Privacy Policy.
01Introduction and Scope
This Privacy Policy explains how StoryPath, LLC ("StoryPath," "we," "our," or "us") collects, uses, stores, and protects personal information in connection with our websites, mobile journeys, and platform-based services. StoryPath is the owner and operator of the MOBIT platform, a proprietary mobile intelligence platform used to deliver educational content, customer journeys, and SMS-based learning experiences.
This Privacy Policy applies to:
- Visitors to our websites, including www.storypath.us and www.mobit.com
- Individuals who interact with our platform at app.mobit.com
- Users who engage with content delivered via SMS or email through the MOBIT platform
- Representatives of enterprise clients who contract with StoryPath for content delivery
This Privacy Policy is incorporated by reference into any Master Services Agreement (MSA) or other agreement governing the use of our platform. Additional privacy and data processing terms may apply when an executed Data Processing Addendum (DPA) is in place between StoryPath and an enterprise client.
By accessing or using any part of our platform or services, you acknowledge and agree to the terms outlined in this Privacy Policy.
02Who We Are
StoryPath, LLC is a U.S.-based technology company headquartered at 3505 E. Monarch Sky Lane, Suite 210, Meridian, Idaho 83646. We develop and operate the MOBIT platform, a proprietary mobile intelligence system used to deliver time-released educational content, SMS journeys, and data-driven engagement tools. All MOBIT platform infrastructure is hosted in the United States using Microsoft Azure.
We serve both individual users and enterprise clients across a range of regulated and compliance-sensitive industries. While StoryPath is a U.S.-based company and not currently subject to all provisions of international data protection laws, our privacy practices are informed by leading frameworks such as the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU General Data Protection Regulation (GDPR). We have voluntarily adopted many of their core principles, including transparency, user control, and data minimization, to guide how we handle personal data.
Unless otherwise agreed to in writing, all personal data is stored in the United States and retained for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.
Where we act on behalf of an enterprise client, our role is typically that of a data processor, subject to the terms of a Master Services Agreement (MSA) or executed Data Processing Addendum (DPA). For direct relationships with consumers or form-filling users, we act as the data controller responsible for determining the purposes and means of processing.
03Definitions
For purposes of this Privacy Policy, the following terms are used consistently with their meanings under applicable data protection laws and StoryPath's Master Services Agreement:
- "Platform" means the MOBIT platform and its associated software components, including backend infrastructure, user interfaces, content delivery tools, SMS triggers, analytics systems, and other systems operated by StoryPath.
- "Personal Data" (or "Personal Information") means any information that can reasonably be used to identify or contact an individual, either alone or when combined with other data. This includes names, phone numbers, email addresses, IP addresses, and any user-submitted answers or free-text responses. Personal Data may be collected directly (e.g., through SMS opt-ins or form submissions) or indirectly (e.g., device information or identifiers tied to platform usage).
- "Usage Data" means information generated as users interact with the Platform or Services, including engagement metrics (e.g., video views, completion rates), feature usage, click paths, timestamps, device/browser type, and system performance logs. Usage Data may also include metadata associated with a phone number or session ID but does not include user-submitted fields such as name or email. StoryPath retains ownership of all Usage Data for internal business, optimization, and analytics purposes.
- "Client Data" means any data submitted by an enterprise customer to StoryPath for use within the Platform, including user lists, phone numbers, email addresses, and program configuration details. Clients retain ownership of their Client Data.
- "Processing" means any operation performed on Personal Data, whether automated or not, such as collection, use, storage, disclosure, or deletion.
- "Data Controller" means the party that determines the purposes and means of processing Personal Data.
- "Data Processor" means the party that processes Personal Data on behalf of a Data Controller.
- "Subprocessor" means a third-party service provider engaged by StoryPath to process Personal Data in support of the Services (e.g., SMS delivery, hosting, video streaming).
- "You" or "User" means any individual who visits our websites, interacts with StoryPath content via SMS, or engages with any part of the MOBIT platform, either directly or through an enterprise client relationship.
04How We Collect Data
We collect Personal Data and Usage Data through the following methods:
Directly from You
When you interact with our Platform or Services, you may voluntarily provide data, including:
- Sending an SMS to initiate a mobile journey
- Completing a form (e.g., name, email, feedback)
- Responding to prompts or questions within a journey
In these cases, we collect only the information you choose to submit, which may include your phone number, name, email address, or free-text answers. If you do not provide such information, certain features of the Platform may not be available to you.
