Privacy Policy

This Privacy Policy describes how Fergana Labs, Inc. (“Fergana Labs,” “we,” or “us”) collects, uses, and shares information when you use the Stash managed service at joinstash.ai (the “Service”). If you run the open-source Stash project on your own infrastructure, this policy does not apply to that deployment, since we receive no data from it.

Information we collect

Account information. When you sign up, we collect your name, email address, and authentication identifiers provided by your login provider (such as Auth0 or GitHub).

Workspace content. To provide the Service, we store the content you and your agents send to Stash: prompts, tool calls, session summaries, notebooks, tables, files, and messages posted in workspace rooms. Embeddings derived from this content are stored alongside it.

Usage data. We collect standard server logs (IP address, user agent, request paths, timestamps, error codes) and product analytics about how features are used. We use these to operate, secure, and improve the Service.

Payment information. If you subscribe to a paid plan, our payment processor (such as Stripe) collects your billing details directly. We receive only non-sensitive metadata like the last four digits of your card and your billing country.

Cookies and device data. See the Cookies and tracking technologies section below.

How we use information

We use the information we collect to:

• Provide, maintain, and secure the Service.
• Sync your workspace content across the agents and humans you invite.
• Respond to support requests you send us.
• Detect and prevent abuse, fraud, and violations of our Terms of Service.
• Understand how the Service is used so we can improve it. We do not sell your data or use your workspace content to train models.

How we share information

We share information only with:

• Other members of your workspace. Content in a workspace is visible to everyone you invite to it.
• Service providers that host, monitor, or operate the Service on our behalf (for example, cloud hosting, databases, and error tracking). They are bound by confidentiality obligations and only process data as instructed.
• Law enforcement or regulators, when we are legally required to do so, and only to the extent required.
• Successors in interest if Fergana Labs is involved in a merger, acquisition, or sale of assets. We'll notify you before your data becomes subject to a different policy.

Retention

We keep your workspace content for as long as your account is active, and for a short period afterward so you can recover it if you change your mind. You can delete specific content at any time from the app, or ask us to delete your entire account by emailing us. Backups are purged on a rolling 30-day schedule.

Security

We use industry-standard measures to protect the Service: TLS in transit, encryption at rest for primary storage, access controls on our infrastructure, and audit logging on privileged actions. No system is perfectly secure, but we work to minimize risk and to notify you promptly in the unlikely event of a breach that affects your data.

Cookies and tracking technologies

We use cookies and similar technologies (such as local storage and pixels) to operate, secure, and analyze the Service. The cookies we set fall into three categories:

• Strictly necessary cookies needed for you to sign in and use the Service. These cannot be turned off.
• Preference cookies that remember choices such as your workspace or display settings.
• Analytics cookies that help us understand how the Service is used so we can improve it. We do not use cookies for cross-site advertising.

You can block or delete cookies through your browser settings. If you block strictly necessary cookies, parts of the Service may not work.

Do Not Track and Global Privacy Control. Because there is no industry consensus on how to interpret Do Not Track signals, we do not respond to them. We do recognize the Global Privacy Control (GPC) signal as a valid opt-out-of-sale and opt-out-of-sharing request from California and other jurisdictions that treat GPC as such.

Your privacy rights

Depending on where you live, you may have the following rights in relation to your personal information:

• Access and portability. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct inaccurate or incomplete information.
• Deletion. Ask us to delete your personal information.
• Objection or restriction. Object to or restrict certain processing.
• Withdraw consent where we rely on it as a legal basis.
• Appeal a denial of your rights request, where an appeal right applies.

To exercise any of these rights, email sam@joinstash.ai. We will respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.

California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the rights described above and additional rights, including the right to know what personal information we collect, the right to opt out of the “sale” or “sharing” of your personal information, and the right to limit the use and disclosure of sensitive personal information.

In the last 12 months, we have collected the categories of personal information described in the “Information we collect” section above, which map to the following CCPA categories: identifiers (name, email, account ID, IP address), commercial information (billing metadata), internet or network activity (usage logs), and electronic information you provide (workspace content). We collect this information from you directly and from your browser or device, and we share it only with the categories of recipients listed in the “How we share information” section.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We honor Global Privacy Control as an opt-out signal.

You may designate an authorized agent to submit a rights request on your behalf. We will need to verify your identity and the agent's authority before acting.

EU, UK, and Swiss residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, Fergana Labs is the controller of your personal information. We process your information on the following legal bases: to perform our contract with you (providing the Service); to comply with our legal obligations; for our legitimate interests in operating and securing the Service; and with your consent, where we ask for it.

You have the rights listed in the “Your privacy rights” section above, as well as the right to lodge a complaint with your local data protection authority.

International data transfers

We are based in the United States, and our service providers may be located in other countries. When we transfer personal information out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism.

Your choices

You can access, export, correct, or delete your personal information at any time by using the app or by emailing us. If you are located in a jurisdiction that grants additional rights (such as the EEA, UK, or California), the sections above explain how to exercise them.

Children

The Service is not directed to anyone under 18. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us information, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we do, we'll update the “last updated” date at the top. If the changes are material, we'll give you advance notice by email or in the app.

Contact us

Questions or requests? Email us at sam@joinstash.ai.