Text Link

Privacy Policy

Last updated: 1 November 2024
Blue documents background vectorBlue documents background vector

This privacy policy sets out how Storypark Limited (“Storypark”, “we”, “us”, “our”) treats the privacy of those who use our Website and associated services and others with whom we interact.

Please take a moment to read this Privacy Policy so you understand how we process Personal Data.

SUMMARY OF PRIVACY POLICY

What Personal Data do we collect?

How do we use Personal Data?

  • To administer accounts.

  • To enable the features of the Services to be utilised and enjoyed, subject always to our terms and conditions at storypark.com/terms-and-conditions.

  • To analyse Service User behaviour (in respect of the Website) and Account Holder behaviour (in respect of the Service) for the purposes of improving, promoting, securing and monitoring the Service.

  • To respond to enquiries, feedback or complaints received from you.

  • To process payment for the Services by you and to help us to manage our accounts and administrative services.

  • To verify your identity.

  • For directly marketing to you (including by email, post, other means, or through functionality within the Service) with information about our Service, and subject to your preferences.

  • On an aggregated non-identifiable basis, to help Storypark understand and promote its market position.

  • Incidentally, where educators at child care organisations and their educational mentors, for their further professional development, may view some Content of an account to which an Early Childhood Provider has lawful access for the purposes of assessing performance and compliance with professional obligations.

  • To protect our legal interests and fulfil our regulatory obligations.

  • For ensuring the trust and safety of any Child and Service Users of the Service.

How do we share Personal Data?

Storypark shares information with service providers who support us to provide our Services and operate our business, including

Your choices with respect to your Personal Data.

  • When you visit the Storypark website, you have the option to accept or reject the non-essential cookies that we use.

  • When you provide your Personal Data to access our content or register for our events, you will have the ability to opt-in to our marketing information.

  • When you are receiving our marketing information, you have the ability to amend your Personal Data or “unsubscribe” from marketing e-mails;

  • Storypark provides push notifications for users of its mobile applications. These are on by default, for registered users, and can be turned off in the application settings.

  • You have the right to access and correct your Personal Data, or that of your minor child that is controlled by us at any time.  Requests for such access and correction requirements can be made to the contact details in section 15 of this Privacy Policy. Please note certain requests must be directed to the Customer or Customer Organisation.

  • You can choose whether you accept cookies when you use the Storypark website and services. If you reject non-essential cookies, you may not receive website content that is relevant to your country, you may need to re-login to Storypark each time you return to use it, and some non-essential content may not appear as intended.

How to contact us:

For more information about this Policy, our privacy practices or to obtain access to or correction of your Personal Data or that of your minor child, please contact us at hello@storypark.com.

FULL VERSION OF PRIVACY POLICY

By accessing our Service, storypark.com (the “Website”), or by providing Personal Data directly to us, you consent to our processing your Personal Data in the manner and for the purposes set out in this Privacy Policy. If relevant to the Purposes set out in this Privacy Policy, Personal Data may at times include Sensitive Data.

1.Definitions

Capitalised terms defined in Storypark’s End User Terms have the same meaning in this Privacy Policy. In addition, the following capitalised terms have the following meanings:

a) “Authorised Users” means all persons expressly authorised by the Customer (or, as applicable, Customer Organisations) and/or Primary Account Holder to access and use the Storypark Service in connection with the Customer Account, including Educators.

b) “Authorised Viewer” means a person who is expressly authorised by the Primary Account Holder to view and/or access Child Content in the Application, being typically (but not exclusively) limited to that Child’s parents, guardians, family members and specialists.

c) “Child Record” means a Family Child Record or an Organisation Child Record.

d) “Content” means any content or materials including (but not limited to) still or moving images, videos, sound recordings or other audiovisual materials, artistic works, written works, administration data and Personal Data posted to the Storypark Service by an Authorised User or otherwise contained in any Child Record.

e) “Customer” means the Storypark customer (or organisation operated by the customer, as applicable) through whose Customer Account you have been authorised to access and use the Storypark Service.

f) “Customer Organisation” means any organisation, group, service or early childhood education and/or childcare centre for Children owned or operated by, or affiliated with, the Customer.

g) “Data Protection Laws” means the data protection and privacy laws applicable to our processing of your Personal Data that we are committed to comply with, including as applicable:

  • the Privacy Act 2020 (New Zealand);

