Privacy Policy
Last updated: March 28, 2026
1. Introduction
Redstick AI, Inc. ("we", "us", or "our") operates the redstick.ai platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service, in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Data Controller
Redstick AI, Inc. is the data controller for personal data processed through the Service. Each tenant (workspace) acts as an independent data controller for the data they upload or generate within their workspace.
3. Information We Collect
- Account data: email address, display name, and an Argon2id password hash (we never store the password itself) when you create an account.
- Session data: IP address, user agent, and timestamps for authentication and security monitoring.
- Audit logs: records of security-relevant events (logins, password changes, role changes) for compliance and security.
- Billing data: we use Stripe to process payments. We store your Stripe customer ID and subscription status but never store credit card numbers or full payment details.
- API keys: third-party provider keys you configure are encrypted at rest using AES-256-GCM.
- Project data: code, files, and execution outputs you create within your workspace.
4. How We Use Your Information
- To provide, maintain, and improve the Service.
- To authenticate you, manage sessions, and enforce access controls.
- To process payments and manage your subscription via Stripe.
- To monitor security events, detect threats, and maintain audit trails.
- To send transactional emails (password resets, invitations) and the notifications you have opted into.
- To comply with legal obligations and respond to lawful requests.
5. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): account data, project data, and billing data necessary to provide the Service.
- Legitimate interest (Art. 6(1)(f)): session data, audit logs, and security monitoring to protect the Service and its users.
- Consent (Art. 6(1)(a)): optional notification preferences and marketing communications.
- Legal obligation (Art. 6(1)(c)): audit logs required for compliance purposes.
6. Data Retention
- Account data: retained for the lifetime of your account plus a 30-day deletion grace period.
- Session data: automatically expires after 7 days.
- Audit logs: retained for 365 days, then automatically purged.
- Billing data: retained as required by tax and accounting regulations.
7. Data Sharing & Third Parties
We do not sell your personal data. We share data only with:
- Stripe: for payment processing (PCI DSS Level 1 compliant).
- AI providers (Anthropic, OpenRouter): the API keys you configure are used to execute agent tasks on your behalf. Project context from your workspace (code, files, and execution outputs) may be sent to these providers during agent execution and is subject to their own privacy terms.
- Email service provider: for transactional email delivery.
8. Your Rights
Under GDPR, CCPA, and other applicable laws, you have the right to:
- Access: request a copy of your personal data via your profile settings (Export Data).
- Rectification: update your profile information at any time.
- Erasure: delete your account and associated data via your profile settings (Delete Account).
- Portability: export your data in a machine-readable JSON format.
- Object: opt out of non-essential data processing.
- Restrict processing: request limitations on how we process your data.
9. Security
We implement industry-standard security measures, including:
- AES-256-GCM encryption for secrets at rest (such as the provider API keys you configure).
- TLS for all data in transit.
- Argon2id password hashing.
- Multi-factor authentication (TOTP).
- Row-level security (RLS) in the database for tenant isolation.
- HMAC-chained, tamper-evident audit logs.
10. Cookies
We use only strictly necessary cookies for authentication and security. See our Cookie Policy for details.
11. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@redstick.ai.