stn.
Get Started Free

Privacy Policy

Last updated: June 7, 2026 · Effective: June 7, 2026

This Privacy Policy explains how stndp ("we", "us", or "our") collects, uses, and protects your personal information when you use the CLI, API, web dashboard, and website at stndp.io (the "Service"). The Service is operated by an individual developer based in Israel, who acts as the data controller for your personal information. A full legal name and postal address are available on request at support@stndp.io.

We are committed to handling your data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Israel's Protection of Privacy Law (PPL), and the Australian Privacy Act.

1. Information We Collect

  • Account data — your email address, used for authentication and account-related communication.
  • Operational data — the entries, decisions, checkpoints, episodes, and other context you create and submit through the Service.
  • Technical data — your IP address and similar connection metadata.
  • Telemetry / usage data — usage metrics about how the Service is used, to help us operate and improve it.
  • Payment data — handled exclusively by Dodo Payments. We do not collect or store your card or payment account details (see our payment processor below).

We practice data minimization: we collect only what is necessary to provide the Service.

1a. Optional Capture Sources (Off by Default)

To make your context richer, stndp can capture additional signals from your work environment. Every one of these sources is off by default, opt-in per user, and can be hard-disabled for an entire organization by an administrator. When an org hard-off is set, the capture is blocked for everyone regardless of individual settings. Where content is captured, secrets are redacted client-side before anything is uploaded.

  • Shell history capture (stn checkpoint --shell) — opt-in. Recent shell commands are attached to a checkpoint, with secrets and tokens redacted on your machine before upload.
  • AI-session capture (--ai-session) — opt-in. The AI agent's own prompts and actions during a session are saved to a private checkpoint visible only to you unless you choose to share it.
  • Git snapshots attached to checkpoints and entries — branch and commit metadata, redacted of remote credentials. These are off by default for team-visible pushes.
  • Embeddings of content — content may be vectorized so you can search it semantically. Private content is never embedded when your organization has opted out, and embeddings are computed locally by default. Hosted embedding providers are used only if your operator configures one (see Section 4).

1b. Third-party Integrations & Tokens

You can connect GitHub, Jira, and Slack to enrich your context. These connections are opt-in, made by a team administrator via OAuth, and used on a read-only basis to bring related work into your graph. When connected:

  • What we access — GitHub: titles/status of the pull requests and issues you reference, plus your review queue. Jira: project and issue titles/status. Slack: only messages you explicitly capture (a 📌 reaction or the /stndp capture command) and references to tickets/PRs. We do not read your repositories' source code, and we do not archive entire Slack channels — only what you capture or reference.
  • What we store — the connection's access token, encrypted at rest, and the enriched titles/status of the items you link. Tokens are decrypted only by background workers to fetch that data, never on the public request path.
  • Revoking access — disconnect any integration at any time from your dashboard, or revoke stndp's access directly with the provider (GitHub, Atlassian, or Slack). On disconnect we stop using the token and delete it.

2. How and Why We Use Your Information (Legal Bases)

Under the GDPR/UK GDPR we rely on the following lawful bases:

  • Performance of a contract — to create your account, authenticate you, and deliver the Service (account and operational data).
  • Legitimate interests — to secure, maintain, and improve the Service, and to prevent abuse (technical and telemetry data), balanced against your rights.
  • Consent — for non-essential cookies and analytics/marketing tracking. You may withdraw consent at any time.
  • Legal obligation — to comply with applicable law.

3. Cookies and Analytics

We use Google Analytics for site performance measurement and marketing tracking. These are non-essential cookies and are only set with your prior consent. For full details and how to manage your choices, see our Cookie Notice.

We honor browser-based opt-out signals, including Global Privacy Control (GPC) and Do Not Track, where required by law, and treat a valid GPC signal as a request to opt out of the "sale" or "sharing" of personal information.

4. How We Share Information

We do not sell your personal information. We share data only with trusted service providers who help us operate, support, improve, or market the Service, and only as needed for those purposes. These include:

  • Dodo Payments — payment processing (Merchant of Record).
  • Google Analytics — analytics and marketing measurement.
  • Hosting and infrastructure providers — to run the Service.
  • Anthropic — AI draft-assist and decision-extraction. Content you send for assistance is not used to train models.
  • Atlassian (Jira) and GitHub — ticket and pull-request / CI status enrichment, only when your team connects the integration.
  • Voyage AI or OpenAI (optional) — hosted embeddings, used only if your operator configures a hosted embedding backend instead of the default local embeddings.

The full, current list with each provider's purpose and location is published on our Sub-processors page.

We may also disclose information where required by law or to protect our rights, users, or the public. Under CCPA/CPRA, the use of analytics/advertising cookies may be considered "sharing" for cross-context behavioral advertising; you have the right to opt out (see Section 6).

5. International Data Transfers

We are based in Israel and use service providers that may process data in other countries, including outside the EU/EEA, the UK, and Australia. Where we transfer personal information across borders, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses where required. For Australian users, this means your personal information may be disclosed to overseas recipients, including cloud providers.

6. Your Rights

Depending on where you live, you have some or all of the following rights. To exercise any of them, contact support@stndp.io. We will not discriminate against you for exercising your rights.

EU / UK (GDPR & UK GDPR)

  • Access, rectification, and erasure ("right to be forgotten").
  • Data portability — receive your data in a structured, machine-readable format (supported by the stndp export feature).
  • Restriction of, and objection to, processing.
  • Withdraw consent at any time.
  • Lodge a complaint with your local supervisory authority.

California (CCPA / CPRA)

  • Know what personal information we collect, use, and share.
  • Access, delete, and correct your personal information.
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.
  • Limit the use of sensitive personal information.
  • Non-discrimination for exercising your rights, and the use of an authorized agent.

Israel (PPL)

  • Access your personal information, request its correction, and request its deletion.

Australia (Privacy Act)

  • Access and correct your personal information, and complain about how it is handled.

7. Data Retention

We keep your personal information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account or data, we delete or anonymize it, except for residual copies in routine backups that are removed on our standard cycle.

8. Security

We take reasonable technical and organizational measures to protect personal information, applying security-by-design principles, including encryption and access controls for stored personal data, consistent with the Israeli PPL security regulations. No method of transmission or storage is completely secure, but we work to protect your information from unauthorized access, alteration, or destruction.

9. Data Breach Notification

If a personal data breach occurs, we will notify the relevant supervisory authority and affected users without undue delay and within the timeframes required by applicable law (for example, within 72 hours under the GDPR where feasible).

10. EU / UK Representative

If and where we are required to appoint a representative in the EU or UK, we will publish their contact details here. In the meantime, you may contact us directly at support@stndp.io regarding any privacy matter.

11. Children

The Service is not intended for anyone under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If a change is material, we will make reasonable efforts to notify you. The "Last updated" date above reflects the latest revision.

13. Contact

For any privacy question or to exercise your rights, contact us at support@stndp.io.