Nestory Arc/Privacy Policy

Privacy Policy

Last updated: May 31, 2026

1. Introduction

Nestory Arc (“Service”) is a service for the secure delivery and sharing of photos and videos. This Privacy Policy explains how the Service collects, uses, and protects your personal information. By using this Service, you agree to this Policy.

2. Information We Collect

We collect the following information.

  • Account information: Email address and display name (collected at registration)
  • Google account information: When signing in via Google OAuth, profile information provided by Google (email address and display name)
  • Uploaded files: Photos, videos, and other files you upload to the Service
  • Payment-related information: Payments are processed through Stripe, Inc. Credit card numbers are not stored on our servers; Stripe manages them directly. We only retain the customer identifier (Customer ID) issued by Stripe
  • Usage logs: Access timestamps, IP addresses, and browser information (for service improvement and security purposes)
  • Session information: An anonymous session identifier stored in the browser's localStorage (used for the file selection feature on share pages)

3. How We Use Your Information

  • Account creation, management, and authentication
  • Providing file upload, storage, and sharing functionality
  • Virus and malware scanning (using AttachmentAV, a third-party service)
  • Detecting and preventing unauthorized use
  • Service improvement and new feature development
  • Sending important service notifications

4. Information Sharing

We do not sell or share your personal information with third parties except in the following cases.

  • Infrastructure providers: Cloud database and authentication (Supabase), high-security file storage (Cloudflare R2), hosting (Vercel)
  • Payment service: For paid plan payment processing, we provide your email address and customer identification to Stripe, Inc. Please refer to Stripe's privacy policy at stripe.com/privacy
  • Virus scan service: Files are sent to the scanning engine (AttachmentAV) for safety verification
  • Legal requests: When required by applicable law or regulation

5. Data Storage and Deletion

  • Uploaded files are encrypted and stored in high-security cloud storage (Cloudflare R2)
  • Files moved to trash are retained for 7 days and then automatically and permanently deleted
  • When an account is deleted, all files, albums, and personal information are permanently deleted
  • Recipient data (comments and selections) via share links is also deleted

6. Security

The Service implements the following security measures.

  • HTTPS encryption for all communications
  • Virus and malware scanning on all uploaded files
  • Row-level security (RLS) for data access control
  • Security headers (CSP, HSTS, X-Frame-Options, etc.)
  • Blocking viewing and downloading of infected files

7. Cookies and localStorage

The Service uses cookies and localStorage for the following purposes.

  • Authentication session: Maintaining login state (managed by the authentication system)
  • Anonymous session ID: File selection feature on share pages (no account required). Stored in localStorage and sent to the server

No cookies are used for advertising purposes.

8. Your Rights

You have the following rights.

  • Request disclosure, correction, or deletion of personal information we hold
  • View and change your information through account settings
  • Delete your account (Settings → Account → Delete Account)

9. Contact

For questions about this Policy or requests regarding your personal information, please contact us at:

work@nestory-japan.com

10. Changes to This Policy

This Policy may be updated without prior notice. In the event of significant changes, we will notify you within the Service or by email. Continued use of the Service after changes constitutes acceptance of the revised Policy.