client Information (CRM Data):

  • Client names (couples)
  • Client email addresses
  • Wedding dates
  • Project access links

1.2 Information We Collect Automatically

Analytics & Viewing Data:

  • Video playback events (play, pause, seek, completion rate)
  • Viewing timestamps and session duration
  • Rewatched segments and attention heatmaps
  • Device type and browser information
  • IP addresses (anonymized for analytics)

Technical Data:

  • Browser type and version
  • Operating system
  • Device identifiers
  • Cookies and similar tracking technologies
  • Log data (access times, pages viewed, errors)

Performance Data:

  • Upload speeds and file processing times
  • Streaming quality metrics
  • Storage usage statistics

1.3 Information from Third Parties

Payment Processor (Creem / Armitage Labs OÜ):

  • Transaction confirmations
  • Billing information
  • Subscription status updates
  • Refund notifications

2. How We Use Your Information

2.1 To Provide Our Service

  • Create and manage your account
  • Process and store your video content
  • Enable video streaming and downloads
  • Generate custom branded galleries
  • Create public portfolio pages
  • Provide customer support

2.2 Analytics & Insights

  • Calculate engagement metrics
  • Provide drop-off analysis and viewing patterns
  • Help you understand how your content performs

2.3 Communication & Marketing

  • Send transactional emails (upload confirmations, payment receipts)
  • Send account notifications (storage warnings, payment failures)
  • Provide product updates and feature announcements (you can opt-out)
  • Respond to your inquiries and support requests

2.4 Business Operations

  • Process payments and prevent fraud
  • Monitor and improve service performance
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect against security threats

2.5 Legal Compliance

  • Respond to legal requests and prevent harm
  • Enforce our agreements and policies
  • Protect our rights and property

3. How We Store and Protect Your Data

3.1 Data Storage

Video Content:

  • Stored on cloud storage
  • Located in secure data centers with enterprise-grade infrastructure
  • Encrypted at rest and in transit (SSL/TLS)

Account & Analytics Data:

  • Stored on secure VPS infrastructure
  • Database: MySQL/PostgreSQL with encryption
  • Regular automated backups
  • Access restricted to authorized personnel only

3.2 Security Measures

  • Industry-standard encryption (AES-256 for data at rest, TLS 1.3 for data in transit)
  • Secure authentication with password hashing (bcrypt)
  • Regular security audits and penetration testing
  • DDoS protection through Cloudflare
  • Two-factor authentication available for accounts
  • IDOR protection (users can only access their own content)

3.3 Data Retention

Active Accounts:

  • Content retained as long as your subscription is active
  • Analytics data retained for 24 months

Suspended Accounts (Non-Payment):

  • Days 1-7: All data retained
  • Day 8: Permanent deletion (except Safe Archive projects)

Cancelled Accounts:

  • 7-day grace period for data recovery
  • After 7 days: Permanent deletion

Safe Archive Projects:

  • Retained as long as annual archive fee is paid
  • Deleted 3 days after archive subscription expires

Backups:

  • Backup retention: 10 days
  • After deletion, backups are purged on a rolling basis

3.4 Live Moments — Guest Uploads

When a OurStoria customer (the "Event Host") enables the Live Moments feature for a project, wedding guests may upload photos and short videos directly to that project through a QR code printed by the Event Host.

  • Data roles: the Event Host acts as the data controller for all content and metadata submitted by their guests. OurStoria acts as the data processor, storing and serving that content strictly on the Event Host's behalf.
  • Data collected from guests: the photo or video file, file size and duration, the display name the guest voluntarily types (optional), timestamp of upload, and a truncated IP address used only for rate-limiting and abuse prevention.
  • No guest accounts: guests do not register, do not set a password, and are not tracked across sessions. A per-session cookie remembers their chosen display name on the same device.
  • Retention: guest uploads follow the same retention rules as the parent project. When the Event Host deletes a session or individual upload, the underlying files are scheduled for permanent deletion within 30 days.
  • Access: only the Event Host and — if they opt in — viewers of the project's public gallery can see guest uploads. OurStoria staff access the files only for abuse investigations or lawful requests.
  • Data-subject rights: guests may contact the Event Host or OurStoria support to request deletion of their uploads at any time.

4. How We Share Your Information

4.1 We DO NOT Sell Your Data

We will never sell, rent, or trade your personal information to third parties for marketing purposes.

4.2 Service Providers

We share data with trusted third parties who help us operate our service:

  • Video storage and delivery
  • Payment processing and subscription management
  • Server infrastructure hosting
  • Transactional and CRM emails

These providers are contractually obligated to protect your data and use it only for specified purposes.

4.3 Public Information

The following information is publicly visible when you choose to make it public:

  • Your public portfolio page content
  • Projects you mark as "public"
  • Your business name and profile logo (if added to galleries)
  • Your contact information displayed in footer

4.4 Legal Requirements

We may disclose information if required by law, subpoena, or court order, or to:

  • Comply with legal processes
  • Protect our rights and property
  • Prevent fraud or security threats
  • Protect the safety of our users

5. Cookies and Tracking Technologies

When you first visit our site, a cookie consent banner lets you accept, reject, or customise which cookie categories you allow. Your preference is stored in your browser's localStorage and respected on every subsequent visit.

5.1 Necessary Cookies (always active)

Required for core functionality. Cannot be disabled.

  • Session cookie — keeps you logged in during your visit
  • CSRF token — protects form submissions from cross-site attacks
  • Cookie consent preference — remembers your cookie choices (stored in localStorage)

5.2 Analytics Cookies (optional)

Help us understand how visitors use the site so we can improve it.

  • Page views and navigation patterns
  • Video playback statistics
  • Feature usage metrics

5.3 Marketing Cookies (optional)

Enable personalized advertising and conversion tracking on third-party platforms.

  • Meta Pixel (Facebook/Instagram ads)
  • Other advertising platform tags (loaded only with your consent)

5.4 Managing Your Cookie Preferences

You can change your cookie preferences at any time by clicking the "Cookie Settings" link in the site footer, which will re-open the consent banner. You can also clear cookies through your browser settings; however, disabling necessary cookies may prevent you from using core features of the platform.

6. Your Privacy Rights

Depending on your location, you may have the following rights:

6.1 Access & Portability

  • Request a termination of your data

6.2 Correction

  • Update or correct inaccurate information
  • Modify your profile and settings

6.3 Deletion

  • Request deletion of your account and data
  • Subject to legal retention requirements

6.4 Objection & Restriction

  • Opt-out of marketing communications
  • Restrict certain data processing activities

6.5 Withdraw Consent

  • Revoke consent for data processing where applicable

To exercise these rights, contact us at [email protected]

7. Children's Privacy

OurStoria is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in compliance with applicable laws.

9. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt-out of the sale of personal information (Note: We do not sell personal information)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising privacy rights

To exercise these rights, email us at [email protected] with "California Privacy Rights" in the subject line.

10. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

Legal basis for processing:

  • Contract performance: To provide our services
  • Legitimate interests: Analytics, security, and improvements
  • Consent: Marketing communications (opt-in)
  • Legal obligations: Compliance with laws

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be communicated via:

  • Email notification (30 days advance notice)
  • In-app notification
  • Updated "Last Updated" date at the top of this policy

Continued use of OurStoria after changes constitutes acceptance of the updated policy.

12. Data Protection Officer

For privacy-related inquiries, contact our Data Protection Officer:

13. Contact Us

For questions about this Privacy Policy or our privacy practices:

By using OurStoria, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.