data processing agreement
Effective: 2026-05-08 · Version 1.0
This Data Processing Agreement ("DPA") governs the processing of personal data by storyflo ("Processor") on behalf of any publisher or partner ("Controller") who integrates with the storyflo platform. By using storyflo to receive listener-attributed plays, RSS-ingested article renders, or any other listener-data-touching service, the Controller accepts the terms of this DPA in addition to the general Terms of Service.
A counter-signed PDF version is available on request — email story@storyflo.com with your company details.
1. parties + scope
Processor: storyflo, a private company operating at storyflo.com, with operations contact story@storyflo.com.
Controller: the publisher / partner / organisation accepting these terms.
Subject matter: processing of personal data relating to listeners (subscribers to private podcast feeds), publisher staff (dashboard users), and end-users of embedded audio surfaces (story page visitors, share-link recipients).
2. nature of processing
- Listener data: email address (when provided), feed token (random 32-hex), wallet address (if the listener bound one), verticals selected, listening history (article slug, timestamp, completion percentage), tier (free / plus / pro), Spotify display name (if connected).
- Publisher data: tenant slug, contact email, dashboard access token, Stripe Connect account ID, payout wallet addresses.
- Article data: title, body text, summary, cover image — public per the publisher's RSS feed.
We do not collect: payment-card numbers (handled by Stripe), passwords (we use magic-link auth), full IP addresses (we hash for rate limiting + drop the raw value), or biometric data.
3. duration + retention
We retain listener data for the lifetime of the subscription. On unsubscribe, we hard-delete from our primary database within 7 days. Encrypted backups are retained for 30 days, then expire.
Article render audio (cached in R2) is retained for 90 days after the article last received a play; older audio is evicted by R2 lifecycle policy.
4. obligations of the processor
- process personal data only on documented instructions from the Controller (the integration itself constitutes standing instructions);
- ensure all personnel with access to personal data are under a written confidentiality obligation;
- implement appropriate technical + organisational measures (see the trust page) including encryption-in-transit (TLS 1.2+), encryption-at-rest (Postgres + R2 + Fernet for listener-supplied API keys), secret-scoped tokens, and a documented vulnerability disclosure policy;
- notify the Controller without undue delay (within 72 hours of becoming aware) of any personal data breach affecting their data;
- assist the Controller in responding to data-subject requests via the self-service flows at /legal/gdpr;
- return or delete personal data on contract termination at the Controller's choice.
5. sub-processors
The Controller authorises storyflo to engage the following sub-processors. We commit to giving 30-day notice of any material change to this list (notice posted at /changelog).
| sub-processor | purpose | data location |
|---|---|---|
| Vercel | frontend hosting | Global (CDN) |
| Fly.io | backend + Postgres + worker | US (sjc) + EU (fra) — see trust page |
| Cloudflare R2 | audio cache storage | WEUR + APAC (per-region buckets) |
| Postmark (ActiveCampaign) | transactional email | US |
| Stripe | publisher payouts + listener subscriptions | US (per Stripe DPA) |
| Circle Programmable Wallets | custodial USDC wallets | US (per Circle DPA) |
| OpenAI / Groq / Together / ElevenLabs / Cartesia | LLM summary + premium TTS | US (per provider DPAs) |
| Sentry | error tracking | US (per Sentry DPA) |
6. international data transfers
Where personal data of EU/UK residents is transferred to a sub-processor outside the EU/UK, the transfer is governed by the EU Standard Contractual Clauses (Module 3: Processor-to-Processor) incorporated by reference. We use Cloudflare R2's EU jurisdiction bucket (storyflo-audio-eu) for audio originating from EU listener renders to keep European data European.
7. data-protection contact
storyflo's designated data-protection contact (acting as DPO for GDPR purposes during the alpha period):
- Name: storyflo data-protection team
- Email: story@storyflo.com (subject prefix: GDPR:)
- Response SLA: 5 business days for acknowledgement; 30 days for substantive response (per GDPR Article 12).
8. termination
On termination of the Controller's storyflo account, storyflo will, at the Controller's choice:
- return all personal data via a JSON export (the GET /v1/publisher/{tenant_slug}/articles endpoint + a one-shot listener-data dump, on request);
- delete all personal data within 30 days. Encrypted backups expire on the standard rolling 30-day cycle.