Legal · DPA
Data processing terms, adapted to how Story actually operates.
Effective April 22, 2026. This addendum supplements Story's membership, services, or other written agreement with an organization that uses Story's tools to manage members, bookings, guests, visitors, billing contacts, or related workspace activity.
Fast wifiBottomless Quills coffeeCommunity24/7 accessPhone boothsWellness roomEventsElixir kombucha on tapFast wifiBottomless Quills coffeeCommunity24/7 accessPhone boothsWellness roomEventsElixir kombucha on tap
When it applies
It covers customer data Story handles on behalf of an organization.
This addendum applies when a company, team, or other customer organization provides personal data to Story, or instructs Story to process it, in connection with memberships, employee rosters, guest preregistration, bookings, visitor handling, billing contacts, or other workspace-administration workflows.
It does not replace Story's own privacy obligations where Story acts as a controller, such as for the public website, direct member relationships, facility security, marketing, or Story's own business records.
It does not replace Story's own privacy obligations where Story acts as a controller, such as for the public website, direct member relationships, facility security, marketing, or Story's own business records.
Processing details
The people, data, and purposes in scope are operational, not abstract.
- Data subjects may include company admins, employees, contractors, members, guests, visitors, applicants, billing contacts, and event or booking participants.
- Relevant data may include identity and contact details, company affiliation, membership and booking information, guest and visitor details, communications, invoice and payment-status records, and system logs tied to workspace use.
- Story processes that data to deliver workspace services, manage access and reservations, support member administration, communicate about operations, troubleshoot issues, and maintain accurate service records.
- Processing continues for the service term and for any limited period needed for security, accounting, backups, dispute resolution, or legal compliance.
Processor commitments
The main protections Story commits to when it acts as a processor.
Instructions and scopeWhen Story acts as a processor, it handles personal data only to deliver the agreed services, follow documented customer instructions, or meet legal and security obligations.
ConfidentialityStory requires personnel and contractors with access to customer data to handle it confidentially and only on a need-to-know basis.
SubprocessorsStory may use subprocessors for hosting, payments, communications, support, access control, analytics, and similar operations, while remaining responsible for managing those vendors appropriately.
Security measuresStory maintains reasonable administrative, technical, and organizational safeguards, including role-based access controls, encryption in transit, logging, backup practices, and vendor oversight appropriate to the services.
Incident responseIf Story confirms a security incident affecting customer personal data, Story will investigate, contain, and notify the customer organization without undue delay, subject to law and the governing agreement.
Assistance and deletionStory will reasonably assist with data-subject requests and end-of-term deletion or return requests, taking into account the nature of the processing and any retention duties that still apply.
Transfers, retention, and support
Cross-border vendors and end-of-term cleanup are handled directly, not vaguely.
Story may use service providers that process data in the United States or other countries. Where those transfers occur, Story uses reasonable contractual or technical safeguards that fit the service relationship and the data involved.
At the end of the relationship, Story will delete or return relevant customer personal data upon request where feasible, except to the extent retention is required for legal, security, accounting, dispute-resolution, or backup purposes.
Questions about handling instructions, subprocessors, security incidents, or deletion requests should go to info@storylouisville.com.
At the end of the relationship, Story will delete or return relevant customer personal data upon request where feasible, except to the extent retention is required for legal, security, accounting, dispute-resolution, or backup purposes.
Questions about handling instructions, subprocessors, security incidents, or deletion requests should go to info@storylouisville.com.