Provided by an Enterprise Client
When you are participating in a journey as part of a program initiated by one of our enterprise clients, they may supply your contact details (e.g., phone number, name, or email) directly to StoryPath to deliver content through the MOBIT platform. In these cases, we act as a data processor on behalf of the client, and they are responsible for obtaining appropriate permissions and consents.
Automatically Through Your Interaction
When you use the Platform, we automatically collect certain technical and behavioral data, such as:
- Device type and operating system
- IP address and browser information
- Timestamps of content accessed
- Video engagement (e.g., completion rates, viewing duration)
- Clicks, scrolls, and other interaction events
This data is classified as Usage Data and helps us monitor platform performance, improve user experience, and generate analytics insights for both StoryPath and our clients.
05Categories of Data We Process
The types of Personal Data and Usage Data we collect depend on how you interact with the Platform. Below is a summary of the categories of data we process:
Personal Data (may be submitted by you or provided by a client)
- Phone number (submitted via SMS or provided by a client)
- First and last name (if entered in a form or submitted by a client)
- Email address (optional or client-provided)
- Feedback responses (open text fields or survey answers)
- IP address (captured automatically during platform access)
Usage Data (automatically collected through platform interaction)
- Video interaction data (e.g., time watched, % completed, replays)
- Content engagement (e.g., clicks on buttons, CTAs, navigation paths)
- Device information (e.g., mobile vs. desktop, browser type)
- Access timestamps (e.g., journey start time, session duration)
- System performance logs (e.g., load time, errors)
We do not collect sensitive personal information such as government-issued IDs, health data, payment information, or biometric identifiers unless explicitly required in a custom enterprise configuration (and only with proper contractual and legal safeguards in place).
06Purposes of Processing and Legal Basis
We process Personal Data and Usage Data to deliver, improve, and support our Services. The lawful basis for processing depends on your relationship to StoryPath and the type of data involved. Below are the primary purposes and applicable legal justifications:
Service Delivery
We process Personal Data (e.g., phone number, name, engagement data) to:
- Deliver mobile learning journeys and content via SMS
- Authenticate participants and trigger relevant messages
- Track journey progress and personalize user experience
Legal basis: Performance of a contract (if you're part of a client program) or legitimate interest (if you initiate the journey directly).
Platform Functionality and Optimization
We process Usage Data to:
- Monitor platform performance
- Identify and resolve technical issues
- Improve content design, timing, and relevance
Legal basis: Legitimate interest (ensuring platform quality, user experience, and operational integrity).
Support and Communication
We may use Personal Data to:
- Respond to inquiries or support requests
- Notify you about technical issues, updates, or usage-related info
Legal basis: Legitimate interest or consent, depending on context.
Analytics and Reporting
We process Usage Data to:
- Provide engagement metrics to enterprise clients
- Conduct aggregate-level analysis to improve outcomes
Legal basis: Legitimate interest (client reporting and platform improvement).
Legal Compliance and Security
We may process any data required to:
- Comply with applicable legal obligations
- Investigate misuse or abuse of the platform
- Respond to lawful requests from authorities
Legal basis: Legal obligation and legitimate interest.
Marketing (Limited)
We do not use Personal Data for general marketing or behavioral advertising. We may send platform-related updates or demo-related follow-ups, but only with your prior consent or where allowed by law.
Legal basis: Consent or legitimate interest (enterprise demo follow-up).
07Your Rights and Choices
Depending on your location and how you interact with the Platform, you may be entitled to certain rights under applicable data protection laws. These may include laws such as the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU General Data Protection Regulation (GDPR).
While StoryPath is a U.S.-based company and does not currently target or serve users in the European Union and therefore is not subject to the full scope of the GDPR. We have voluntarily adopted many of its core principles. Similarly, while we do not sell personal data or meet the revenue thresholds required for mandatory compliance under CCPA/CPRA, our practices are informed by its requirements. We strive to support transparency, data minimization, and user control across all jurisdictions in which we operate.
Right to Access
You have the right to request confirmation of whether we process your Personal Data and to obtain a copy of that data in a commonly used format.
Right to Rectification
You may request correction of inaccurate or incomplete Personal Data that we hold about you.
Right to Erasure ("Right to Be Forgotten")
You may request deletion of your Personal Data, subject to legal exceptions and data retention obligations (see Section 9).
Right to Restrict Processing
You may request that we restrict how we use your Personal Data, for example, while we investigate a correction request.
Right to Object
If we process your Personal Data based on legitimate interests, you may object to that processing.
Right to Data Portability
You may request that your Personal Data be transferred to you or to another controller in a machine-readable format.
