Privacy Policy

1) Introduction and Scope

a) This Privacy Policy explains how StoryPath, LLC ("StoryPath," "we," "our," or "us") collects, uses, stores, and protects personal information in connection with our websites, mobile journeys, and platform-based services. StoryPath is the owner and operator of the MOBIT platform, a proprietary mobile intelligence platform used to deliver educational content, customer journeys, and SMS-based learning experiences.

b) This Privacy Policy applies to:

i) Visitors to our websites, including www.storypath.us and www.mobit.com

ii) Individuals who interact with our platform at app.mobit.com

iii) Users who engage with content delivered via SMS or email through the MOBIT platform

iv) Representatives of enterprise clients who contract with StoryPath for content delivery

c) This Privacy Policy is incorporated by reference into any Master Services Agreement (MSA) or other agreement governing the use of our platform. Additional privacy and data processing terms may apply when an executed Data Processing Addendum (DPA) is in place between StoryPath and an enterprise client.

d) By accessing or using any part of our platform or services, you acknowledge and agree to the terms outlined in this Privacy Policy.

2) Who We Are

a) StoryPath, LLC is a U.S.-based technology company headquartered at 3505 E. Monarch Sky Lane, Suite 210, Meridian, Idaho 83646. We develop and operate the MOBIT platform, a proprietary mobile intelligence system used to deliver time-released educational content, SMS journeys, and data-driven engagement tools. All MOBIT platform infrastructure is hosted in the United States using Microsoft Azure.

b) We serve both individual users and enterprise clients across a range of regulated and compliance-sensitive industries. While StoryPath is a U.S.-based company and not currently subject to all provisions of international data protection laws, our privacy practices are informed by leading frameworks such as the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU General Data Protection Regulation (GDPR). We have voluntarily adopted many of their core principles, including transparency, user control, and data minimization, to guide how we handle personal data.

c) Unless otherwise agreed to in writing, all personal data is stored in the United States and retained for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.

d) Where we act on behalf of an enterprise client, our role is typically that of a data processor, subject to the terms of a Master Services Agreement (MSA) or executed Data Processing Addendum (DPA). For direct relationships with consumers or form-filling users, we act as the data controller responsible for determining the purposes and means of processing.

3) Definitions

a) For purposes of this Privacy Policy, the following terms are used consistently with their meanings under applicable data protection laws and StoryPath's Master Services Agreement:

b) "Platform" means the MOBIT platform and its associated software components, including backend infrastructure, user interfaces, content delivery tools, SMS triggers, analytics systems, and other systems operated by StoryPath.

c) "Personal Data" (or "Personal Information") means any information that can reasonably be used to identify or contact an individual, either alone or when combined with other data. This includes names, phone numbers, email addresses, IP addresses, and any user-submitted answers or free-text responses. Personal Data may be collected directly (e.g., through SMS opt-ins or form submissions) or indirectly (e.g., device information or identifiers tied to platform usage).

d) "Usage Data" means information generated as users interact with the Platform or Services, including engagement metrics (e.g., video views, completion rates), feature usage, click paths, timestamps, device/browser type, and system performance logs. Usage Data may also include metadata associated with a phone number or session ID but does not include user-submitted fields such as name or email. StoryPath retains ownership of all Usage Data for internal business, optimization, and analytics purposes.

e) "Client Data" means any data submitted by an enterprise customer to StoryPath for use within the Platform, including user lists, phone numbers, email addresses, and program configuration details. Clients retain ownership of their Client Data.

f) "Processing" means any operation performed on Personal Data, whether automated or not, such as collection, use, storage, disclosure, or deletion.

g) "Data Controller" means the party that determines the purposes and means of processing Personal Data.

h) "Data Processor" means the party that processes Personal Data on behalf of a Data Controller.

i) "Subprocessor" means a third-party service provider engaged by StoryPath to process Personal Data in support of the Services (e.g., SMS delivery, hosting, video streaming).

j) "You" or "User" means any individual who visits our websites, interacts with StoryPath content via SMS, or engages with any part of the MOBIT platform-either directly or through an enterprise client relationship.

4) How We Collect Data

We collect Personal Data and Usage Data through the following methods:

a) Directly from You

i) When you interact with our Platform or Services, you may voluntarily provide data, including:

ii) Sending an SMS to initiate a mobile journey

iii) Completing a form (e.g., name, email, feedback)

iv) Responding to prompts or questions within a journey

v) In these cases, we collect only the information you choose to submit, which may include your phone number, name, email address, or free-text answers. If you do not provide such information, certain features of the Platform may not be available to you.

b) Provided by an Enterprise Client

i) When you are participating in a journey as part of a program initiated by one of our enterprise clients, they may supply your contact details (e.g., phone number, name, or email) directly to StoryPath to deliver content through the MOBIT platform. In these cases, we act as a data processor on behalf of the client, and they are responsible for obtaining appropriate permissions and consents.

c) Automatically Through Your Interaction

When you use the Platform, we automatically collect certain technical and behavioral data, such as:

i) Device type and operating system

ii) IP address and browser information

iii) Timestamps of content accessed

iv) Video engagement (e.g., completion rates, viewing duration)

v) Clicks, scrolls, and other interaction events

This data is classified as Usage Data and helps us monitor platform performance, improve user experience, and generate analytics insights for both StoryPath and our clients.

