MyStory legal documents. Current version: 2026-05-02, operating entity Crest Advisory Group LLC. These documents are working drafts pending Cooley review; the effective version will be marked at launch.
MyStory Privacy Policy
Effective Date: [DATE TO BE SET AT LAUNCH]
This Privacy Policy explains how Crest Advisory Group LLC ("Crest," "we," "us," or "our") collects, uses, shares, and protects information in connection with the MyStory platform (the "Service"). This Policy is incorporated into the MyStory Terms of Service.
We designed MyStory to safeguard intimate personal stories, voice, and family communications. We treat your data accordingly.
1. Scope and Roles
This Policy applies to information processed when you visit our websites, create a MyStory account, capture stories or recordings, configure a Persona, invite Family Members, or otherwise interact with the Service.
Crest acts as a data controller for personal information of account holders ("Authors"), Family Invitees, and Executors. Where Crest provides the Service to a tenant organization on a per-tenant basis, Crest may act as a processor on behalf of that tenant for tenant-administered data.
2. Information We Collect
2.1 Information You Provide
Account information: name, email, phone (optional), password hash, mailing address (optional), date of birth (optional, used for age verification and recipient unlock logic).
Author Content: voice recordings, transcripts, written stories, chapters, photographs, sealed letters, and any other content you upload.
Voice clone seed data: a consented voice sample used to construct your voice clone, retained per Section 5.
Persona configuration: topic preferences, behavior limits, response tone, persona "guardrails."
Family Invitee directory: names, email addresses, relationships, access scopes, and recipient designations for sealed letters.
Executor designation: name, email, optional secondary contact, scope of access permitted on inactivity trigger.
Payment information: billing name and address, last four digits and brand of payment card, billing history. Full card numbers are tokenized and held by our payment processor; Crest does not store full card numbers.
Communications: support tickets, survey responses, in-Service messages.
2.2 Information Collected Automatically
Device and log data: IP address, device type, OS, browser, timestamps, referring/exit URLs, user-agent.
Cookies and similar technologies: strictly necessary, functional, analytics, and (with consent where required) marketing cookies. See Section 9.
2.3 Information from Third Parties
Payment processors confirm transactions and return tokenized payment status.
Email providers return delivery and bounce status for transactional and family-invite emails.
Substrate providers and analytics processors return inference outputs and aggregated usage; raw inputs (Author Content) are not used to train any third-party general-purpose model.
We intentionally describe these vendors by category rather than by identity for security and competitive reasons. A current list of subprocessors is available on request to legal@crestadvisorygroup.com.
3. How We Use Information
We use information for the following purposes:
Service delivery: to authenticate you, host Author Content, render Persona responses, deliver sealed letters, process payments, and operate Family Invitee features.
Personalization: to tailor prompts, suggested chapters, and recommended next steps within your MyStory book.
Voice clone and Persona generation: processed only with your explicit opt-in; see the Persona Consent Addendum.
Communication: transactional emails (account, billing, security), product updates, and (with consent where required) marketing.
Safety and integrity: to detect fraud, abuse, impersonation, security incidents, and policy violations.
Legal and compliance: to comply with legal obligations, respond to lawful requests, enforce our Terms, and protect rights, safety, and property.
Analytics and product improvement: in aggregated or de-identified form that cannot reasonably be linked back to you.
We do not sell your personal information. We do not use Author Content to train any general-purpose foundation model or to train models for other customers.
4. How We Share Information
We share information only with the following categories of recipients:
Substrate and infrastructure processors that host, encode, transcribe, model, and render your content under contractual confidentiality and data-protection terms. They process data solely on our instructions.
Payment processors to process transactions and combat fraud.
Email and notification providers to deliver transactional and family-invite communications.
Customer support tooling to handle your requests.
Family Invitees and Executors in the access scope you designate.
Legal and safety recipients when we are compelled by law (e.g., subpoena, court order) or believe disclosure is necessary to protect rights, safety, or property. Where lawful, we will notify you.
Successors in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.
We never trade or sell Author Content, Persona models, voice clones, or sealed letters.
