Stele

§ Legal

Privacy Policy

The short version: your documents are yours, they are processed inside the same edge network that stores them, we never train models on them, we set exactly one cookie, and we sell nothing about you to anyone.

Effective date: 13 July 2026 · Version 1.0

1. Who we are and what this covers

This policy explains how STELE Technologies (“STELE”, “we”) handles personal information when you visit our websites, create an account, or use the STELE platform (the “Service”). It should be read with our Terms of Service and, for business customers, our Data Processing Addendum.

Two roles matter. For account data — who you are, your plan, your usage — we act as the controller. For Customer Content — the documents you upload and the data extracted from them — we act as your processor: we process it only to provide the Service and on your instructions. If someone else’s personal data appears inside documents you upload, the organisation that uploaded them is responsible for having a lawful basis to do so.

2. Information we collect

CategoryExamplesSource
Account dataEmail address, salted password hash (we never store plaintext passwords), plan, workspace roleYou, at signup
Customer ContentUploaded documents and images, extracted fields, confidence scores, your review corrections, chat questionsYou, through use of the Service
Usage and telemetryRequest logs (timestamps, request IDs, status codes), page counts against your plan budget, model latency and outcome metricsGenerated by the Service
Billing dataSubscription status, invoice history, last four card digits and card brandStripe, our payment processor — full card numbers never touch our systems
Support communicationsEmails you send us and our repliesYou

We do not collect advertising identifiers, we do not run third-party analytics or tracking pixels, and we do not buy data about you.

3. How we use information

  • To provide the Service — parsing, classifying, and extracting your documents; building your semantic index; answering your chat queries; producing dashboards and forecasts.
  • To operate accounts and billing — authentication, plan entitlements, page budgets, invoicing via Stripe.
  • To secure the Service — rate limiting, abuse detection, audit logging, incident investigation.
  • To improve the Service — aggregate, de-identified metrics (latency, failure rates, feature usage). Improvement never involves training models on Customer Content.
  • To communicate — service and security notices, billing receipts, and replies to your requests. We send marketing email only with consent, and every marketing email has a working unsubscribe.

Where the GDPR or UK GDPR applies, our lawful bases are contract performance (providing the Service), legitimate interests (security, service improvement), consent (marketing), and legal obligation (tax and accounting records).

4. How AI processing works

Documents are parsed and analysed by machine-learning models hosted inside our infrastructure provider’s edge network — the same network where your documents are stored. Your content is not sent to external AI providers such as OpenAI, Anthropic, or Google. We do not use Customer Content to train machine-learning models. Corrections you make in the review inbox are stored in your workspace and used only as reference examples for future extractions in your own account. Every AI extraction and human correction is recorded in an append-only audit ledger you can query.

5. Cookies

We set exactly one cookie:

CookiePurposeTypeLifetime
stele_sessionKeeps you signed in. HttpOnly, Secure, SameSite — unreadable by scripts and never used for tracking.Strictly necessary30 days or until sign-out

No analytics cookies, no advertising cookies, no cross-site tracking. Because the only cookie is strictly necessary, no cookie banner is required — and you will not see one.

6. When we share information

We share personal information only with the subprocessors needed to run the Service, with parties you direct us to share with, and where the law requires it. We do not sell or rent personal information, and we do not share it for cross-context behavioural advertising.

RecipientRoleWhat they process
Cloudflare, Inc. (USA)Infrastructure: compute, object storage, database, queues, vector index, AI inferenceAll Service data, encrypted in transit and at rest
Stripe, Inc. (USA)Payment processingBilling identity and payment details for paid plans

If we are compelled by law to disclose data, we will — unless legally prohibited — notify you before disclosing, and will challenge overbroad requests. If STELE is involved in a merger or acquisition, this policy continues to apply to data collected before the change, and we will notify you before a materially different policy applies.

7. International transfers

Our infrastructure is a globally distributed edge network; documents are processed at the edge location nearest their storage. Where personal data originating in the EEA, UK, or Switzerland is transferred to countries without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK safeguards, as detailed in the DPA.

8. Retention

  • Customer Content — retained while your account is active. Deleting a document removes the stored object, extraction record, and vector entries; residual copies in encrypted backups expire within 35 days.
  • Account data — retained while your account exists and deleted within 30 days of account closure, except records we must keep (e.g. invoices) for statutory periods.
  • Audit ledger — extraction and correction events are retained for the life of the workspace to preserve auditability; they are deleted with the workspace.
  • Request logs and telemetry — retained up to 90 days, then deleted or irreversibly aggregated.

9. Security

All traffic is encrypted with TLS; stored objects and databases are encrypted at rest. Passwords are hashed with PBKDF2 (100,000 iterations, per-user salt); session tokens are stored only as SHA-256 hashes. Workspaces are tenant-isolated at the query layer, uploads are rate-limited and validated, and every privileged action lands in the audit ledger. No system is perfectly secure — if we learn of a breach affecting your personal data, we will notify you without undue delay, consistent with applicable law. Security researchers can reach us at security@stele.example.

10. Your rights

Depending on where you live — including under the New Zealand Privacy Act 2020, the GDPR/UK GDPR, and US state privacy laws such as the CCPA/CPRA — you may have rights to access, correct, delete, export, restrict, or object to the processing of your personal information, and to withdraw consent. You will not be discriminated against for exercising them.

  • Most requests are self-serve: export via the API and dashboard, deletion via document delete and account closure.
  • For anything else, email privacy@stele.example. We respond within 30 days (or the shorter period your law requires) and may need to verify your identity.
  • If your data reached us inside another organisation’s documents, we will refer your request to that organisation, as the law contemplates for processors.
  • You may complain to your supervisory authority — in New Zealand, the Office of the Privacy Commissioner (privacy.org.nz); in the EEA, your national data protection authority.

11. Children

The Service is for business use and not directed at anyone under 18. We do not knowingly collect personal information from children; if you believe a child has provided us data, contact us and we will delete it.

12. Changes to this policy

We will post any changes here and update the effective date. For material changes we will notify you by email or in-product at least 30 days in advance. Archived versions are available on request.

13. Contact

Privacy questions and requests: privacy@stele.example
STELE Technologies — Data Protection