Effective Date: November 2025
Applies To: All data collected, stored, or processed by The Storywell Studio LLC
Jurisdiction: Colorado, United States (El Paso County)

1. PURPOSE OF THIS POLICY

The purpose of this Data Security Policy is to protect the confidentiality, integrity, and availability of all personal information collected and processed by The Storywell Studio LLC (“Company,” “we,” “our,” or “us”). This Policy outlines the administrative, technical, and physical safeguards we use to secure client information in compliance with Colorado data protection requirements and general best practices for online businesses.

2. SCOPE

This Policy applies to:

• All client information collected through our website, email, forms, payment platforms, and interviews

• All digital files, drafts, notes, transcripts, and project materials

• All systems and devices used for business operations

• All contractors or service providers who may access personal data

It covers all information belonging to:

• Clients

• Prospective clients

• Website visitors

• Newsletter subscribers

3. TYPES OF DATA WE PROTECT

The Storywell Studio handles and protects the following categories of data:

3.1. Personal Identifying Information (PII)

• Name

• Email address

• Phone number

• Location details

• Social media handles

• Business name and website

3.2. Client Story Information

• Personal stories shared for projects

• Background, life experiences, and sensitive emotional content

• Audio/video interview recordings

• Written drafts and transcripts

3.3. Billing & Transaction Data

• Invoice details

• Payment confirmations

• Payment history (excluding full credit card numbers)

3.4. Website & Analytics Data

• IP addresses

• Browser/device details

• Website engagement metrics

4. DATA SECURITY MEASURES

The Storywell Studio uses a multi-layered data protection strategy, including administrative, technical, and physical safeguards.

4.1. Administrative Safeguards

We maintain the following practices:

• Limit access to client data only to individuals who need it to perform their duties

• Require secure credentials for all systems (email, drive, website, payment platforms)

• Use strong, unique passwords for all business accounts

• Enable multi-factor authentication (MFA) wherever available

• Do not share client information with third parties unless necessary for service delivery

• Keep client data only as long as necessary to fulfill the service or meet legal obligations

• Require any contractors or subcontractors to sign confidentiality agreements

4.2. Technical Safeguards

The Storywell Studio employs the following technology protections:

• Password-protected devices used exclusively by the business owner

• MFA-enabled Google Workspace and cloud storage

• Encrypted connections (HTTPS) on our website

• Industry-standard encryption used by third-party processors such as Stripe, PayPal, Squarespace, Calendly, Zoom, and Google Drive

• Regular updates to software, apps, and devices

• Secure storage of digital files on reputable cloud-based systems

• Automatic data backup through Google Workspace

• Avoiding storage of sensitive data on unencrypted local drives

4.3. Physical Safeguards

Even as a virtual business, we take physical precautions:

• Devices storing client data (laptops, phones) are kept in secure locations

• Devices are locked when not in use

• No printed copies of client stories or transcripts are created unless absolutely necessary

• If paper copies are created, they are stored securely and shredded after use

5. THIRD-PARTY SERVICE PROVIDERS

We use trusted third-party vendors that maintain their own security standards. These may include:

• Squarespace (website + forms)

• Google Workspace (email, storage, documents)

• Stripe / PayPal (payments)

• Calendly or similar (scheduling)

• Zoom or Google Meet (recording sessions)

• AI transcription tools (used only with client consent; stored securely)

We require vendors to maintain industry-standard security, and we never sell client data.

6. RETENTION & DELETION OF DATA

6.1. Retention

We retain client information only as long as necessary to:

• Complete their project

• Comply with tax, accounting, or legal obligations

• Maintain business records for protection and documentation

6.2. Client Requests for Deletion

Clients may request deletion of:

• Story data

• Interview recordings

• Drafts and transcripts

• Personal identifying information

We will comply unless retention is required by law.

6.3. Secure Disposal

Data is securely deleted by:

• Secure digital deletion practices

• Shredding of physical copies (if any exist)

• Removal from cloud storage after project closure + retention period

7. INCIDENT RESPONSE & BREACH PROCEDURES

If a data breach occurs (unauthorized access, disclosure, or loss of data), The Storywell Studio will:

1. Immediately secure systems and stop further unauthorized access

2. Assess the type and extent of data involved

3. Notify affected clients as required by Colorado law (within 30 days for certain types of data)

4. Provide guidance on steps clients may need to take

5. Document the incident and corrective measures

We will cooperate with law enforcement if necessary.

8. INTERNATIONAL CLIENTS

For clients outside the United States:

• Data may be processed in the U.S.

• By using our services, you consent to this processing

• We follow internationally recognized data protection standards

9. UPDATES TO THIS POLICY

We may revise this Policy at any time. The effective date at the top will reflect the most recent update. Continued use of our website or services indicates acceptance of updated terms.

10. CONTACT INFORMATION

If you have questions, concerns, or requests related to this Data Security Policy, please contact:

The Storywell Studio
📧 Email: hello@thestorywellstudio.com
🌐 Website: www.thestorywellstudio.com

Please include “Data Security Policy” in your subject line for quick routing.