5) Categories of Data We Process

The types of Personal Data and Usage Data we collect depend on how you interact with the Platform. Below is a summary of the categories of data we process:

a) Personal Data (may be submitted by you or provided by a client)

i) Phone number (submitted via SMS or provided by a client)

ii) First and last name (if entered in a form or submitted by a client)

iii) Email address (optional or client-provided)

iv) Feedback responses (open text fields or survey answers)

v) IP address (captured automatically during platform access)

b) Usage Data (automatically collected through platform interaction)

i) Video interaction data (e.g., time watched, % completed, replays)

ii) Content engagement (e.g., clicks on buttons, CTAs, navigation paths)

iii) Device information (e.g., mobile vs. desktop, browser type)

iv) Access timestamps (e.g., journey start time, session duration)

v) System performance logs (e.g., load time, errors)

We do not collect sensitive personal information such as government-issued IDs, health data, payment information, or biometric identifiers unless explicitly required in a custom enterprise configuration (and only with proper contractual and legal safeguards in place).

6) Purposes of Processing and Legal Basis

We process Personal Data and Usage Data to deliver, improve, and support our Services. The lawful basis for processing depends on your relationship to StoryPath and the type of data involved. Below are the primary purposes and applicable legal justifications:

a) Service Delivery

We process Personal Data (e.g., phone number, name, engagement data) to:

i) Deliver mobile learning journeys and content via SMS

ii) Authenticate participants and trigger relevant messages

iii) Track journey progress and personalize user experience

Legal basis: Performance of a contract (if you're part of a client program) or legitimate interest (if you initiate the journey directly).

b) Platform Functionality and Optimization

We process Usage Data to:

i) Monitor platform performance

ii) Identify and resolve technical issues

iii) Improve content design, timing, and relevance

Legal basis: Legitimate interest (ensuring platform quality, user experience, and operational integrity).

c) Support and Communication

We may use Personal Data to:

i) Respond to inquiries or support requests

ii) Notify you about technical issues, updates, or usage-related info

Legal basis: Legitimate interest or consent, depending on context.

d) Analytics and Reporting

We process Usage Data to:

i) Provide engagement metrics to enterprise clients

ii) Conduct aggregate-level analysis to improve outcomes

Legal basis: Legitimate interest (client reporting and platform improvement).

e) Legal Compliance and Security

We may process any data required to:

i) Comply with applicable legal obligations

ii) Investigate misuse or abuse of the platform

iii) Respond to lawful requests from authorities

Legal basis: Legal obligation and legitimate interest.

f) Marketing (Limited)

We do not use Personal Data for general marketing or behavioral advertising. We may send platform-related updates or demo-related follow-ups, but only with your prior consent or were allowed by law.

Legal basis: Consent or legitimate interest (enterprise demo follow-up).

7) Your Rights and Choices

Depending on your location and how you interact with the Platform, you may be entitled to certain rights under applicable data protection laws. These may include laws such as the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU General Data Protection Regulation (GDPR).

While StoryPath is a U.S.-based company and does not currently target or serve users in the European Union and therefore is not subject to the full scope of the GDPR. We have voluntarily adopted many of its core principles. Similarly, while we do not sell personal data or meet the revenue thresholds required for mandatory compliance under CCPA/CPRA, our practices are informed by its requirements. We strive to support transparency, data minimization, and user control across all jurisdictions in which we operate.

a) Right to Access

You have the right to request confirmation of whether we process your Personal Data and to obtain a copy of that data in a commonly used format.

b) Right to Rectification

You may request correction of inaccurate or incomplete Personal Data that we hold about you.

c) Right to Erasure ("Right to Be Forgotten")

You may request deletion of your Personal Data, subject to legal exceptions and data retention obligations (see Section 9).

d) Right to Restrict Processing

You may request that we restrict how we use your Personal Data—for example, while we investigate a correction request.

e) Right to Object

If we process your Personal Data based on legitimate interests, you may object to that processing.

f) Right to Data Portability

You may request that your Personal Data be transferred to you or to another controller in a machine-readable format.

g) Right to Withdraw Consent

Where our processing relies on your consent (e.g., SMS opt-in, demo form), you may withdraw your consent at any time without affecting prior processing.

h) Right to Non-Discrimination (CPRA)

We will not discriminate against you for exercising your privacy rights.

i) Right to File a Complaint

If you believe we have violated your privacy rights, you may contact your local data protection authority. We encourage you to contact us first so we can resolve your concerns directly.

