Privacy Policy
Last Updated: 12 April 2026
Stori (“we,” “our,” or “us”) is committed to protecting your privacy and handling personal information responsibly. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our platform at https://www.onestori.com (the “Site”) and related services (the “Services”).
By accessing or using Stori, you agree to the practices described in this Privacy Policy.
Information We Collect
We collect the following categories of information:
Account Information
When you create an account, we collect your name, email address, authentication credentials, and related account details.
Google Account Information (OAuth)
If you choose to sign in using Google, we may access your basic Google profile information, such as your name, email address, and profile photo. We do not access your Gmail content, contacts, calendar data, files, or any other Google services unless explicitly disclosed.
Candidate Data
This includes information you choose to provide, such as:
- Digital resumes
- Interview recordings and transcripts
- Psychometric assessments
- Any additional profile or narrative content
Recruiter / Employer Data
If you use Stori as a recruiter or hiring manager, we may collect your name, company name, role, and contact details.
Usage Data
We collect technical and usage information, including IP address, browser type, device information, pages visited, and interaction data.
Payment Information
If you purchase a subscription or credits, payment information is processed by third-party payment providers. Stori does not store full credit card numbers.
How We Use Information
We use collected information to:
- Provide, operate, and maintain the Services
- Authenticate users and manage accounts
- Enable candidates to create, control, and share their digital resumes and interviews
- Allow recruiters and employers to review candidate information only when shared by the candidate
- Facilitate communications and outreach
- Process payments and manage subscriptions
- Improve, personalize, and secure the platform
- Comply with legal and regulatory obligations
Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and similar data protection laws, we rely on the following legal bases to process your personal data:
Contract Performance
Processing is necessary to provide the services you signed up for, including account creation, interview hosting, candidate profile management, and subscription billing.
Consent
Where required by law, we obtain your consent before processing data for specific purposes, such as analytics cookies and marketing email communications. You may withdraw consent at any time through your account settings or by contacting us.
Legitimate Interest
We process certain data based on our legitimate interests, including maintaining platform security, preventing fraud, improving our services, and ensuring system reliability. We balance these interests against your rights and freedoms before relying on this basis.
Legal Obligation
We may process personal data where required to comply with applicable laws, regulations, or legal processes.
Google User Data Usage (Required Disclosure)
Information obtained from Google APIs is used solely to:
- Authenticate users
- Create and manage user accounts
- Enable secure access to Stori features
Stori does not use Google user data for advertising purposes and does not sell Google user data.
Stori's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
How We Share Information
We do not sell personal data.
We may share information in the following limited circumstances:
With Recruiters / Employers
Candidates control when and with whom their information is shared. Recruiters and employers can only access candidate data when a candidate explicitly shares it.
With Service Providers
We use trusted third-party providers for services such as:
- Secure hosting and data storage
- Authentication
- Analytics
- Payment processing
- Email delivery and customer support
These providers may process data only to perform services on our behalf and are subject to confidentiality and security obligations.
Legal Requirements
We may disclose information if required by law, legal process, or to protect the rights, safety, or property of Stori or others.
Business Transfers
If Stori is involved in a merger, acquisition, or asset sale, user information may be transferred as part of that transaction.
Sub-Processors
We use the following third-party sub-processors to operate our services. Each sub-processor is bound by data processing agreements and processes personal data only as necessary to perform its designated function.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| OpenAI | AI-powered interview analysis, trait assessment | United States |
| Stripe | Payment processing, subscription billing | United States |
| Mux | Video hosting, transcoding, playback | United States |
| People Data Labs | Contact enrichment for candidate sourcing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring, performance tracking | United States |
| Vercel | Application hosting, edge delivery, analytics | United States |
| | OAuth authentication | United States |
| TextKernel | Resume parsing | Netherlands / EU |
Candidate Data Ownership
A core principle of Stori is candidate ownership and control:
- Candidates own their resumes, interviews, and assessments
- Candidates choose when and how their data is shared
- Recruiters only see candidate information that has been explicitly shared
Data Storage & Security
We use industry-standard technical, administrative, and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. While we maintain reasonable safeguards, no system is completely secure.
Data Retention & Deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are as follows:
- Active accounts: Data is retained for as long as your account remains active and in use
- Cancelled subscriptions: Profile data is retained for 30 days following cancellation, then permanently purged
- Payment records: Transaction and billing records are retained as required by applicable tax law, typically 7 years
- Server logs: Technical and access logs are retained for 30 days, then automatically deleted
- Users may delete their account and associated data at any time via account settings
- Upon deletion, data is removed from active systems, though limited backups may persist for a short period for operational or legal reasons
Users may request deletion by contacting hi@onestori.com or through account settings where available.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights under the General Data Protection Regulation (GDPR):
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most information directly through your account settings.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data (“right to be forgotten”). You can delete your account and all associated data at any time using the Delete Account feature in your account settings, or by contacting us.
Right to Restrict Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or object to processing.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can export your data at any time using the Export Data feature in your account settings.
Right to Object (Article 21)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds.
We will respond to all rights requests within 30 days. In complex cases, this may be extended by an additional 60 days, and we will notify you of any such extension.
If you believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection supervisory authority.
Requests can be made by contacting hi@onestori.com.
Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our services. The types of cookies we use are:
Essential Cookies
These cookies are necessary for the platform to function and cannot be disabled. They include authentication session cookies, security tokens, and preferences required to deliver the service.
Analytics Cookies
We use Vercel Analytics to understand how users interact with our platform. For users in the European Economic Area, analytics cookies are only activated with your explicit consent via our cookie consent banner.
You may manage your cookie preferences through our cookie consent banner or your browser settings. Disabling essential cookies may prevent parts of the platform from functioning correctly.
Children's Privacy
Stori is not intended for children under the age of 16. We do not knowingly collect personal information from children.
International Data Transfers
Your personal data is primarily stored and processed in the United States. If you access Stori from outside the United States, including from the European Economic Area or the United Kingdom, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
To ensure adequate protection for international data transfers, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with our sub-processors where required to provide appropriate safeguards for data transferred outside the EEA
- EU-US Data Privacy Framework: Where applicable, we rely on sub-processors that participate in the EU-US Data Privacy Framework as an additional transfer mechanism
- Data Processing Agreements: All sub-processors are bound by data processing agreements that require them to protect personal data to standards consistent with GDPR
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: hi@onestori.com
