Privacy Policy
What we collect, why, how we store it, and what you can do about it. No dark patterns — same posture inside the product as on this page.
Last updated: 2026-05-15.
Who collects what
Stash-Staging-Env is the data controller for everything you upload (boxes, items, photos, tags, room layouts) and everything we observe about your account (sign-in email, IP, audit log, usage meters). The sub-processors we hand data to are listed at /about/sub-processors.
Data we hold
- Identity: the email from your OAuth provider (Google by default), tenant membership, role.
- Inventory content: box / item names, notes, tags, room positions, floorplan images, item photos.
- Audit log: structured records of every mutation in the system, attributed to the actor and tenant. Used for incident response + your own change-tracking.
- Usage meters: AI call counts, upload byte totals, daily AI-cost figures. Drives the quota system and the cost-transparency block in /usage.
- Stripe customer + subscription IDs for paid tenants. Card details live entirely with Stripe.
How we secure it
- Encryption at rest. Item photos and thumbnails are encrypted with a per-tenant data-encryption key wrapped by a deployment-wide key-encryption key. DB columns (names, notes, tags) stay cleartext for searchability in v1.
- Transport. Everything in production rides over HTTPS; the bearer-auth surface refuses non-HTTPS requests for non-localhost.
- Tenant isolation. Every database query enforces a tenant_id filter; cross-tenant probes 404 by design (no information disclosure).
- Auditability. Every mutation writes a row to the audit log with the actor, action, target, and a structured metadata blob.
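As an added illustration of the two items above (a per-tenant data-encryption key wrapped by a deployment-wide key-encryption key, and a lookup that is always scoped by tenant so cross-tenant probes come back not-found), here is a small Go program. It is example code written for this page, not the service's own implementation: it assumes AES-256-GCM for both layers and an in-memory store, neither of which the policy specifies, and the KEK, tenant IDs and photo bytes are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ErrNotFound covers a missing photo and another tenant's photo alike, so a cross-tenant probe learns nothing.
var ErrNotFound = fmt.Errorf("not found")

// aeadFor builds an AES-GCM AEAD; a 32-byte key selects AES-256 (assumed cipher, not stated by the policy).
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here; every key in this example is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts under a fresh random nonce and returns nonce||ciphertext||tag; aad binds the blob to its context.
func seal(a cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in current Go
	return a.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or a flipped bit fails closed.
func open(a cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := a.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return a.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Store is a hypothetical in-memory photo store: one deployment-wide KEK, per-tenant DEKs held only wrapped.
type Store struct {
	kek        cipher.AEAD
	wrappedDEK map[string][]byte            // tenant ID -> DEK sealed under the KEK
	photos     map[string]map[string][]byte // tenant ID -> photo ID -> sealed JPEG bytes
}

func NewStore(kek []byte) *Store {
	return &Store{aeadFor(kek), map[string][]byte{}, map[string]map[string][]byte{}}
}

// CreateTenant generates a fresh 256-bit DEK and keeps only its wrapped form, with the tenant ID as AAD.
func (s *Store) CreateTenant(id string) {
	dek := make([]byte, 32)
	rand.Read(dek)
	s.wrappedDEK[id] = seal(s.kek, dek, []byte(id))
	s.photos[id] = map[string][]byte{}
}

// tenantAEAD unwraps one tenant's DEK for the duration of a single operation.
func (s *Store) tenantAEAD(id string) (cipher.AEAD, error) {
	wrapped, ok := s.wrappedDEK[id]
	if !ok {
		return nil, ErrNotFound
	}
	dek, err := open(s.kek, wrapped, []byte(id))
	if err != nil {
		return nil, err
	}
	return aeadFor(dek), nil
}

// PutPhoto seals the photo under the tenant's DEK with tenant/photo as AAD, so a blob copied into another tenant's slot does not decrypt there.
func (s *Store) PutPhoto(tenantID, photoID string, jpeg []byte) error {
	a, err := s.tenantAEAD(tenantID)
	if err != nil {
		return err
	}
	s.photos[tenantID][photoID] = seal(a, jpeg, []byte(tenantID+"/"+photoID))
	return nil
}

// GetPhoto looks up by (tenant, photo), never by photo alone: that is the tenant_id filter, and another tenant's photo ID is simply not found.
func (s *Store) GetPhoto(tenantID, photoID string) ([]byte, error) {
	sealed, ok := s.photos[tenantID][photoID]
	if !ok {
		return nil, ErrNotFound
	}
	a, err := s.tenantAEAD(tenantID)
	if err != nil {
		return nil, err
	}
	return open(a, sealed, []byte(tenantID+"/"+photoID))
}

func main() {
	s := NewStore([]byte("constructed-32-byte-kek-for-demo")) // constructed; a real KEK comes from a KMS
	s.CreateTenant("tenant-a")
	s.PutPhoto("tenant-a", "photo-1", []byte("constructed JPEG bytes"))
	_, err := s.GetPhoto("tenant-b", "photo-1")
	fmt.Println("cross-tenant lookup:", err) // not found
}
```

Two design points worth noticing: the stored table holds only the wrapped DEK, so rotating the KEK means re-wrapping a few small keys rather than re-encrypting every photo, and the tenant/photo identifiers ride along as authenticated data, so a ciphertext lifted from one tenant's row and dropped into another's refuses to open even before any access-control check runs.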
Your rights (GDPR + similar)
- Access (Article 15): the in-app "Download my data" link on /usage returns a readable SQLite + decrypted-JPEG zip of everything in your tenant.
- Portability (Article 20): same zip, same link. The format is standard SQLite + JPEG, so any tool that reads either format can consume it.
- Rectification (Article 16): edit any row in the app directly, or email us if you need help.
- Erasure (Article 17): account deletion via support@stash.swampcats.life or the operator-mediated tenant hard-delete. 30-day soft-delete grace, then permanent removal from primary storage + backups.
- Restriction (Article 18): suspend processing while a request is being investigated — contact support@stash.swampcats.life.
- Objection / withdrawal of consent: cancel your subscription and request deletion.
Cookies
We use a single cookie set by our OAuth identity proxy (Google sign-in session) and an optional active_tenant cookie for multi-tenant users. No third-party advertising or analytics cookies. We do not sell or share data with advertisers, period.
Retention
- Account + tenant data: kept while your account is active. Cancelling does not delete; explicit deletion does.
- Soft-deleted tenants: 30 days, then hard-deleted by an operator. Backups containing the tenant age out within the configured B2 retention window (default 90 days).
- Audit log: retained indefinitely while the account is active (incident-response usefulness). Cleared on tenant hard-delete.
Breach notification
If we experience a data breach affecting your personal data, we'll notify you within 72 hours of discovery, including what we know about the scope and our remediation status. This is a GDPR Article 33/34 obligation; we treat it as a hard commitment regardless of jurisdiction.
Contact
Privacy questions: support@stash.swampcats.life. For formal data-subject requests, include the relevant article number in the subject line so we route it correctly.