How to Exercise Your Rights

You may submit a request to exercise any of the above rights by contacting us at support@storypath.us. We may need to verify your identity before processing your request. In some cases, we may refer your request to the enterprise client who controls the relevant data.

8) Data Sharing and Subprocessors

We do not sell your Personal Data. However, we may share your data with trusted third parties (subprocessors) to help us deliver and support the Platform. These subprocessors process data on our behalf and only as necessary to perform their services in accordance with our instructions and applicable data protection laws.

a) Subprocessors We Use

We may share Personal Data and Usage Data with the following subprocessors:

SubprocessorPurposeData TypesLocationTwilioSMS message delivery and routingPhone number, message metadataUSAVibesSMS orchestration and deliveryPhone number, SMS content metadataUSAVimeoVideo hosting and streaming analyticsViewing data, session metadataUSAMicrosoft AzureCloud hosting and database infrastructureAll stored dataUSAZapierWorkflow automation and backend triggersPhone number, user entered informationUSAStripePayment processingPayment method, transaction history, phone numberUSA

(Chart 1)

These providers are contractually bound to maintain appropriate security and confidentiality standards.

b) Other Disclosures

We may also disclose Personal Data:

i) To enterprise clients who own or control the data (if you are participating in a program they sponsor)

ii) To legal or regulatory authorities, if required to comply with a legal obligation or protect StoryPath's rights or safety

iii) In connection with a corporate transaction, such as a merger, sale, or acquisition, where permitted by law

We do not share Personal Data with advertisers or ad networks. We do not engage in cross-context behavioral advertising or third-party remarketing.

9) Data Storage and Retention

All data collected through the Platform is securely stored on U.S.-based servers hosted by Microsoft Azure. We implement technical and organizational safeguards to protect data against unauthorized access, alteration, or disclosure (see Section 10).

a) Retention Periods

We retain your personal information as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.

This means we may retain your data for extended periods to:

i) Provide long-term analytics and reporting to our enterprise clients

ii) Maintain records of your participation in educational journeys

iii) Support performance reporting and engagement trend analysis

iv) Comply with legal, regulatory, or contractual requirements

v) Establish or defend legal claims

vi) Protect against fraudulent or abusive activity

b) Deletion Requests

You may request deletion of your Personal Data (see Section 7). However:

i) We may be required to retain certain data for legal compliance

ii) Deletion may not be possible if the data has been anonymized or aggregated

iii) If we are acting as a data processor on behalf of an enterprise client, we may refer your request to them for fulfillment

Usage Data that is not directly tied to an individual (e.g., aggregate video engagement, anonymous session data) may be retained indefinitely for system performance, research, and internal analytics.

10) Data Transfers and EU-U.S. Data Privacy Framework

StoryPath is based in the United States, and all data processed through the Platform is stored on secure, U.S.-based servers (Microsoft Azure). If you are located outside the United States—such as in the European Union (EU), United Kingdom (UK), or Canada—your Personal Data may be transferred to and processed in the United States.

Where required by law, we implement appropriate safeguards to ensure that cross-border data transfers are lawful, secure, and subject to adequate protections.

a) EU-U.S. Data Privacy Framework (DPF)

i) While StoryPath has not formally certified under the EU-U.S. Data Privacy Framework (DPF), our data handling practices are designed to align with its principles. Should we receive personal data from the EU or UK, we implement appropriate safeguards to ensure secure cross-border transfers.

ii) If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the Principles shall govern. To learn more about the DPF program or view our certification, please visit: https://www.dataprivacyframework.gov.

iii) StoryPath remains liable for the processing of Personal Data under the DPF, including for onward transfers to third parties acting as agents, unless we can demonstrate we are not responsible for the event giving rise to the damage.

b) Dispute Resolution and Enforcement

i) If you are located in the EU or UK and have an unresolved privacy or data use concern that we have not addressed to your satisfaction, you may contact your local Data Protection Authority (DPA) or the UK Information Commissioner's Office (ICO). Under certain conditions, you may also invoke binding arbitration through the DPF Panel.

ii) We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to our compliance with the Data Privacy Framework.