  • the Privacy Act 1988 (Cth, Australia);

  • all applicable Canadian federal and provincial privacy laws, including, but not limited to, the Personal Data Protection and Electronic Documents Act(federal); the Personal Data Protection Act (Alberta); the Personal Data Protection Act (British Columbia), and public sector privacy laws as may apply to our Customers and Customer Organisations;

  • all applicable United States federal and state privacy laws, including, but not limited to, the California Consumer Privacy Act of 2018 (CCPA), Early Learning Personal Data Protection Act (ELPIPA);

  • the General Data Protection Regulation (EU) 2016/679 (EU GDPR);

  • the United Kingdom Data Protection Regulation (UK GDPR); and/or

  • any other applicable privacy legislation.

h) “Educator” means any childcare provider or educator at a Child’s Customer Organisation.

i) "End User Terms” means the Storypark end user terms available at Terms (available at storypark.com/terms-and-conditions and, if you are accessing the Service for or on behalf of a Customer, the Customer agreement between Storypark and the relevant Customer.

j) “Family Child Record” means any Content such as a child’s name, Content contributed by Authorised Viewers such as a Child’s parents, guardians, family members, and any other Content pertaining to a given Child that is accessible via the ‘child profile’ page that is not contained only within an Organisation Child Record. For clarity, Family Child Records are separate and distinct from Organisation Child Records.

k) “Organisation Child Record” means the internal Storypark Child record created and maintained by the relevant Customer Organisation and/or Educators to be able to operate the Storypark Service in accordance with the Authorised Purpose. For clarity, Child Content may be added to an Organisation Child Record.

l) “Primary Account Holder” means a Child’s parent or guardian or a person expressly authorised by the Child’s parent or guardian to administer and control a Family Child Record.

m) “Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.

n) “Service” means the Storypark Service.

o) “Sensitive Data” means Personal Data relating to a person’s physical or mental health, race or religion, or other information deemed (or otherwise treated as) “sensitive” under applicable Data Protection Laws.

p) “Service Users” means Customers, Customer Organisations, Primary Account HoldersAuthorised Users and Authorised Viewers.

q) “Storypark” means the Storypark entity that you contract with (and, if you are a Customer, that you pay your fees to). This will be: Storypark Limited (a New Zealand limited liability company, registered in Wellington, New Zealand), or Storypark Canada Limited (an Ontario registered limited liability company), if you are a resident of Canada.

r) “process” or “processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, use, disclosure, combination, restriction, or erasure.

2. Application

This Privacy Policy applies to all Personal Data processed by Storypark, including, but not limited to Personal Data submitted by Service Users through the Service. For certainty, this Privacy Policy does not apply to the Personal Data of Storypark employees.

3. Changes

From time to time we will review our Privacy Policy to keep pace with changes in our Service and any Data Protection Laws. This document is our most recently updated Privacy Policy. Your continued use of our Service or provision of Personal Data to us after any such changes constitutes your acceptance of, and agreement to this Privacy Policy, as revised. We encourage you to read it carefully.

4. Questions and concerns

If you have any questions or comments, or want to access, update, or delete the Personal Data we hold about you, or if you have a privacy concern, please contact us using the contact details in section 15 of this Privacy Policy.

Please provide sufficient detail about the information in question to help us locate it. We will respond to any privacy request in compliance with the applicable Data Protection Laws.  Please note that if your Personal Data is contained in an Organisation Child Record under the control of our Customer or Customer Organisation, we may direct your inquiry to our Customer.

5. Collection of Personal Data

We collect Personal Data when you use our Services, and may also collect Personal Data about you or others when Service Users create Family Child Records or Organisation Child Records within the Service. For example, this may include cases where a child care organisation or educational institution your child attends is a user of the Services.

We may collect the following categories of Personal Data in the following situations:

a) Personal Data you voluntarily provide to us: When you give us your Personal Data directly (whether face-to-face, by telephone, email, post, through social media or by communicating with us in any way), when we meet with an organisation wishing to do business with us and an individual from that organisation provides Personal Data about themselves, when you apply for a job with us, or when you sign up or register to become a Service User, or when you enter into a transaction with us you are voluntarily giving us the Personal Data that we collect.

