Overview
Stoatify (“Stoatify,” “we,” “us,” or “our”) provides a private document vault that lets you upload, organize, search and share your documents on the web and on iOS (the “Service”). This Privacy Policy describes how we handle information when you use the Service.
Our guiding principle is simple: your documents are yours. We do not sell your personal information, we do not use the contents of your documents for advertising, and we do not train AI models on your documents.
Information we collect
Account information
Authentication is handled by our identity provider, Clerk. When you create an account we receive a unique user identifier and basic profile details such as your email address and name. We never see or store your password.
Documents and content you provide
When you upload a document, image, or note, we store the file and the metadata you add, titles, categories, tags, custom fields, folders and similar. If full-text search is enabled, text extracted from your files (via on-device OCR) is stored so your documents are searchable.
Organization data
If you create or join an organization, we store the organization’s name, its members, roles, groups, invitations and the access permissions you configure.
Usage and device information
We collect limited technical information needed to operate the Service reliably and securely, such as log data (for example, IP address and timestamps used for rate limiting and abuse prevention) and basic device or browser information.
Cookies
We and our authentication provider use strictly necessary cookies and similar technologies to keep you signed in and to operate the Service. We do not use third-party advertising or cross-site tracking cookies, and our own analytics (described below) are cookieless.
Analytics we run ourselves
To understand how our website, help center and app are used, and to measure how well our marketing works, we run first-party analytics that we built and host ourselves. We do not use Google Analytics or any other third-party analytics or advertising tracker, and we never sell or share this data.
When you visit a Stoatify page, we record a lightweight, privacy-preserving event that includes:
- the page you viewed and, if you arrived from another site, the referring website;
- campaign parameters (the standard
utm_source,utm_medium,utm_campaign,utm_termandutm_contenttags) present in the link you followed, so we can see which ads and campaigns bring people to Stoatify; and - the general type of device, browser and operating system you use.
To count unique visitors without cookies or any persistent identifier, we generate a daily-rotating, one-way hash from your IP address and browser details. That hash resets every day and cannot be reversed, so it does not identify you or follow you across days or sites. We do not store your raw IP address or full browser user-agent with these analytics events. Because it is cookieless and stored only in a coarse, de-identified form, this is analytics we can run responsibly on a privacy-first product.
How we use information
We use the information described above to:
- Provide, maintain and improve the Service;
- Authenticate you and keep your account and documents secure;
- Store, organize, index and return the documents you upload;
- Enable collaboration features you choose to use, such as organizations and sharing;
- Enforce rate limits, prevent abuse, and maintain the integrity of the Service;
- Measure traffic and understand how well our marketing and advertising campaigns perform;
- Communicate with you about service-related matters; and
- Comply with legal obligations.
Storing your documents
Your files are stored in encrypted object storage. The browser and mobile apps never talk to object storage directly, every byte is proxied through our API behind your authenticated session, and storage buckets are private with no public URLs. Document access is verified on every request; an item you are not authorized to see returns a “not found” response rather than revealing its existence.
Data is encrypted in transit using industry-standard TLS.
How we share information
We do not sell your personal information or the contents of your documents. We share information only in these limited circumstances:
- With service providers who process data on our behalf to operate the Service (see below), under contractual confidentiality and security obligations.
- With people you choose, for example, members of an organization you create, or recipients of a share link you generate.
- For legal reasons, if required to comply with applicable law, regulation, legal process, or an enforceable governmental request, or to protect the rights, property and safety of Stoatify, our users, or the public.
- In a business transfer, such as a merger, acquisition or sale of assets, in which case we will continue to protect your information and notify you of any material change.
Service providers
We rely on a small set of trusted subprocessors to deliver the Service:
- Clerk, authentication and identity management (and any single sign-on connections you configure).
- Backblaze B2, encrypted object storage for your files.
- Cloud hosting and database providers, to run the API and store document metadata.
- Optional AI assistants, only if you explicitly connect one (for example over MCP) or enable AI-assisted classification. These integrations operate under scoped, revocable access that you control, and are off by default.
Data retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete a document it is moved to Trash and then permanently removed after a retention period. When you delete your account, we delete or de-identify your personal information and documents within a commercially reasonable period, except where we are required to retain it to comply with legal obligations or resolve disputes.
Your rights & choices
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can:
- Access and edit your documents and account details directly in the app;
- Download the original of any document at any time;
- Delete documents, leave organizations, or delete your account; and
- Contact us at privacy@stoatify.com to exercise any applicable rights.
We will not discriminate against you for exercising these rights.
Security
We use technical and organizational measures designed to protect your information, including encryption in transit, proxied file access behind authentication, server-side storage credentials, scoped and short-lived capabilities for shares and AI access, and per-request authorization. No method of transmission or storage is 100% secure, but we work continuously to protect your data and to respond promptly to any incident.
International data transfers
We and our service providers may process and store information in countries other than the one in which you live. Where required, we use appropriate safeguards for such transfers.
Children’s privacy
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, please contact us and we will take appropriate steps to delete it.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service.
Contact us
If you have questions about this Privacy Policy or our data practices, contact us at privacy@stoatify.com.