Privacy Policy

How we collect, use, and protect your data when you use Custory.

Last updated: July 3, 2026

Overview

Custory ("we", "our", or "us") provides software for customer journey mapping, collaboration, integrations, and workflow automation. This Privacy Policy explains what information we collect, how we use it, when we share it, and the choices available to you when you use our website, product, and connected integrations.

This Privacy Policy applies to information we process as a business software provider. It does not apply to third-party services that you connect to Custory, which remain subject to their own terms and privacy policies.

Information We Collect

Account and Authentication Information

When you sign up, sign in, or are invited into a workspace, we may collect:

  • Name, email address, profile details, and workspace membership information
  • Authentication and session data managed through WorkOS AuthKit
  • Organization, sign-in method, and account security details such as MFA or verification state

Workspace and Product Content

We collect and store information you or your team submit in Custory, including:

  • Journey maps, stages, steps, personas, comments, attachments, tasks, and workflow data
  • Workspace settings, member roles, invitations, and collaboration history
  • Support requests, feedback submissions, and messages you send to us through the product

Connected Integration Data

When you connect third-party services, we receive the information needed to provide those integrations. Depending on the service, this may include:

  • OAuth access tokens and refresh tokens, stored in encrypted form
  • Basic account, workspace, tenant, or installation metadata
  • Read-only or scoped content from connected systems such as Figma, Intercom, Google Drive, Jira, Linear, Notion, Slack, Discord, GitHub, and Miro
  • Manual credentials and metadata for services such as PostHog or Stripe when you choose to connect them

The exact data available to Custory depends on the permissions you authorize and the functionality you choose to use.

Usage, Device, and Analytics Information

We automatically collect technical and usage information, including:

  • Log data such as IP address, browser type, device information, pages visited, and request metadata
  • Product usage events, feature interactions, and workspace-level analytics
  • Cookie and similar identifier data used for authentication, security, analytics, and product functionality

How We Use Information

We use information we collect to:

  • Provide, operate, secure, maintain, and improve Custory
  • Authenticate users, manage sessions, and administer workspaces
  • Process and maintain connected integrations that you authorize
  • Import, display, sync, analyze, or transform data at your direction
  • Monitor usage, debug issues, and improve product performance
  • Communicate with you about support, security, service updates, and administrative matters
  • Prevent abuse, fraud, unauthorized access, and other harmful or unlawful activity
  • Comply with legal obligations and enforce our terms

Cookies, Analytics, and Similar Technologies

We use cookies, local storage, session storage, scripts, embeds, and similar technologies to run Custory, remember choices, provide requested features, and measure product usage. Strictly necessary storage is used for site operation, authentication, session security, workspace access, billing flows, interface preferences, and abuse prevention.

Optional categories are disabled until consent where consent is required. You can change or withdraw consent by updating your browser privacy settings or clearing saved site preferences.

  • Necessary technologies include WorkOS authentication and session handling, Convex application requests, Autumn billing flows, security and account-management storage, and the Inth/c15t record of your consent choice. They also include basic Sentry error and security monitoring used to keep the service reliable and secure.
  • Functionality technologies may include external demo-booking links to Cal.com when you choose to book a demo
  • Experience technologies may remember interface choices such as theme, workspace navigation, and editor preferences
  • Measurement technologies include PostHog for product analytics, event measurement, and pageview analytics. Where required, optional Sentry replay, session diagnostics, and performance analytics are treated as measurement technologies.
  • Marketing technologies are reserved for advertising, retargeting, or campaign measurement. We do not currently load advertising pixels on the website or app.

PostHog and other optional measurement tools are blocked before measurement consent is granted. If measurement consent is withdrawn after a tool has loaded, Custory stores the updated choice through Inth/c15t and reloads the page where needed so optional scripts and requests stop loading under the new preferences.

We do not use your information for third-party advertising networks or sell personal information.

Legal Bases for Processing

Depending on where you are located, we rely on one or more of the following legal bases for the typical processing activities below:

Consent is relied on where required by law, including for optional analytics or other processing for which we specifically request consent.

ActivityTypical legal basis
Account creation, workspace access, and providing CustoryPerformance of a contract
Security logs, authentication, fraud detection, and abuse preventionLegitimate interests
Billing, invoicing, refunds, and tax recordsPerformance of a contract and compliance with legal obligations
Optional PostHog analytics and similar measurement toolsConsent where required
Service communications, support, and administrative noticesPerformance of a contract and legitimate interests
Marketing messagesConsent or legitimate interests, as applicable

Where we process connected integration data to provide features your workspace enables, we generally do so under your workspace's instructions and our contractual relationship with the customer, rather than on the basis of individual privacy consent from each person whose data may appear in the connected service.

Controller and Processor Roles

Custory generally acts as a controller for account, billing, support, security, and website information.

When we process Customer Content and connected-service data on behalf of a customer workspace, we generally act as a processor under that customer's instructions.

How We Share Information

We may share information in the following circumstances:

  • With service providers and infrastructure partners that help us run Custory, such as authentication, hosting, analytics, support, and security vendors
  • With third-party services you choose to connect, when required to complete actions you request or maintain an authorized integration
  • Within your workspace, according to your team settings, roles, and collaboration activity
  • When required by law, regulation, legal process, or to protect rights, safety, and security
  • In connection with a merger, financing, acquisition, reorganization, or sale of assets

We do not sell personal information or share personal information with third parties for their own advertising purposes.

Third-Party Integrations and OAuth

If you connect an integration, your workspace instructs Custory to access and process the information made available by that service within the scope of the permissions approved for the connection. We use that access only to provide the integration features your workspace requests.

  • OAuth tokens are stored in encrypted form and used to maintain the connection
  • Connected data may be imported, displayed, synchronized, searched, or analyzed within your workspace
  • Integration data is generally processed on behalf of the customer under the customer's instructions and applicable contractual terms
  • You can revoke access by disconnecting the integration in Custory or through the third-party provider
  • Third-party providers may continue to process your data under their own policies after disconnection

Google API Data

If you connect Google Drive or related Google Workspace content, Custory requests read-only access to the Google files and account details needed to provide the feature, including Google Docs, Sheets, Slides, basic profile information, and email address.

We use Google user data only to provide and support the user-facing features you request. We do not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models.

Custory's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data Retention

We retain information for as long as reasonably necessary to provide the service, maintain your workspace, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary depending on the type of data and whether the information is needed for security, backup, billing, or legal compliance.

Data Security

We use technical and organizational measures designed to protect information, including:

  • Encryption in transit using HTTPS/TLS
  • Encrypted storage of OAuth tokens and credentials
  • Authentication and session management through WorkOS
  • Access controls, role-based permissions, and operational safeguards

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

International Data Transfers

We and our service providers may process information outside your country, including outside the European Economic Area. Where required, we rely on applicable transfer mechanisms and safeguards for cross-border transfers, which may include adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, and Standard Contractual Clauses. The mechanism used may vary by provider and processing context.

Your Rights and Choices

Depending on your location and applicable law, you may have rights to:

  • Access, correct, update, or delete personal information
  • Object to or restrict certain processing
  • Request portability of certain information
  • Withdraw consent where processing is based on consent
  • Disconnect integrations or revoke third-party access
  • Opt out of non-essential communications

You may also have rights to appeal a decision we make about a privacy request, depending on your jurisdiction.

Children's Privacy

Custory is intended for business users and is not directed to children. We do not knowingly collect personal information from children under 16.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will update the "Last updated" date and, where appropriate, provide additional notice.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us through our contact page or at support@usecustory.com.