Privacy Policy
Effective: July 4, 2026 Version: 0.2 (closed-beta draft)
This Privacy Policy explains how STND ("we," "us") collects, uses, and protects your information when you use stnd-os (the "Service"). By using the Service, you agree to this policy.
1. What we collect
To provide the Service, we collect:
You give us directly:
- Account info: email, name (optional), and a password (stored only as a hash by our authentication provider)
- Business context: your business name, niche description, brand guidelines, goals (in your words; free-text)
- Instagram connection: when you connect your Instagram account via Zernio, we receive a Zernio account identifier and can request data from your connected Instagram account on your behalf (profile, posts, performance metrics)
We collect automatically:
- Usage data: which features you use, when, error events (via PostHog and Sentry, when enabled)
- LLM interaction data: your conversations with the agent, including the messages you send and receive (via Helicone for cost + quality monitoring, when enabled)
- Followed-account data: the public Instagram accounts you choose to follow, and public data about those accounts (profile, posts, engagement) — collected via ScrapeCreators and/or RocketAPI
From people who message your connected account:
- Direct messages: if you use the DM assistant, we store inbound Instagram direct messages sent to your connected account — the sender's Instagram ID, username, display name, and message text — to maintain conversation context and (when you enable it) generate replies on your behalf. Senders are typically not users of the Service; a sender may request deletion of their message data at privacy@stnd.store.
We do NOT collect:
- Payment card details directly (Stripe holds these when we add billing)
- Health information, biometric data, or other sensitive categories beyond what's needed for the Service
- Data about non-users beyond what's publicly visible on Instagram — with the one exception of direct messages sent to your connected account, described above
2. How we use it
We use the data above to:
- Provide the Service (research, analysis, content generation, recommendations)
- Improve the Service (anonymized usage metrics, error monitoring)
- Communicate with you (account emails, feature notifications)
- Comply with legal obligations
We do NOT:
- Sell your data to advertisers or data brokers
- Use your conversations or generated content to train third-party AI models without your explicit consent
- Share data with other users (multi-tenancy is enforced at the database layer via Row-Level Security)
3. Who we share with
We share data only with service providers that help us operate the Service. Each receives only the minimum data they need:
We do not share with anyone else without your consent, except as required by law.
4. How long we keep it
- Account data: for as long as your account is active
- Conversation history: for as long as your account is active (you may delete individual conversations anytime)
- Public Instagram data (profiles, posts, engagement of accounts you or other users follow): this is public data, not your personal data — it enters a shared research corpus and is retained after you unfollow an account or delete your own account
- Direct-message data (sender identity + message text): retained while your account is active; senders may request deletion anytime (see §1)
- Anonymized usage metrics: retained indefinitely for product improvement
- Account deletion: deleting your account in Settings removes your personal data — account, business context, brand documents, conversations, drafts, usage records — immediately. Public Instagram corpus data (above) and connection identifiers held by our Instagram connection provider (Zernio) are not personal account data and may persist.
5. Your rights
You can:
- Access your data — request a copy at privacy@stnd.store
- Correct inaccuracies — edit directly in the app or contact us
- Delete your account and personal data — directly in Settings, or request at privacy@stnd.store; processed within 30 days
- Export your data — request at privacy@stnd.store
- Opt out of usage analytics — contact us at privacy@stnd.store
Residents of California, the EEA, the UK, and similar jurisdictions have additional rights under applicable law (e.g., GDPR, CCPA). Contact us to exercise them.
6. Security
We protect your data with:
- HTTPS encryption in transit
- Encryption at rest (via Supabase)
- Multi-tenant isolation via database Row-Level Security
- Industry-standard authentication
- Limited internal access on a need-to-know basis
We are not perfect; in the unlikely event of a breach affecting your data, we will notify you within 72 hours of discovery.
7. Cookies and tracking
We use essential cookies for authentication and session management. We do not use cross-site tracking or third-party advertising cookies. Our analytics provider (PostHog) uses a first-party identifier; contact us to opt out of usage analytics.
8. Children
The Service is not intended for users under 18 and we do not knowingly collect data from anyone under 18.
9. Changes
We may update this policy. Material changes will be communicated by email at least 30 days before they take effect.
10. Contact
Privacy questions or requests: privacy@stnd.store
A specific governing jurisdiction for this policy will be designated when STND incorporates and announced per §9 (Changes). Nothing in this policy limits mandatory protections you have under the law of your place of residence.