  • Categories of Personal Data: The Personal Data we may collect includes your name, physical address, email address, login for the Service, feedback and suggestions for the Service, IP address, phone number, billing information in accordance with our Customer Terms, occupation, employer, job title, area of responsibilities, employment history, and educational qualifications, and other such Personal Data you may provide to us.

b) Our email marketing list: When you become a Service User, or where you elect to sign up to our email marketing list, we may collect your name, email address, and email marketing preferences.

c) Personal Data we collect automatically: When you use our Service or browse our Website, we may collect information about your usage and web browsing. We may collect Personal Data as log files, or through cookies or other tracking technologies (see the “Cookies and tracking” below for more information), store it against the associated Account, and link it to the other Personal Data we hold about an Account.

  • Categories of Personal Data: The Personal Data we may collect includes your IP address, your operating system, your browser ID, time, date, your browsing activity, your interaction with the Service (including any Content, comments, and general location).

d) Personal Data uploaded and transferred to the Service by Service Users: We collect Personal Data about persons (including Children) indirectly when Service Users use the Service, such as when a Service User:

  • creates a Child Record or invites another person to become a Service User (including an invitation to become a Primary Account Holder or Authorised User);

  • uploads and transfers Content that contains Personal Data (including photographs or videos of another person including Children, or uploads and transfers materials created by another person including Children); or

  • posts a comment or tags Content on the Service that contains Personal Data of another person.

In situations where a Service User creates a Family Child Record containing Personal Data or uploads Personal Data to a Family Child Record, the Service User is a joint-controller of that Personal Data alongside us, (i.e. we process the Personal Data directly for the individual (or their parent/guardian) and for those purposes described in this Privacy Policy and our Terms, and exercise control over that processing), to the extent that term applies under applicable Data Protection Laws. In situations where a Service User creates an Organisation Child Record containing Personal Data or uploads Personal Data to an existing Organisation Child Record, we act as a processer in respect of that Personal Data, (i.e. we process the Personal Data for our Customer and for those purposes described in this Privacy Policy and our Terms, and the Customer exercises control over that processing), to the extent that term applies under applicable Data Protection Laws. We may have no direct relationship with the person whose Personal Data you upload or transfer, and for that reason, you are responsible for making sure you have the obtained all consents and issued all notices necessary for us to process information about any such person (including where Sensitive Data relating to a Child is collected and stored in the relevant Child Record). Please see the End User Terms which outline your obligations in this regard.

e) Statistical information: We may collect statistical (non-personal) information about your use of the Website and the Service to improve the features and overall user experience. This may include statistical information such as pages accessed on the Website and the Service, search terms, links that are clicked on, Website and Service visit times, browsers and operating systems, IP address, and cookies.

f) Cookies and tracking:

  • We may use various technologies to collect and store information when you use our Service, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. You may control the use of cookies at the individual browser level, however your use of the Website and Service may be affected.

  • Personal Data may be collected as log files, or through cookies or other tracking technologies, stored against associated Accounts, and linked to the other Personal Data we hold about associated Accounts.

  • We use functionality and experience enhancement cookies that are used to improve the performance and functionality of our Website and Service but are non-essential for the Website or Service to operate as intended. However, without these cookies, certain functionality may become unavailable or you would be required to re-enter your login details each time you visit our Website. These are non-essential cookies that you can manage at any time through "Cookie Settings" on the footer of Storypark.com, or block through your browser settings, noting that blocking or rejecting cookies may affect your experience of the Website and Service. Specifically, these are cookies from

  • We use measurement cookies to monitor and analyse web traffic, and track user behaviour, and help us understand how effective our marketing campaigns are. These cookies connect data from advertising networks with actions performed on our website. These are non-essential cookies that you can manage at any time through “Cookie Settings” on the footer of Storypark.com, or block through your browser settings.

  • Google Analytics (https://www.google.com/policies/privacy/partners/) to analyse non-identifiable web traffic data to improve our services. If you prefer, you can opt out of the Google Analytics tracking cookies we use without affecting your ability to use our Website. You can opt-out of Google Analytics by installing the Google Analytics opt-out browser add-on For information about how to opt out of Google Analytics, visit: https://tools.google.com/dlpage/gaoptout/.

  • Facebook (https://www.facebook.com/about/privacy/)

  • Intercom (https://www.intercom.com/legal/privacy)

  • Hubspot (https://legal.hubspot.com/privacy-policy).

