Privacy Policy
How we collect, use, and protect your data when you use Custory.
Last updated: July 3, 2026
Overview
Custory ("we", "our", or "us") provides software for customer journey mapping, collaboration, integrations, and workflow automation. This Privacy Policy explains what information we collect, how we use it, when we share it, and the choices available to you when you use our website, product, and connected integrations.
This Privacy Policy applies to information we process as a business software provider. It does not apply to third-party services that you connect to Custory, which remain subject to their own terms and privacy policies.
Information We Collect
Account and Authentication Information
When you sign up, sign in, or are invited into a workspace, we may collect:
- Name, email address, profile details, and workspace membership information
- Authentication and session data managed through WorkOS AuthKit
- Organization, sign-in method, and account security details such as MFA or verification state
Workspace and Product Content
We collect and store information you or your team submit in Custory, including:
- Journey maps, stages, steps, personas, comments, attachments, tasks, and workflow data
- Workspace settings, member roles, invitations, and collaboration history
- Support requests, feedback submissions, and messages you send to us through the product
Connected Integration Data
When you connect third-party services, we receive the information needed to provide those integrations. Depending on the service, this may include:
- OAuth access tokens and refresh tokens, stored in encrypted form
- Basic account, workspace, tenant, or installation metadata
- Read-only or scoped content from connected systems such as Figma, Intercom, Google Drive, Jira, Linear, Notion, Slack, Discord, GitHub, and Miro
- Manual credentials and metadata for services such as PostHog or Stripe when you choose to connect them
The exact data available to Custory depends on the permissions you authorize and the functionality you choose to use.
Usage, Device, and Analytics Information
We automatically collect technical and usage information, including:
- Log data such as IP address, browser type, device information, pages visited, and request metadata
- Product usage events, feature interactions, and workspace-level analytics
- Cookie and similar identifier data used for authentication, security, analytics, and product functionality
How We Use Information
We use information we collect to:
- Provide, operate, secure, maintain, and improve Custory
- Authenticate users, manage sessions, and administer workspaces
- Process and maintain connected integrations that you authorize
- Import, display, sync, analyze, or transform data at your direction
- Monitor usage, debug issues, and improve product performance
- Communicate with you about support, security, service updates, and administrative matters
- Prevent abuse, fraud, unauthorized access, and other harmful or unlawful activity
- Comply with legal obligations and enforce our terms
Cookies, Analytics, and Similar Technologies
We use cookies, local storage, session storage, scripts, embeds, and similar technologies to run Custory, remember choices, provide requested features, and measure product usage. Strictly necessary storage is used for site operation, authentication, session security, workspace access, billing flows, interface preferences, and abuse prevention.
Optional categories are disabled until consent where consent is required. You can change or withdraw consent by updating your browser privacy settings or clearing saved site preferences.
- Necessary technologies include WorkOS authentication and session handling, Convex application requests, Autumn billing flows, security and account-management storage, and the Inth/c15t record of your consent choice. They also include basic Sentry error and security monitoring used to keep the service reliable and secure.
- Functionality technologies may include external demo-booking links to Cal.com when you choose to book a demo
- Experience technologies may remember interface choices such as theme, workspace navigation, and editor preferences
- Measurement technologies include PostHog for product analytics, event measurement, and pageview analytics. Where required, optional Sentry replay, session diagnostics, and performance analytics are treated as measurement technologies.
- Marketing technologies are reserved for advertising, retargeting, or campaign measurement. We do not currently load advertising pixels on the website or app.
PostHog and other optional measurement tools are blocked before measurement consent is granted. If measurement consent is withdrawn after a tool has loaded, Custory stores the updated choice through Inth/c15t and reloads the page where needed so optional scripts and requests stop loading under the new preferences.
We do not use your information for third-party advertising networks or sell personal information.
Legal Bases for Processing
Depending on where you are located, we rely on one or more of the following legal bases for the typical processing activities below:
Consent is relied on where required by law, including for optional analytics or other processing for which we specifically request consent.
| Activity | Typical legal basis |
|---|---|
| Account creation, workspace access, and providing Custory | Performance of a contract |
| Security logs, authentication, fraud detection, and abuse prevention | Legitimate interests |
| Billing, invoicing, refunds, and tax records | Performance of a contract and compliance with legal obligations |
| Optional PostHog analytics and similar measurement tools | Consent where required |
| Service communications, support, and administrative notices | Performance of a contract and legitimate interests |
| Marketing messages | Consent or legitimate interests, as applicable |
Where we process connected integration data to provide features your workspace enables, we generally do so under your workspace's instructions and our contractual relationship with the customer, rather than on the basis of individual privacy consent from each person whose data may appear in the connected service.
Controller and Processor Roles
Custory generally acts as a controller for account, billing, support, security, and website information.
When we process Customer Content and connected-service data on behalf of a customer workspace, we generally act as a processor under that customer's instructions.
How We Share Information
We may share information in the following circumstances:
- With service providers and infrastructure partners that help us run Custory, such as authentication, hosting, analytics, support, and security vendors
- With third-party services you choose to connect, when required to complete actions you request or maintain an authorized integration
- Within your workspace, according to your team settings, roles, and collaboration activity
- When required by law, regulation, legal process, or to protect rights, safety, and security
- In connection with a merger, financing, acquisition, reorganization, or sale of assets
We do not sell personal information or share personal information with third parties for their own advertising purposes.
Third-Party Integrations and OAuth
If you connect an integration, your workspace instructs Custory to access and process the information made available by that service within the scope of the permissions approved for the connection. We use that access only to provide the integration features your workspace requests.
- OAuth tokens are stored in encrypted form and used to maintain the connection
- Connected data may be imported, displayed, synchronized, searched, or analyzed within your workspace
- Integration data is generally processed on behalf of the customer under the customer's instructions and applicable contractual terms
- You can revoke access by disconnecting the integration in Custory or through the third-party provider
- Third-party providers may continue to process your data under their own policies after disconnection
Google API Data
If you connect Google Drive or related Google Workspace content, Custory requests read-only access to the Google files and account details needed to provide the feature, including Google Docs, Sheets, Slides, basic profile information, and email address.
We use Google user data only to provide and support the user-facing features you request. We do not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models.
Custory's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Data Retention
We retain information for as long as reasonably necessary to provide the service, maintain your workspace, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary depending on the type of data and whether the information is needed for security, backup, billing, or legal compliance.
Data Security
We use technical and organizational measures designed to protect information, including:
- Encryption in transit using HTTPS/TLS
- Encrypted storage of OAuth tokens and credentials
- Authentication and session management through WorkOS
- Access controls, role-based permissions, and operational safeguards
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
International Data Transfers
We and our service providers may process information outside your country, including outside the European Economic Area. Where required, we rely on applicable transfer mechanisms and safeguards for cross-border transfers, which may include adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, and Standard Contractual Clauses. The mechanism used may vary by provider and processing context.
Your Rights and Choices
Depending on your location and applicable law, you may have rights to:
- Access, correct, update, or delete personal information
- Object to or restrict certain processing
- Request portability of certain information
- Withdraw consent where processing is based on consent
- Disconnect integrations or revoke third-party access
- Opt out of non-essential communications
You may also have rights to appeal a decision we make about a privacy request, depending on your jurisdiction.
Children's Privacy
Custory is intended for business users and is not directed to children. We do not knowingly collect personal information from children under 16.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we will update the "Last updated" date and, where appropriate, provide additional notice.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us through our contact page or at support@usecustory.com.