Privacy - Custory

Overview

Custory ("we", "our", or "us") provides software for customer journey mapping, collaboration, integrations, and workflow automation. This Privacy Policy explains what information we collect, how we use it, when we share it, and the choices available to you when you use our website, product, and connected integrations.

This Privacy Policy applies to information we process as a business software provider. It does not apply to third-party services that you connect to Custory, which remain subject to their own terms and privacy policies.

Information We Collect

Account and Authentication Information

When you sign up, sign in, or are invited into a workspace, we may collect:

Name, email address, profile details, and workspace membership information
Authentication and session data managed through WorkOS AuthKit
Organization, sign-in method, and account security details such as MFA or verification state

Workspace and Product Content

We collect and store information you or your team submit in Custory, including:

Journey maps, stages, steps, personas, comments, attachments, tasks, and workflow data
Workspace settings, member roles, invitations, and collaboration history
Support requests, feedback submissions, and messages you send to us through the product

Connected Integration Data

When you connect third-party services, we receive the information needed to provide those integrations. Depending on the service, this may include:

OAuth access tokens and refresh tokens, stored in encrypted form
Basic account, workspace, tenant, or installation metadata
Read-only or scoped content from connected systems such as Figma, Intercom, Google Drive, Jira, Linear, Notion, Slack, Discord, GitHub, and Miro
Manual credentials and metadata for services such as PostHog or Stripe when you choose to connect them

The exact data available to Custory depends on the permissions you authorize and the functionality you choose to use.

Usage, Device, and Analytics Information

We automatically collect technical and usage information, including:

Log data such as IP address, browser type, device information, pages visited, and request metadata
Product usage events, feature interactions, and workspace-level analytics
Cookie and similar identifier data used for authentication, security, analytics, and feature flag delivery

How We Use Information

We use information we collect to:

Provide, operate, secure, maintain, and improve Custory
Authenticate users, manage sessions, and administer workspaces
Process and maintain connected integrations that you authorize
Import, display, sync, analyze, or transform data at your direction
Monitor usage, debug issues, run feature flags, and improve product performance
Communicate with you about support, security, service updates, and administrative matters
Prevent abuse, fraud, unauthorized access, and other harmful or unlawful activity
Comply with legal obligations and enforce our terms

Cookies, Analytics, and Similar Technologies

We use cookies and similar technologies for essential site operation, account authentication, fraud prevention, product analytics, and feature flag delivery.

WorkOS provides authentication and session-related cookies and identifiers for login and account security
PostHog is used for product analytics, event measurement, and feature flag evaluation
PostHog may use cookies or similar identifiers to recognize returning users and keep feature flag assignments consistent
We do not use your information for third-party advertising networks or sell personal information

Legal Bases for Processing

Depending on where you are located, we rely on one or more of the following legal bases to process personal information:

Performance of a contract, including providing the services you request
Legitimate interests, such as securing, maintaining, and improving our service
Consent, where required by law or where you choose to authorize a connected integration
Compliance with legal obligations

How We Share Information

We may share information in the following circumstances:

With service providers and infrastructure partners that help us run Custory, such as authentication, hosting, analytics, support, and security vendors
With third-party services you choose to connect, when required to complete actions you request or maintain an authorized integration
Within your workspace, according to your team settings, roles, and collaboration activity
When required by law, regulation, legal process, or to protect rights, safety, and security
In connection with a merger, financing, acquisition, reorganization, or sale of assets

We do not sell personal information or share personal information with third parties for their own advertising purposes.

Third-Party Integrations and OAuth

If you connect an integration, you authorize Custory to access and process the information made available by that service within the scope of the permissions you approve. We use that access only to provide the integration features you request.

OAuth tokens are stored in encrypted form and used to maintain the connection
Connected data may be imported, displayed, synchronized, searched, or analyzed within your workspace
You can revoke access by disconnecting the integration in Custory or through the third-party provider
Third-party providers may continue to process your data under their own policies after disconnection

Google API Data

If you connect Google Drive or related Google Workspace content, Custory requests read-only access to the Google files and account details needed to provide the feature, including Google Docs, Sheets, Slides, basic profile information, and email address.

We use Google user data only to provide and support the user-facing features you request. We do not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models.

Custory's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data Retention

We retain information for as long as reasonably necessary to provide the service, maintain your workspace, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary depending on the type of data and whether the information is needed for security, backup, billing, or legal compliance.

Data Security

We use technical and organizational measures designed to protect information, including:

Encryption in transit using HTTPS/TLS
Encrypted storage of OAuth tokens and credentials
Authentication and session management through WorkOS
Access controls, role-based permissions, and operational safeguards

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

International Data Transfers

We and our service providers may process information in countries other than your own. Where required, we take steps intended to provide appropriate safeguards for cross-border transfers.

Your Rights and Choices

Depending on your location and applicable law, you may have rights to:

Access, correct, update, or delete personal information
Object to or restrict certain processing
Request portability of certain information
Withdraw consent where processing is based on consent
Disconnect integrations or revoke third-party access
Opt out of non-essential communications

You may also have rights to appeal a decision we make about a privacy request, depending on your jurisdiction.

Children's Privacy

Custory is intended for business users and is not directed to children. We do not knowingly collect personal information from children under 16.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will update the "Last updated" date and, where appropriate, provide additional notice.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us through our contact page.