  • LinkedIn (https://www.linkedin.com/legal/privacy-policy)

  • Microsoft (https://privacy.microsoft.com/en-ca/privacystatement)

  • Hotjar (https://www.hotjar.com/legal/policies/privacy) is a session recording and heat mapping service provided by Hotjar Ltd. Hotjar honours generic “Do Not Track” headers. This means the browser can tell its script not to collect any of the User's data. This is a setting that is available in all major browsers. Heat mapping services are used to display the areas of this Application that Users interact with most frequently. This shows where the points of interest are. These services make it possible to monitor and analyse web traffic and keep track of User behaviour. Some of these services may record sessions and make them available for later visual playback. Hotjar has an opt-out on their site (https://www.hotjar.com/legal/compliance/opt-out).

  • We use targeting & advertising cookies to collect information over time about your online activity on our Website and other online services to make our online advertisements more relevant to you, possibly based on your interests. These are non-essential cookies that are set if you opt-in to use these cookies in “Cookie Settings” in the footer of Storypark.com. You may also choose to block these cookies through your browser settings. The advertising cookies we set are for:

  • You may set your browser to block any or all of these cookies.  Please note that if you disable cookies, you may be unable to access some features of our Website, however disabling cookies will not prevent you from transacting with us.

  • We use essential cookies on our Website where they are required for particular features to work – for example, if you are a logged in user, to allow you to remain logged in while you complete certain tasks. These cookies are required for you to use Storypark as intended.

6. Use of Personal Data

We process Personal Data for the following purposes:

a) to create and administer accounts.

b) to enable the features of the Service to be utilised and enjoyed, subject always to our End User Terms. This may, for example, entail incidental posting of photographs/videos of a Child on another Child’s Organisation Child Record. Those posts may remain viewable even once a Child no longer attends a Customer Organisation as long as the relevant Organisation Child Record is retained. If you do not agree to such incidental posting, or other transfers of Personal Data to an Organization Child Record, you must contact the administrator of the Organisation Child Record to advise them of your withdrawal or denial of consent;

c) to facilitate Service Users creating and updating Organisation Child Records;

d) to analyse user behaviour (in respect of the Website) and Service User behaviour (in respect of the Service) for the purposes of:

  • determining Service developments;

  • inviting users or Service Users to explore other features within the Website or Service, and otherwise to generally promote our Service;

  • ensuring the security of the Website and the Service; and

  • combating and preventing breaches of our End User Terms, other user agreements, this Privacy Policy and our other policies;

e) to respond to enquiries, feedback or complaints received from you;

f) to perform authorised financial transactions with you and to help us to manage our accounts and administrative services;

g) to verify your identity;

h) for directly marketing to you (including by email, post, other means, or through functionality within the Service) with information about our Service (if you receive direct marketing from us, and would like to opt-out, please see “Direct Marketing” below);

i) on an aggregated non-identifiable basis, to:

  • help Storypark understand its market position;

  • assist with marketing our Services to others, including in respect of any online advertising; and

  • deliver statistical results to help with general Storypark announcements;

j) incidentally, where Educators and their educational mentors, for their further professional development, may view, some content of an account or Child Records to which the relevant Customer or Customer Organisation has lawful access;

k) to protect our legal interests and fulfil our regulatory obligations, including any notification or reporting obligations and any access directions, imposed on us by any Government entity (if and to the extent necessary);

l) for helping ensure the trust and safety of any Child and Authorised Users of the Service; and

m) in other circumstances, provided we comply with applicable Data Protection Laws.

7. Lawful Basis for processing

As permitted or required under applicable Data Protection Laws, we may rely on the following legal bases to process Personal Data.

Consent: In jurisdictions where consent is the only lawful basis for processing, your provision of Personal Data to us means that you agree and consent to our collection, use and disclosure of your Personal Data under this Privacy Policy. Please note that certain aspects of the Service can only be offered if you provide Personal Data to us and we may not be able to offer you certain aspects of the Service if you choose not to provide us with required Personal Data.

We may obtain your consent in different forms depending on the context of processing, such as:

  • if you expressly sign or agree to a document through electronic means or verbally; or

  • implicitly by providing the Personal Data voluntarily.

Please note that there are circumstances where the processing of Personal Data may be permitted without consent, or where we may or must disclose information without consent, in accordance with  applicable law.

