Legal

Privacy Policy

Last updated: 29 May 2026

01

What we collect

  • Account info — email, name, optional avatar, timezone.
  • Work content — everything you put in projects, work items, comments, attachments, queries.
  • Usage metadata — pages visited, API and MCP call counts, errors, request timing. Used to run the service and debug issues.
  • Security & audit logs — for accountability and abuse prevention we record significant actions taken within an organization, including the acting user and the IP address the request came from.
  • Billing info — handled by Stripe. We store a customer reference; we do not see your card details.
  • GitHub data — only if you connect a repo; only the events we need to auto-transition work items.
02

What we don’t do

  • We don’t sell your data.
  • We don’t train AI models on your content.
  • We don’t run analytics cookies or tracking pixels.
03

Legal bases (GDPR Art. 6)

  • Contract — to provide the account and service you signed up for.
  • Legitimate interests — to keep the service secure, prevent abuse, and maintain audit logs.
  • Legal obligation — e.g. retaining billing records required by tax law.
  • Consent — only where we explicitly ask for it. We don’t currently rely on consent for anything.
04

Third-party processors

  • Hetzner Cloud — hosting and Postgres database. Germany (EU).
  • Amazon Web Services (SES) — transactional email (sign-in links, invites, billing). Frankfurt (EU).
  • Stripe — billing and payments. USA.
  • Backblaze — encrypted off-site backups. USA.
  • Healthchecks.io — monitoring pings for our backup jobs (no customer content). USA.

These are data processors acting on our behalf; we only send them what’s needed for the function they provide. Our error tracking is self-hosted on our own server in Germany — error reports are not sent to a third party. See the full sub-processor list for locations and transfer mechanisms.

05

International transfers

Our database, attachments, email provider, and error tracking are in the EU. Stripe, Backblaze, and Healthchecks.io are in the USA; those transfers rely on the EU Standard Contractual Clauses and, where available, the EU–US Data Privacy Framework.

06

AI / MCP clients

You can connect an MCP client to Stori. When you do, the client authenticates against Stori and reads/writes data on your behalf. Stori doesn’t call any AI provider server-side — the LLM runs in your client. What you send to the model goes to that provider under their terms, not ours.

07

Retention and deletion

We keep your data as long as your account exists. To delete your account, use the danger zone in your account settings (or email us) — we purge within 30 days (backups roll off within 90). Security and audit logs are kept as long as needed for security and accountability.

08

Cookies

Session cookie only — required to keep you signed in. No tracking, no marketing, no third-party pixels.

09

Your rights (GDPR / similar)

Access, correction, deletion, portability, and objection — email us and we’ll act within 30 days. You can also export most of your data yourself via the REST API / MCP. You have the right to lodge a complaint with a supervisory authority — for us that’s the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI).

10

Contact

Controller: Johannes Nanninga — full details in the Impressum.

hey@stori.zone.