How STORI handles your personal data.
We’re required by law to keep this record. We’d keep it anyway, because you should be able to read it.
Controller and contact
STORI is operated by Stori Provenance Ltd, a company registered in England and Wales (company number to be assigned at incorporation). Our registered address is 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom.
If you have a question about how we handle your personal data, or you’d like to exercise a right under the UK GDPR (access, rectification, erasure, portability, objection, restriction), write to our Data Protection Officer at dpo@stori.life. We aim to respond within seven days, and we’re required to respond within thirty.
You can also complain to the Information Commissioner’s Office (ICO) at any time. Their address is Wycliffe House, Water Lane, Wilmslow, SK9 5AF, and their helpline is 0303 123 1113. We’d rather you came to us first, but the right exists either way.
Categories of personal data, lawful basis, and retention
This table sets out the data STORI processes, why we process it, on what lawful basis, and how long we keep it.
| Category | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Account identity (name, email, password hash) | Sign-in, account ownership, transactional emails | Contract (UK GDPR Art. 6(1)(b)) | Until account closure + 14 days (cooling-off, see §5) |
| Studio profile (business name, address, VAT number) | Issuing invoices, displaying the studio to customers and brand partners | Contract | Until account closure + 6 years (HMRC) |
| Customer contact (name, email, phone, postal address) | Communicating about a piece, dispatching it, sending logbook access | Contract — between the studio and their customer; STORI processes on the studio's behalf | 7 years from last activity (insurance and dispute window) |
| Piece records (photographs, descriptions, repair notes, condition reports) | The provenance log itself — STORI's core product | Contract | Indefinite. The customer can request the piece's record be sealed (read-only with their permission required) or deleted at any time. |
| Payment data (card last four, billing address; full card details never touch our servers) | Subscription billing; payouts via Stripe Connect | Contract; also legal obligation (HMRC) for invoices | 6 years (HMRC) |
| Audit trail (who did what, when, on which record) | Security, regulator reporting, dispute resolution | Legitimate interest (UK GDPR Art. 6(1)(f)) | 7 years |
| Web analytics (page views, referrer, screen size — no IP address retained after geolocation, no cookies on first paint) | Improving the product | Legitimate interest, with a clear opt-out in the footer | 26 months (Google Analytics 4 default; we'll lower this if we can) |
| Marketing (email opt-ins for product updates) | The launch newsletter and feature announcements | Consent (UK GDPR Art. 6(1)(a)) | Until withdrawn, plus 30 days |
Recipients and sub-processors
These are the third parties STORI shares data with, why, and where they sit. We don’t sell or rent personal data, ever. We use sub-processors only for the operational reasons listed.
| Sub-processor | Purpose | Region | Contractual basis |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage (piece photographs, certificates, dispatch labels) | EU-West (Ireland) primary; US fallback for backups | Data Processing Addendum (incorporates SCCs); Supabase is SOC 2 Type II |
| Resend, Inc. | Transactional email delivery (sign-in links, quote and invoice notifications, dispatch updates) | US, with EU sending option used for UK recipients | DPA with SCCs |
| Vercel, Inc. | Application hosting and edge caching | Multi-region; UK traffic served from London POP | DPA with SCCs |
| Stripe Payments UK, Ltd. | Subscription billing, Connect payouts to studios, brand statement payments | UK (Stripe Payments UK is the contracting entity for UK studios) | DPA |
| Stripe Payments Europe, Ltd. | The above for EU studios where applicable | Ireland | DPA with SCCs |
| Cloudflare, Inc. | DNS, DDoS protection, edge image transforms (no log retention beyond 24 hours) | Global edge | DPA with SCCs |
| Sentry (Functional Software, Inc.) | Application error reporting (we strip personal data from payloads before sending) | EU region | DPA with SCCs |
| Postmark / ActiveCampaign | Marketing email (separate from transactional, opt-in only, with a clear opt-out in every send) | US | DPA with SCCs |
We review this list quarterly. The table above is the authoritative list; changes trigger an email to all studio owners 30 days before a new sub-processor is brought into scope.
International transfers and safeguards
Most of your data lives in the EU (Supabase Ireland, Stripe Ireland for EU studios, Sentry EU, Vercel London edge). Some processing happens in the United States — Resend, Cloudflare, Vercel control plane, Stripe Payments US for cross-border settlement, Postmark for marketing email.
When personal data leaves the UK for a country without an adequacy decision (the United States, principally), we rely on the UK International Data Transfer Agreement (the UK addendum to the EU Standard Contractual Clauses, Module 2 — controller to processor). We’ve also performed a Transfer Risk Assessment for each US sub-processor, and we apply supplementary measures: encryption in transit (TLS 1.2 minimum), encryption at rest, contractual prohibitions on government access requests outside the EU/UK, and a commitment to challenge any such request we receive on UK or EU subjects’ behalf.
If the legal landscape changes — for instance, if a successor to the EU-US Data Privacy Framework is invalidated again — we’ll move the affected processing to a different sub-processor or to a different region rather than continue under inadequate safeguards.
Per-record retention schedule
Beyond the table in §2, the following specific retention rules apply.
- Studio deletion cooling-off — when a studio owner deletes their studio, we keep the data live for 14 days before permanent erasure. During that window, we send three reminder emails (day 1, day 7, day 13) and the owner can restore the studio with a single click. After 14 days, all studio-private data is hard-deleted from primary storage and queued for backup-tier deletion within 90 days.
- Piece records — pieces outlive accounts on purpose. If the studio that logged a piece deletes their account, the piece’s record is transferred to the customer’s vault (which is a separate, customer-owned account). If the customer also deletes, the record is sealed (encrypted with the customer’s deletion key, no longer queryable) for 2 years, then permanently erased.
- Photographs — original-resolution photographs are retained as long as the piece record exists. Derived web-resolution copies are regenerated on demand and not retained beyond CDN cache.
- Backups — primary data is backed up daily to encrypted, region-locked storage. Backups are retained for 30 days. Erasure requests propagate to backups within 90 days (Supabase point-in-time-recovery rotation).
- Audit trail — kept for 7 years even after account deletion, but with personally-identifying fields pseudonymised after the cooling-off period (the audit row references a stable user-hash, not the email).
- Communications with STORI support — kept for 3 years from the close of the conversation.
If you’d like a record of what we currently hold about you specifically, write to dpo@stori.life and we’ll send a portable export within 30 days.