You have the right to revoke your consent to the collection, use and disclosure of your Personal Data that is under our control at any time. However, revocation of your consent does not have retroactive effect, and may prevent us from providing certain aspects of the Service to you; in such circumstances, we will discuss with you the reason we need your Personal Data and why the revocation of your consent affects our ability to provide the Service to you. Where your Personal Data is under the custody and/or control of our Customer or Customer Organization and we act as Data Processor on behalf of the Customer or Customer Organization, we may not be able to give effect to your request and will direct you to the Customer or Customer Organization.

Performance of a contract: Where contractual performance is a lawful basis for processing under Data Protection Laws, you acknowledge and agree that the processing identified below is necessary for the performance of a contract to which the data subject is party (being the Agreement):

  • to carry out user and account administration tasks;

  • to manage and deliver the Service; and

  • to manage any disputes (including disputes over invoices or delivery of the Service).

Legitimate interests:  Where legitimate interests is a lawful basis for processing under Data Protection Laws, in respect of all other processing of Personal Data detailed in this Privacy Policy (including direct marketing activities), such processing is necessary for the purposes of a legitimate interest pursued by Storypark, and we have assessed that such interests are not overridden by the interests or fundamental rights and freedoms of the persons to whom the Personal Data relates.

You have the right to object to the way we process your Personal Data where the processing is based on legitimate interests. For more information see “Your Rights” section below.

Data Processor:  In respect of Personal Data uploaded and transferred to the Service by Service Users, to the extent the term applies under applicable Data Protection Laws, we are a joint data-controller alongside the relevant Service User who creates or updates a Family Child Record (i.e. we process the Personal Data directly for the individual (or their parent/guardian) and for those purposes described in this Privacy Policy and our Terms, and exercise control over that processing).  We are a Data Processor to the relevant Service User who creates or updates an Organisation Child Record, to the extent that terms applies under applicable Data Protection Laws (i.e. we process the Personal Data for our Customer and for those purposes described in this Privacy Policy and our Terms, and the Customer exercises control over that processing). In such circumstances, the relevant Service User has custody and/or control of the Personal Data and is responsible for determining the legal basis upon which that Personal Data is processed. Please see the End User Terms which outline the Service User’s obligations in this regard.

8. Direct Marketing

All those to whom we send direct marketing communications have the option to opt-out of receiving further direct marketing communications from us. If you do not wish to continue to receive direct marketing communications from us and/or selected third parties you should opt-out by clicking on the “unsubscribe” link in any email communications that we might send you.

Please note that some features of the Service may involve us providing, through the functionality within the Service, recommendations or suggestions for goods, services or benefits that we offer.

9. Retention and deletion of Personal Data

a) in some cases, retain a copy of your Personal Data to comply with our legal obligations, resolve disputes, enforce our agreements and to comply with our trust and safety obligations. Personal Data retained for these purposes will be archived and stored in a secure manner after your Account has been closed, and will not be accessed unless required for any of these reasons; and

b) retain Personal Data in an aggregated, de-identified or otherwise anonymous form, as permitted or required by applicable laws, such that there is no serious possibility of identifying you from the information.

10. Disclosure of Personal Data

We will not sell Personal Data to anyone.We share Personal Data with third parties for limited purposes, such as to help us run our business and provide the Website and Service. Those third parties can be categorised as follows:

a) Service Users: At the direction of a Customer, Customer Organisation or Primary Account Holder (as applicable) Storypark may disclose Content (which may contain Personal Data) through the Service to other Service Users. For example:

  • The family version of the Service enables Service Users to tag posts and Content in a way as to identify particular interests of a Child or features of a Child’s development or progress. Storypark may be directed to disclose this Personal Data to an Authorised User (such as an Educator), to facilitate their understanding of the Child’s progress, development, interests etc.

  • the Service will enable an Authorised User to access (and upload) sensitive information relating to a Child, solely for the purpose of their understanding of the Child’s progress, development, interests, etc.

  • Educators may share stories from an Organisation Child Record with Authorised Users and Authorised Viewers.

  • Authorised Viewers may view and/or access Child Content within the Application only to the extent authorised by a Primary Account Holder.

  • Stories from an Organisation Child Record (which may include sensitive information of a Child) may also be shared by Authorised Users with other family members of a Child’s Storypark community. However, Authorised Users cannot disclose notes, routines or plans from an Organisation Child Record with any other family members of a Child’s Storypark community or any other parents or families.