11) Security Measures

StoryPath implements appropriate technical and organizational safeguards to protect the confidentiality, integrity, and availability of the data we collect and process. These security measures are designed to prevent unauthorized access, alteration, disclosure, or destruction of data stored on our Platform.

a) Infrastructure & Data Security

i) All platform data is hosted on secure, U.S.-based servers managed by Microsoft Azure, which complies with major certifications such as ISO/IEC 27001, SOC 2, and others.

ii) Data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption algorithms.

b) Access Controls

i) Access to client and end-user data is role-based and restricted to authorized personnel on a need-to-know basis.

ii) Administrative access is protected by multi-factor authentication (MFA), audit logging, and session timeouts.

iii) Internal access is logged and periodically reviewed for compliance and potential anomalies.

c) Application-Level Protections

i) Our platform employs input validation, rate limiting, and anti-CSRF/anti-XSS mechanisms to prevent common web vulnerabilities.

ii) Regular vulnerability scans and patching cycles are maintained to address emerging security threats.

d) Breach Notification

i) In the event of a data breach affecting Personal Data, StoryPath will notify affected individuals and, where required, applicable regulatory authorities in accordance with relevant data protection laws. While we are not currently subject to all provisions of laws such as the GDPR, CCPA/CPRA, or PIPEDA, our breach response practices are designed to align with the core principles of transparency and timely notification set forth in those frameworks.

12) Cookies & Tracking

StoryPath does not use third-party advertising cookies, behavioral tracking scripts, or embedded analytics tools (such as Google Analytics or Facebook Pixel) on our Platform or public websites.

a) Minimal Cookie Use

We may use strictly necessary cookies or local storage mechanisms for the following purposes:

i) Maintaining secure sessions during enterprise admin logins

ii) Remembering simple form preferences or opt-in confirmations

iii) Supporting accessibility or system performance settings

These technical mechanisms are limited in scope and do not track users across third-party websites or services.

b) No Cross-Site Tracking

Our Platform does not:

i) Use retargeting or ad cookies

ii) Employ third-party web beacons

iii) Track users across websites or over time for behavioral profiling

c) Managing Preferences

Because we do not use advertising or analytics tracking cookies, StoryPath is not currently required to display cookie consent banners under laws such as the GDPR or CCPA/CPRA. However, users may still manage cookie behavior through their browser settings. Please note that disabling certain cookies may impact the functionality of Platform features, particularly for enterprise administrators.

13) Children's Privacy

The StoryPath Platform is not intended for, and may not be used by, individuals under the age of 13. We do not knowingly collect Personal Data from children under 13 years of age in accordance with COPPA. If we learn that we have inadvertently collected information from a child under 13 without appropriate parental or legal guardian consent, we will delete such data promptly.

a) Intended Use

i) The Platform and its Services are designed for use by enterprise clients and consenting adult end users.

ii) Clients are responsible for ensuring that any Personal Data they submit to the Platform has been lawfully obtained, including compliance with applicable age-related consent laws.

b) GDPR Note

In jurisdictions where data protection laws such as the GDPR apply, we do not knowingly collect Personal Data from anyone under the age of 16, unless a lower age threshold is permitted by local law and appropriate parental or guardian consent has been obtained. While StoryPath does not currently target users in the EU, our children's privacy practices are designed to reflect the core intent of relevant regulations.

14) Changes to This Policy

StoryPath may update this Privacy & Data Usage Policy from time to time to reflect changes in legal requirements, operational practices, or enhancements to our Platform.

a) Version Tracking

Each version of this Policy will be marked with an effective date. If the changes materially affect how we collect or use Personal Data, we will provide advance notice where required by applicable law.

b) Notification Methods

If you are a Platform end user, updates may be communicated via:

i) A banner or pop-up on the Platform or website

ii) Direct email (if contact information is available)

iii) Updated language in the footer or within login portals

If you are an enterprise client, updates may also be provided via:

iv) Email to the designated account administrator

v) Notification through your assigned Client Success contact

c) Your Continued Use

Your continued use of the Platform or Services after the effective date of an updated Policy constitutes your acknowledgment and acceptance of the revised terms.

15) Contact Information

If you have any questions about this Privacy Policy, your data, or how we handle personal information, please contact us:

StoryPath, LLC 3505 E. Monarch Sky Lane, Suite 210 Meridian, Idaho 83646 United States

Data Protection Officer (DPO) Email: support@storypath.us

If you are located in the European Union or United Kingdom and have questions about how your data is handled or if you would like to inquire about the EU-U.S. Data Privacy Framework, you may contact us for additional information. While StoryPath does not currently target or serve users in the EU/UK and is not subject to all provisions of GDPR, we are committed to upholding strong privacy practices and will provide support where appropriate. For privacy-related inquiries, you may reach our Data Protection Officer at Support@storypath.us.

Privacy & Data Usage Policy

Effective Date: This Privacy Policy is effective as of June 10, 2025, and supersedes all previous versions.

Last Updated: N/A

Version: 1.0