§ Legal
Privacy Policy
The short version: your documents are yours, they are processed inside the same edge network that stores them, we never train models on them, we set exactly one cookie, and we sell nothing about you to anyone.
Effective date: 13 July 2026 · Version 1.0
1. Who we are and what this covers
This policy explains how STELE Technologies (“STELE”, “we”) handles personal information when you visit our websites, create an account, or use the STELE platform (the “Service”). It should be read with our Terms of Service and, for business customers, our Data Processing Addendum.
Two roles matter. For account data — who you are, your plan, your usage — we act as the controller. For Customer Content — the documents you upload and the data extracted from them — we act as your processor: we process it only to provide the Service and on your instructions. If someone else’s personal data appears inside documents you upload, the organisation that uploaded them is responsible for having a lawful basis to do so.
2. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, salted password hash (we never store plaintext passwords), plan, workspace role | You, at signup |
| Customer Content | Uploaded documents and images, extracted fields, confidence scores, your review corrections, chat questions | You, through use of the Service |
| Usage and telemetry | Request logs (timestamps, request IDs, status codes), page counts against your plan budget, model latency and outcome metrics | Generated by the Service |
| Billing data | Subscription status, invoice history, last four card digits and card brand | Stripe, our payment processor — full card numbers never touch our systems |
| Support communications | Emails you send us and our replies | You |
We do not collect advertising identifiers, we do not run third-party analytics or tracking pixels, and we do not buy data about you.
3. How we use information
- To provide the Service — parsing, classifying, and extracting your documents; building your semantic index; answering your chat queries; producing dashboards and forecasts.
- To operate accounts and billing — authentication, plan entitlements, page budgets, invoicing via Stripe.
- To secure the Service — rate limiting, abuse detection, audit logging, incident investigation.
- To improve the Service — aggregate, de-identified metrics (latency, failure rates, feature usage). Improvement never involves training models on Customer Content.
- To communicate — service and security notices, billing receipts, and replies to your requests. We send marketing email only with consent, and every marketing email has a working unsubscribe.
Where the GDPR or UK GDPR applies, our lawful bases are contract performance (providing the Service), legitimate interests (security, service improvement), consent (marketing), and legal obligation (tax and accounting records).
4. How AI processing works
Documents are parsed and analysed by machine-learning models hosted inside our infrastructure provider’s edge network — the same network where your documents are stored. Your content is not sent to external AI providers such as OpenAI, Anthropic, or Google. We do not use Customer Content to train machine-learning models. Corrections you make in the review inbox are stored in your workspace and used only as reference examples for future extractions in your own account. Every AI extraction and human correction is recorded in an append-only audit ledger you can query.
5. Cookies
We set exactly one cookie:
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
stele_session | Keeps you signed in. HttpOnly, Secure, SameSite — unreadable by scripts and never used for tracking. | Strictly necessary | 30 days or until sign-out |
No analytics cookies, no advertising cookies, no cross-site tracking. Because the only cookie is strictly necessary, no cookie banner is required — and you will not see one.
6. When we share information
We share personal information only with the subprocessors needed to run the Service, with parties you direct us to share with, and where the law requires it. We do not sell or rent personal information, and we do not share it for cross-context behavioural advertising.
| Recipient | Role | What they process |
|---|---|---|
| Cloudflare, Inc. (USA) | Infrastructure: compute, object storage, database, queues, vector index, AI inference | All Service data, encrypted in transit and at rest |
| Stripe, Inc. (USA) | Payment processing | Billing identity and payment details for paid plans |
If we are compelled by law to disclose data, we will — unless legally prohibited — notify you before disclosing, and will challenge overbroad requests. If STELE is involved in a merger or acquisition, this policy continues to apply to data collected before the change, and we will notify you before a materially different policy applies.
7. International transfers
Our infrastructure is a globally distributed edge network; documents are processed at the edge location nearest their storage. Where personal data originating in the EEA, UK, or Switzerland is transferred to countries without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK safeguards, as detailed in the DPA.
8. Retention
- Customer Content — retained while your account is active. Deleting a document removes the stored object, extraction record, and vector entries; residual copies in encrypted backups expire within 35 days.
- Account data — retained while your account exists and deleted within 30 days of account closure, except records we must keep (e.g. invoices) for statutory periods.
- Audit ledger — extraction and correction events are retained for the life of the workspace to preserve auditability; they are deleted with the workspace.
- Request logs and telemetry — retained up to 90 days, then deleted or irreversibly aggregated.
9. Security
All traffic is encrypted with TLS; stored objects and databases are encrypted at rest. Passwords are hashed with PBKDF2 (100,000 iterations, per-user salt); session tokens are stored only as SHA-256 hashes. Workspaces are tenant-isolated at the query layer, uploads are rate-limited and validated, and every privileged action lands in the audit ledger. No system is perfectly secure — if we learn of a breach affecting your personal data, we will notify you without undue delay, consistent with applicable law. Security researchers can reach us at security@stele.example.
10. Your rights
Depending on where you live — including under the New Zealand Privacy Act 2020, the GDPR/UK GDPR, and US state privacy laws such as the CCPA/CPRA — you may have rights to access, correct, delete, export, restrict, or object to the processing of your personal information, and to withdraw consent. You will not be discriminated against for exercising them.
- Most requests are self-serve: export via the API and dashboard, deletion via document delete and account closure.
- For anything else, email privacy@stele.example. We respond within 30 days (or the shorter period your law requires) and may need to verify your identity.
- If your data reached us inside another organisation’s documents, we will refer your request to that organisation, as the law contemplates for processors.
- You may complain to your supervisory authority — in New Zealand, the Office of the Privacy Commissioner (privacy.org.nz); in the EEA, your national data protection authority.
11. Children
The Service is for business use and not directed at anyone under 18. We do not knowingly collect personal information from children; if you believe a child has provided us data, contact us and we will delete it.
12. Changes to this policy
We will post any changes here and update the effective date. For material changes we will notify you by email or in-product at least 30 days in advance. Archived versions are available on request.
13. Contact
Privacy questions and requests: privacy@stele.example
STELE Technologies — Data Protection