Right to Withdraw Consent
Where our processing relies on your consent (e.g., SMS opt-in, demo form), you may withdraw your consent at any time without affecting prior processing.
Right to Non-Discrimination (CPRA)
We will not discriminate against you for exercising your privacy rights.
Right to File a Complaint
If you believe we have violated your privacy rights, you may contact your local data protection authority. We encourage you to contact us first so we can resolve your concerns directly.
How to Exercise Your Rights
You may submit a request to exercise any of the above rights by contacting us at support@storypath.us. We may need to verify your identity before processing your request. In some cases, we may refer your request to the enterprise client who controls the relevant data.
08Data Sharing and Subprocessors
We do not sell your Personal Data. However, we may share your data with trusted third parties (subprocessors) to help us deliver and support the Platform. These subprocessors process data on our behalf and only as necessary to perform their services in accordance with our instructions and applicable data protection laws.
Subprocessors We Use
We may share Personal Data and Usage Data with the following subprocessors:
| Subprocessor | Purpose | Data Types | Location |
|---|---|---|---|
| Twilio | SMS message delivery and routing | Phone number, message metadata | USA |
| Vibes | SMS orchestration and delivery | Phone number, SMS content metadata | USA |
| Vimeo | Video hosting and streaming analytics | Viewing data, session metadata | USA |
| Microsoft Azure | Cloud hosting and database infrastructure | All stored data | USA |
| Zapier | Workflow automation and backend triggers | Phone number, user-entered information | USA |
| Stripe | Payment processing | Payment method, transaction history, phone number | USA |
These providers are contractually bound to maintain appropriate security and confidentiality standards.
Other Disclosures
We may also disclose Personal Data:
- To enterprise clients who own or control the data (if you are participating in a program they sponsor)
- To legal or regulatory authorities, if required to comply with a legal obligation or protect StoryPath's rights or safety
- In connection with a corporate transaction, such as a merger, sale, or acquisition, where permitted by law
We do not share Personal Data with advertisers or ad networks. We do not engage in cross-context behavioral advertising or third-party remarketing.
09Data Storage and Retention
All data collected through the Platform is securely stored on U.S.-based servers hosted by Microsoft Azure. We implement technical and organizational safeguards to protect data against unauthorized access, alteration, or disclosure (see Section 10).
Retention Periods
We retain your personal information as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements.
This means we may retain your data for extended periods to:
- Provide long-term analytics and reporting to our enterprise clients
- Maintain records of your participation in educational journeys
- Support performance reporting and engagement trend analysis
- Comply with legal, regulatory, or contractual requirements
- Establish or defend legal claims
- Protect against fraudulent or abusive activity
Deletion Requests
You may request deletion of your Personal Data (see Section 7). However:
- We may be required to retain certain data for legal compliance
- Deletion may not be possible if the data has been anonymized or aggregated
- If we are acting as a data processor on behalf of an enterprise client, we may refer your request to them for fulfillment
Usage Data that is not directly tied to an individual (e.g., aggregate video engagement, anonymous session data) may be retained indefinitely for system performance, research, and internal analytics.
10Data Transfers and EU-U.S. Data Privacy Framework
StoryPath is based in the United States, and all data processed through the Platform is stored on secure, U.S.-based servers (Microsoft Azure). If you are located outside the United States, such as in the European Union (EU), United Kingdom (UK), or Canada, your Personal Data may be transferred to and processed in the United States.
Where required by law, we implement appropriate safeguards to ensure that cross-border data transfers are lawful, secure, and subject to adequate protections.
EU-U.S. Data Privacy Framework (DPF)
While StoryPath has not formally certified under the EU-U.S. Data Privacy Framework (DPF), our data handling practices are designed to align with its principles. Should we receive personal data from the EU or UK, we implement appropriate safeguards to ensure secure cross-border transfers.
If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the Principles shall govern. To learn more about the DPF program or view our certification, please visit: dataprivacyframework.gov.
StoryPath remains liable for the processing of Personal Data under the DPF, including for onward transfers to third parties acting as agents, unless we can demonstrate we are not responsible for the event giving rise to the damage.
Dispute Resolution and Enforcement
If you are located in the EU or UK and have an unresolved privacy or data use concern that we have not addressed to your satisfaction, you may contact your local Data Protection Authority (DPA) or the UK Information Commissioner's Office (ICO). Under certain conditions, you may also invoke binding arbitration through the DPF Panel.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to our compliance with the Data Privacy Framework.
11Security Measures
StoryPath implements appropriate technical and organizational safeguards to protect the confidentiality, integrity, and availability of the data we collect and process. These security measures are designed to prevent unauthorized access, alteration, disclosure, or destruction of data stored on our Platform.