5. Data Retention
| Category | Retention | |---|---| | Account profile | Life of account, then 30 days after deletion request | | Author Content (recordings, chapters, letters) | Indefinitely while account is active or dormant; destroyed within 30 days of verified deletion request | | Voice clone seed data | Until you disable voice features or delete account; destroyed within 30 days | | Persona model artifacts | Paused on cancellation; destroyed within 30 days of full account deletion | | Conversation history (family chat) | Indefinitely while account active; destroyed within 30 days of full account deletion | | Sealed letters | Until delivered, withdrawn by you, or account deleted | | Payment records | 7 years (tax/accounting) | | Security logs | 13 months | | De-identified analytics | Indefinitely (cannot reasonably be re-linked to you) | | Legal hold | Duration of obligation |
After the Inactivity Protocol triggers, retention follows the Inactivity Protocol document.
6. Your Rights
Depending on where you live, you may have the rights below. To exercise any right, email legal@crestadvisorygroup.com from the email associated with your account, or use in-Service tools where available.
6.1 GDPR (EEA, UK, Switzerland)
Article 15 access: a copy of your personal data.
Article 16 rectification: correction of inaccurate data.
Article 17 erasure: deletion, subject to lawful retention.
Article 18 restriction of processing.
Article 20 data portability: export in machine-readable format.
Article 21 objection to processing based on legitimate interest.
Article 22 rights related to automated decision-making (Persona).
Withdraw consent at any time, including consent to the voice clone and Persona.
Lodge a complaint with your supervisory authority.
6.2 CCPA / CPRA (California)
Right to know what personal information is collected and the purposes.
Right to delete personal information, subject to exceptions.
Right to correct inaccurate information.
Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information; we do not engage in cross-context behavioral advertising on the MyStory Service.
Right to limit use of sensitive personal information (voice biometrics).
Right to non-discrimination for exercising rights.
6.3 Other U.S. State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws may exercise analogous rights, including access, deletion, correction, portability, and opt-out of targeted advertising and profiling.
We will respond within forty-five (45) days, extendable once for an additional forty-five (45) days as permitted.
7. Children's Privacy and Letters to Minors
The MyStory Service is intended for users eighteen (18) and older. We do not knowingly collect personal information from children under thirteen (13). If we learn we have collected such information, we will delete it promptly.
For sealed letters addressed to minors:
Authors do not provide a minor recipient's account credentials. Minor recipients are not given MyStory accounts.
The recipient field for a minor stores the recipient's name and a custodian (parent or legal guardian of record) email.
At unlock, delivery is made to the custodian, who delivers to the minor in their discretion. Alternatively, if the minor has reached the age of majority by the unlock date, delivery is made to the recipient directly upon their identity verification.
We do not treat the storage of a minor's name and a custodian's email as creating a child user account. We collect no behavior, device, or contact data from the minor through the Service.
If you believe a minor has been improperly enrolled or contacted, email privacy@crestadvisorygroup.com.
8. Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
TLS 1.2 or higher in transit.
AES-256 encryption at rest.
KMS-managed envelope encryption (data encryption keys wrapped by master keys held in a managed KMS) for Author Content, voice clones, and sealed letters.
Role-based access controls and least-privilege internal policies.
Audit logging of administrative access.
Security review processes for vendors and code.
No system is perfectly secure. You are responsible for maintaining the confidentiality of your credentials and for notifying us promptly of any suspected compromise.
9. Cookies and Tracking
We use:
Strictly necessary cookies to operate the Service (authentication, security).
Functional cookies to remember preferences.
Analytics cookies to understand aggregated product usage.
Marketing cookies only on our marketing pages (not in-app), and only with consent where required.
You can manage cookie preferences through our consent banner (where required) or your browser settings. We honor Global Privacy Control signals where applicable.
10. International Transfers
Crest is based in the United States, and your data will be processed there and in other jurisdictions where our subprocessors operate. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and supplementary measures where appropriate.
11. Changes to This Policy
We may update this Policy from time to time. We will provide notice of material changes by email and via in-Service notice at least thirty (30) days before the changes take effect. The "Effective Date" at the top reflects the most recent update.
12. Contact
Crest Advisory Group LLC Attn: Privacy Palm Beach, FL legal@crestadvisorygroup.com | privacy@crestadvisorygroup.com (561) 935-3100
If you are in the EEA or UK and require an EU/UK representative, please contact us; we will identify the representative on request.
[COOLEY REVIEW REQUIRED. voice biometric / sensitive personal information classification (CCPA), SCC mechanism for international transfers, COPPA-adjacent letters-to-minors carveout in Section 7, retention schedule in Section 5, automated decision-making (Persona) under GDPR Article 22.]