Staxa Privacy Policy

1. Information We Collect

1.1 Account Information

When you register for the Service, we collect:

• Email address: required for account creation and communication.
• Display name: optional, used within the dashboard.
• Authentication data: managed by our authentication provider (Clerk). This includes session tokens and your Clerk user ID. We do not store passwords directly.

1.2 Waitlist Information

If you join our waitlist before or during the beta, we collect:

• Email address: required.
• Source identifier: which page or campaign referred you (e.g., "landing_page," "reddit_ad").
• UTM parameters: campaign tracking data passed via URL, if present.

1.3 Deployment and Configuration Data

When you use the Service to deploy applications, we store:

• Tenant configuration: application name, source type, repository URL, branch, framework, runtime, database engine, resource size, and port settings.
• Environment variables: key-value pairs you provide for your deployments. Values are encrypted at rest using AES-256-GCM before storage in our database. We decrypt these values only when syncing them to your tenant's runtime environment during deployment.
• Build and deployment logs: status, timestamps, error messages, and stage progression for each deployment.
• Domain records: subdomains assigned to your tenants, and any custom domains you configure.

1.4 API Key Data

When you create API keys, we store:

• Key name: a label you assign.
• Key prefix: the first 8 characters of the key, used for identification.
• Key hash: a SHA-256 hash of the full key. We never store the plaintext key after initial creation.
• Metadata: scopes, mode (live/test), creation date, last-used timestamp, and expiration date if set.

1.5 Automatically Collected Information

When you interact with the Service, we may automatically collect:

• IP address: logged in audit records for security purposes.
• User agent: browser and device information included in API requests.
• Usage data: actions performed (e.g., tenant created, deployment triggered, API key generated), recorded in our audit log with timestamps.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Provision and manage your tenant deployments, databases, and domains.
• Authenticate your identity and authorize API requests.
• Communicate with you about the Service, including beta updates, maintenance notices, and responses to support inquiries.
• Monitor platform health, diagnose errors, and improve the Service.
• Detect and prevent abuse, fraud, and security incidents.
• Generate aggregated, non-identifying analytics (e.g., total deployment count, framework popularity) to guide product development.

We do not use your information for advertising, and we do not sell your personal data.

3. Third-Party Services

The Service relies on the following third-party providers, each of which may process your data under their own privacy policies:

Provider	Purpose	Data Shared
Clerk (clerk.com)	Authentication and session management	Email, name, session data
Hetzner (hetzner.com)	Infrastructure hosting (Nuremberg, Germany)	Tenant containers and databases run on Hetzner servers
Cloudflare (cloudflare.com)	DNS management and email routing	Domain records, inbound email to support@staxa.dev
Resend (resend.com)	Transactional email delivery	Recipient email address, email content
Let's Encrypt (letsencrypt.org)	SSL/TLS certificate issuance	Domain names for certificate requests

We select providers that maintain reasonable security practices. However, we are not responsible for the privacy practices of third-party services.

4. Data Storage and Security

(a) Location. Platform data (accounts, tenant configuration, audit logs) is stored in a PostgreSQL database hosted on a Hetzner server located in Germany. Tenant application containers and databases also run on Hetzner infrastructure.

(b) Encryption. Environment variable values are encrypted at rest using AES-256-GCM. The encryption key is stored separately from the database in a Kubernetes Secret. API keys are hashed with SHA-256 before storage.

(c) Isolation. Each tenant deployment runs in its own Kubernetes namespace with dedicated resources, database, and network boundaries.

(d) Access. Access to production infrastructure is restricted to authorized Stackforge Labs personnel. We do not access the content of your deployed applications or tenant databases except as necessary to provide the Service or as required by law.

(e) Beta Caveat. During the beta period, security measures are under active development. While we employ industry-standard encryption and isolation practices, we cannot guarantee that the Service is free from vulnerabilities.

5. Data Retention

(a) Account data is retained for the duration of your account. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate security purposes (e.g., audit logs related to abuse investigations).

(b) Tenant data (containers, databases, environment variables, domains) is deleted when you delete a tenant or your account. Some data may persist in encrypted backups for up to 30 days after deletion.

(c) Audit logs are retained for up to 12 months for security and debugging purposes, after which they are deleted.

(d) Waitlist data is retained until you request removal or the waitlist is closed.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 All Users

• Access: request a copy of the personal data we hold about you.
• Correction: request that we correct inaccurate data.
• Deletion: request that we delete your account and associated data.
• Portability: request your data in a structured, machine-readable format.

To exercise any of these rights, contact us at support@staxa.dev. We will respond within 30 days.

6.2 Jamaica Data Protection Act (DPA) 2020

If you are located in Jamaica, your data is processed in accordance with the Jamaica Data Protection Act, 2020. You have the right to lodge a complaint with the Office of the Information Commissioner of Jamaica if you believe your data rights have been violated.

6.3 European Economic Area (GDPR)

If you are located in the EEA, our legal basis for processing your data is:

• Contract performance: processing necessary to provide the Service you requested.
• Legitimate interests: security monitoring, fraud prevention, and service improvement.
• Consent: where applicable (e.g., marketing communications), which you may withdraw at any time.

You also have the right to restrict processing, object to processing based on legitimate interests, and lodge a complaint with your local data protection authority.

6.4 California (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.

7. Cookies and Tracking

The Service uses essential cookies for authentication and session management (provided by Clerk). We do not use advertising cookies or third-party tracking pixels on the Staxa dashboard.

Our public website (staxa.dev) may use analytics or ad-platform tracking pixels for campaign measurement. These are limited to the public-facing website and do not apply to the authenticated dashboard.

8. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service dashboard. Your continued use of the Service after notification constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Stackforge Labs

Email: support@staxa.dev

Website: https://staxa.dev