Infrastructure & Data Security
- All platform data is hosted on secure, U.S.-based servers managed by Microsoft Azure, which complies with major certifications such as ISO/IEC 27001, SOC 2, and others.
- Data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption algorithms.
Access Controls
- Access to client and end-user data is role-based and restricted to authorized personnel on a need-to-know basis.
- Administrative access is protected by multi-factor authentication (MFA), audit logging, and session timeouts.
- Internal access is logged and periodically reviewed for compliance and potential anomalies.
Application-Level Protections
- Our platform employs input validation, rate limiting, and anti-CSRF/anti-XSS mechanisms to prevent common web vulnerabilities.
- Regular vulnerability scans and patching cycles are maintained to address emerging security threats.
Breach Notification
In the event of a data breach affecting Personal Data, StoryPath will notify affected individuals and, where required, applicable regulatory authorities in accordance with relevant data protection laws. While we are not currently subject to all provisions of laws such as the GDPR, CCPA/CPRA, or PIPEDA, our breach response practices are designed to align with the core principles of transparency and timely notification set forth in those frameworks.
12Cookies & Tracking
StoryPath does not use third-party advertising cookies, behavioral tracking scripts, or embedded analytics tools (such as Google Analytics or Facebook Pixel) on our Platform or public websites.
Minimal Cookie Use
We may use strictly necessary cookies or local storage mechanisms for the following purposes:
- Maintaining secure sessions during enterprise admin logins
- Remembering simple form preferences or opt-in confirmations
- Supporting accessibility or system performance settings
These technical mechanisms are limited in scope and do not track users across third-party websites or services.
No Cross-Site Tracking
Our Platform does not:
- Use retargeting or ad cookies
- Employ third-party web beacons
- Track users across websites or over time for behavioral profiling
Managing Preferences
Because we do not use advertising or analytics tracking cookies, StoryPath is not currently required to display cookie consent banners under laws such as the GDPR or CCPA/CPRA. However, users may still manage cookie behavior through their browser settings. Please note that disabling certain cookies may impact the functionality of Platform features, particularly for enterprise administrators.
13Children's Privacy
The StoryPath Platform is not intended for, and may not be used by, individuals under the age of 13. We do not knowingly collect Personal Data from children under 13 years of age in accordance with COPPA. If we learn that we have inadvertently collected information from a child under 13 without appropriate parental or legal guardian consent, we will delete such data promptly.
Intended Use
- The Platform and its Services are designed for use by enterprise clients and consenting adult end users.
- Clients are responsible for ensuring that any Personal Data they submit to the Platform has been lawfully obtained, including compliance with applicable age-related consent laws.
GDPR Note
In jurisdictions where data protection laws such as the GDPR apply, we do not knowingly collect Personal Data from anyone under the age of 16, unless a lower age threshold is permitted by local law and appropriate parental or guardian consent has been obtained. While StoryPath does not currently target users in the EU, our children's privacy practices are designed to reflect the core intent of relevant regulations.
14Changes to This Policy
StoryPath may update this Privacy & Data Usage Policy from time to time to reflect changes in legal requirements, operational practices, or enhancements to our Platform.
Version Tracking
Each version of this Policy will be marked with an effective date. If the changes materially affect how we collect or use Personal Data, we will provide advance notice where required by applicable law.
Notification Methods
If you are a Platform end user, updates may be communicated via:
- A banner or pop-up on the Platform or website
- Direct email (if contact information is available)
- Updated language in the footer or within login portals
If you are an enterprise client, updates may also be provided via:
- Email to the designated account administrator
- Notification through your assigned Client Success contact
Your Continued Use
Your continued use of the Platform or Services after the effective date of an updated Policy constitutes your acknowledgment and acceptance of the revised terms.
15Contact Information
If you have any questions about this Privacy Policy, your data, or how we handle personal information, please contact us:
StoryPath, LLC
3505 E. Monarch Sky Lane, Suite 210
Meridian, Idaho 83646
United States
Data Protection Officer (DPO)
Email: support@storypath.us
If you are located in the European Union or United Kingdom and have questions about how your data is handled or if you would like to inquire about the EU-U.S. Data Privacy Framework, you may contact us for additional information. While StoryPath does not currently target or serve users in the EU/UK and is not subject to all provisions of GDPR, we are committed to upholding strong privacy practices and will provide support where appropriate. For privacy-related inquiries, you may reach our Data Protection Officer at support@storypath.us.