  • Educators may share group stories (which may include sensitive information of a Child) relating to two or more Children with family members from the Storypark community for the relevant Children.

  • Educators may share group plans (which may include sensitive information of a Child) with the Primary Account Holders for all Children included in the group plan.

  • Storypark may be directed to allow a Customer Organisation (or, if applicable a Customer that operates the Customer Organisation) to access an Educator portfolio and its associated Personal Data (where that Customer or Customer Organisation maintains the Account to which an Educator portfolio relates).

We may have no direct relationship with persons whose Personal Data you upload or transfer. For that reason and in relevant circumstances, you are responsible for making sure you have the appropriate consent and make the appropriate notifications for us to disclose any Content (which may contain Personal Data) in the manner you direct through the Service. To the extent necessary consent is not obtained, you must remove the applicable Personal Data from the Family Child Record without undue delay. Please see the End User Terms which outline your obligations in this regard.

If you no longer want to be contacted by one of our Service Users, please contact the relevant Customer or Customer Organisation directly.

b) Service providers:  We share your Personal Data with our third party service providers, who help us provide and support our Service. For example:

  1. Client relationship management services from Hubspot

  2. Payment processing services from PayPal and Stripe

  3. Subscription management and billing from Chargebee

  4. Cloud server hosting services from Amazon Web Services

  5. Content delivery services from Sendgrid, Transloadit, Brightcove

  6. Customer feedback services from Savio

  7. Customer support and communication services from Intercom and Survey Monkey

  8. Marketing services from Mixmax and Autopilot

  9. IT services from Google Workspace and Microsoft Azure

  10. Bookkeeping services from Xero

  11. Data Warehousing and Reporting Services from Snowflake and GoodData

  12. Video and phone call conversation recording and transcription from Gong

  13. Customer research findings and analysis from Dovetail

We limit the information we provide to third parties to the information they need to help us provide or facilitate the provision of goods and services and associated purposes. We ensure that third parties are required to meet the privacy standards required by law in handling your Personal Data, and use your Personal Data only for the purposes that we give it to them.

c) Sale, merger, consolidation, liquidation, reorganisation, or acquisition: If Storypark or substantially all of its assets were acquired by a third party, Personal Data which we hold may be one of the transferred assets (subject to the same constraints on use and disclosure as under this policy).

d) Legal obligation: If we are under a duty or have a legal right to disclose or share Personal Data in order to comply with any legal obligation or request or investigation issued by any Government entity, or in order to enforce or apply our terms and conditions or to protect our rights, property, or the safety of our personnel or third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection, trust and safety and credit risk reduction.

CCPA: If you are based in California in the USA, we agree that we will not: (a) sell your Personal Data to any third party; (b) retain, use or disclose your Personal Data for any purpose other than as set out in this Privacy Policy and any other agreement you sign up to with us; (c) retain, use, or disclose your Personal Data for a commercial purpose other than as set out in this Privacy Policy and any other agreement you sign up to with us; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between them, other than as set out in this Privacy Policy and any other agreement you sign up to with us.

11. Trans-border Personal Data flows

Storypark’s head office is located in New Zealand, so some limited Personal Data is transferred and/or stored there. For the purposes of the EU GDPR and the UK GDPR, New Zealand has been recognized as providing adequate protection

The vast majority of Personal Data we handle is stored and hosted in Australia. All Personal Data relating to Children on Storypark is hosted in Australia.

Some limited Personal Data may be provided to companies located in the USA who offer software as a service products that process content for inclusion on the Service (for example, conversion of images and videos to make them suitable for viewing online/ through a web browser). Those third parties located overseas are not permitted to (and are contractually obligated to not) access or use the Personal Data provided except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the Personal Data we share with them, other than as is necessary to assist us.

In respect of the transfer of Personal Data to New Zealand, Canada, Australia, the USA and other countries, we will use reasonable efforts to obtain assurances from any third parties that they will safeguard Personal Data consistent with this Privacy Policy and all applicable Data Protection Laws.

While the information resides outside of the territory where you reside, it may be accessible to the local courts, law enforcement and national security authorities in a foreign jurisdiction.

12. Security of Personal Data

We have implemented reasonable technical, physical, and organizational security measures to protect Personal Data. We take reasonable steps to protect Personal Data, including through internal and external security, restricting access to Personal Data to those who have a need to know, maintaining technological products to prevent unauthorised computer access and regularly reviewing our technology to help maintain security. We choose technology partners considering their security and privacy policies and practices.

