Privacy Policy

1. Operator

Stafr is operated by Stafr, Inc., a Delaware corporation. Contact: joi@stafr.app

2. Information We Collect

Information You Provide

• Email address and account credentials (via Firebase Authentication)
• Workspace name and billing information
• Job specifications and AI worker configurations
• Integration credentials (SSH keys, API keys) — stored encrypted via our credential vault
• Webhook URLs and delivery endpoints you configure

We do not request Social Security numbers or government identification.

Automatically Collected Information

We may collect:

• IP address and device/browser information
• Pages and features used within the dashboard
• Worker activity logs (delivery timestamps, status transitions)
• Usage timestamps and session metadata

Cookies

We use cookies and similar technologies to maintain your authenticated session and enable core platform functionality. These are session-essential cookies — we do not use advertising cookies or cross-site tracking.

3. How We Use Information

We use your information to:

• Provision and operate your AI workers
• Write configuration files to your worker infrastructure via SSH
• Process payments and manage your subscription
• Send service-related emails (delivery alerts, billing notices)
• Detect abuse, enforce rate limits, and ensure service integrity
• Improve the platform using aggregated, anonymized usage data

Stafr does not sell personal information.

4. Credential Security

Integration credentials (SSH private keys, API tokens) are stored via Infisical, a dedicated secrets management service. Stafr retrieves plaintext credentials from Infisical only at the moment of use — when writing configuration to your worker infrastructure — and does not persist plaintext credentials in its primary database or return them in API responses.

Webhook secrets are used only for inbound request signature validation and are never exposed in API responses.

5. Data Storage and Security

Data is stored using:

• Firebase / Google Cloud — authentication
• Railway — application hosting and managed PostgreSQL database
• Infisical — encrypted credential vault

Security measures include:

• Encryption in transit (TLS) on all connections
• Encrypted credential storage via Infisical
• Workspace-scoped access control — all data queries are scoped to your workspace
• Firebase Authentication — tokens verified server-side on every request

No system can be guaranteed completely secure.

6. Data Retention and Deletion

We retain your data while your account is active.

When you delete your account:

• Your workspace data, worker configurations, and credentials are permanently deleted
• Backup copies may persist for up to 30 days as part of standard infrastructure operations

You may request a full export of your account data before deletion by contacting joi@stafr.app.

7. Third-Party Data Processing

The following providers process data as part of delivering the Service. Infrastructure providers are subject to data processing terms:

• Firebase / Google Cloud — authentication
• Stripe — payment processing (billing information)
• Railway — application hosting and managed PostgreSQL database
• DigitalOcean — worker compute infrastructure (AI worker VPS instances)
• Infisical — encrypted credential vault

The following AI model providers operate under their own independent terms and privacy policies. Job specification content you submit may be processed by these providers as part of quality gate evaluation and job refinement features:

• Anthropic — language model inference
• Google — language model inference

We encourage you to review the privacy policies of these providers if you have concerns about how they handle data submitted through their APIs.

8. Data Breach Notification

In the event of a data breach that affects your personal information, Stafr will notify you without undue delay in accordance with applicable law. Notification will be sent to the email address associated with your account and, where required, to applicable regulatory authorities.

9. California Privacy Rights (CCPA)

California residents may request:

• Access to personal information we hold about them
• Deletion of personal information
• Information about how their data is shared or used
• Correction of inaccurate personal information

To make a request, contact: joi@stafr.app

Stafr does not sell or share personal information for cross-context behavioral advertising.

10. EEA and UK Users (GDPR)

If you are located in the European Economic Area or the United Kingdom, the following applies:

Legal Basis for Processing

• Contract performance — processing necessary to provide the Service you have subscribed to
• Legitimate interests — fraud prevention, service integrity, aggregated analytics
• Legal obligation — compliance with applicable laws

Your Rights

You have the right to:

• Access, correct, or delete your personal data
• Restrict or object to processing
• Request data portability
• Lodge a complaint with your local supervisory authority

International Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. We take commercially reasonable steps to ensure such transfers comply with applicable data protection law.

To exercise your rights or for questions about our legal basis for processing, contact: joi@stafr.app

11. Children's Privacy

The Service is intended for individuals 18 years or older. We do not knowingly collect information from anyone under 18. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you via email or in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy. For changes that materially affect how we process your personal data, we will seek your affirmative consent where required by law.

13. Contact

For privacy questions, data requests, or legal notices: joi@stafr.app