Privacy Policy.

Last updated April 10, 2026. Short version: we collect what we need, we don't sell it, and we delete it when you ask.

1. What we collect

We collect three categories of data:

  • Account data — email, name, organization, hashed password, API keys
  • Product data — action proposals, policy evaluations, execution receipts, audit trail entries
  • Usage data — logs, metrics, and request traces for operating the Service

2. How we use it

We process your data only to:

  • Provide, operate, and improve the Service
  • Enforce the policies and receipts you configure
  • Send service-related announcements (outages, security, billing)
  • Respond to support requests
  • Comply with legal obligations

3. What we don't do

  • We do not sell your data to third parties
  • We do not use your action payloads to train AI models
  • We do not read your private data outside of support requests you initiate
  • We do not share data with advertisers

4. Data retention

Account data is retained while your account is active. Product data (receipts, audit entries) is retained according to your plan's retention window, minimum 90 days. Deleted data is purged from all backups within 30 days.

5. Data location

By default, data is stored in US data centers. Enterprise customers may choose EU residency. Self-hosted deployments keep all data on your own infrastructure.

6. Your rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to certain processing activities

To exercise any of these rights, email privacy@statis.dev.

7. Cookies

We use essential cookies for authentication and session management. We do not use advertising cookies or third-party trackers. We use privacy-respecting analytics (Plausible) that do not use cookies or collect personal data.

8. Subprocessors

We use a small set of vetted infrastructure providers:

  • Neon — primary database (PostgreSQL)
  • Render — API hosting
  • Vercel — console and landing hosting
  • Resend — transactional email

We update this list as it changes. The current list is always available at statis.dev/privacy.

9. Security

See our Security page for details on how we protect your data in transit, at rest, and in incident response.

10. Changes

We may update this policy. Material changes will be announced at least 30 days before taking effect.

11. Contact

Privacy questions? Email privacy@statis.dev.