Personal Data stored in our system is protected by electronic and procedural safeguards. We take reasonable precautions to protect Personal Data from accidental loss and theft by storing it in secure data centres with off-site backups. Communication between Service Users and our servers is encrypted via industry-standard transport layer security (TLS).

The Service is protected by a secure and encrypted password that each Service User must choose themselves. Service Users should never share their passwords. Storypark is not responsible for any loss of data or breach of privacy if a Service User shares their password with someone else. We do not store your password on our servers, instead we store a one-way hash of your password.

Because internet transmissions cannot be guaranteed to be 100% secure, you acknowledge and agree that we cannot guarantee the security of Personal Data, and to the fullest extent permitted by applicable law, that you use the Service at your own risk.

In case of a security incident or any other breach of security safeguards, such as the loss of, unauthorised access to or unauthorised disclosure of Personal Data under Storypark’s control, we will respond in accordance with our obligations under applicable Data Protection Laws.

13. Your Rights

Under certain circumstances and subject to applicable laws, you have the right to access your Personal Data that we hold about you, and to ask for it to be corrected if you think it is wrong.

If you are based in Canada, you also have the right to withdraw your consent to our disclosure or use of your Personal Data, if we are the party with control over the Personal Data.  With respect to Personal Data for which a Customer or Customer Organization has custody and/or control, we will provide you with information to allow you to direct your request to the Customer or Customer Organisation.

If you are based in the European Union or the United Kingdom you have the right, under the EU GDPR or the UK GDPR (as applicable), to:

  • in certain circumstances, have your Personal Data erased;

  • restrict the processing of your Personal Data;

  • move, copy or transfer your Personal Data easily for your own purposes across different services in a safe and secure way;

  • object to processing where we rely on our legitimate interests as the lawful basis for processing;

  • withdraw your consent at any time, where our processing of your Personal Data is based on consent; and

  • lodge a complaint with an appropriate supervisory authority, if you consider that our processing of your Personal Data has breached the EU GDPR or the UK GDPR (as applicable).

If you are a resident of California, you have the right under the CCPA:

  • to request and obtain from us, once a year and free of charge, information about categories of Personal Data (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared Personal Data in the immediately preceding calendar year;

  • subject to certain exceptions, to request the deletion of your Personal Data that we have collected from you; and

  • subject to certain exceptions, not to receive discriminatory treatment for the exercise of your CCPA privacy rights.

We will respond to any request made in respect of the above in accordance with the applicable Data Protection Laws.

Please note that in certain circumstances we may refuse to respond to a rights request where we have the right to do so under applicable Data Protection Laws, for example, where a request is manifestly unfounded or excessive.

Requests for such access and correction requirements can be made to the contact details in section 15 of this Privacy Policy.

Please note that where we are not, or are no longer, in a position to identify you within the information we hold (including because of any de-identification techniques we may have employed), then your rights as described above shall not apply.

We will respond to any request made in respect of the above without delay, but in any case within one (1) month of a request, or two (2) months where the requests are complex or numerous (in which case, we will inform you of such delay), unless otherwise required by applicable Data Protection Laws.

14. Cancelling your Account

If your Storypark Account terminates (for whatever reason), the Personal Data associated with it may no longer be accessible to you via your account. Any Content you have posted from your Account may still be available to other Service Users that the Content has been associated with. There may continue to be residual copies of such Content due to ongoing data back-up and archiving.

15. How to Contact us

If you wish to exercise your rights under this Privacy Policy or any applicable Data Protection Laws or otherwise raise any privacy issue or complaint with us, you can do this by emailing our Privacy Officer at privacy@storypark.com 

Your email should provide evidence of who you are and set out the details of your request (e.g., the Personal Data, or the correction, that you are requesting).

If you are located in New Zealand and believe we are unlawfully processing your Personal Data, you can lodge a complaint with us directly using the above contact details, or you can lodge a complaint with the New Zealand Privacy Commissioner. Information about how to lodge a complaint is available at Privacy Commissioner’s website.

If you are located outside New Zealand, you may also lodge a complaint regarding our Personal Data processing activities as they relate to your Personal Data with your relevant privacy law supervisory authority.