Privacy Policy
Effective Date: July 21, 2025
1. Introduction
Welcome to stagewise! This Privacy Policy explains how tiq UG (haftungsbeschränkt), operating as stagewise ("we," "us," or "our"), collects, uses, and protects your personal data when you use our AI agent and related services (collectively, the "Service"). Our registered address is Obernstraße 50, 33602 Bielefeld, Germany, and we are registered at the local court (Amtsgericht) of Bielefeld under HRB 45829.
This policy applies to all users of our Service ("User," "you"), including individual developers and business customers. We are committed to protecting your privacy in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
This Privacy Policy is an integral part of our Terms of Service.
2. Data Controller
The entity responsible for the processing of your personal data (the "data controller") is:
tiq UG (haftungsbeschränkt)
Obernstraße 50
33602 Bielefeld, Germany
Email: privacy@stagewise.io
3. What Personal Data We Collect and Why
We collect different types of data for specific purposes, always ensuring we have a valid legal basis for processing under GDPR.
A. Data You Provide Directly to Us
- Account Information: When you register for our Service, we collect your email address. We use this to create and manage your account, provide you with access via magic links, and send you important service-related communications.
- Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
- Payment Information: When you subscribe to a paid plan, our payment provider, Stripe, collects your payment details (e.g., credit card information, billing address). If you register as a business customer, this may include your VAT ID. We do not store your full payment card details on our servers.
- Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
B. Data We Process to Provide the Service
- Customer Content (Your Codebase): To enable our AI agent to function, the Service requires temporary access to your project's source code and related files ("Customer Content"). This content is processed ephemerally in memory to understand context and generate code changes. We do not permanently store your codebase on our servers, and we do not share it with third parties.
- Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR). The license to perform these actions is granted in our Terms of Service.
C. Data We Collect Automatically
- Server Logs: When you use our Service, our servers automatically record technical information, including your IP address, request timestamps, and browser/client type. We use this information for security monitoring, preventing abuse, and troubleshooting.
- Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) to ensure the security and stability of our Service.
- Usage & Analytics Data: We use PostHog, a third-party analytics service, to collect information about how you interact with our Service. This includes events like features used, buttons clicked, and general usage patterns. This helps us understand what is working, what isn't, and how to improve the Service.
- Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) to improve and develop our product.
D. Data for AI Service Improvement (Requires Your Explicit Consent)
- What it is: We offer you the voluntary opportunity to help us improve the quality and capability of our AI models. The core functionality of the Service is available without this consent.
- What we collect (if you opt-in): If you provide your explicit consent via the settings in your account, we will collect and store your chat history with the agent and the code generated by the Service.
- How we use it: This data is used exclusively for internal research, evaluation ("evals"), and fine-tuning of our AI models to improve their performance for all users. We will never share this raw data with third parties for their own use.
- How to withdraw consent: You can withdraw your consent at any time in your account settings. This will stop any future collection of this data for training purposes and will not affect your ability to use the Service.
- Legal Basis: Consent (Art. 6(1)(a) GDPR).
4. How We Share Your Information (Our Sub-processors)
We do not sell your personal data. We share it only with trusted third-party service providers ("sub-processors") who are necessary for us to operate the Service.
| Provider | Purpose | Location | Data Transfer Mechanism |
|---|---|---|---|
| Railway | Cloud Hosting & Infrastructure | USA | Standard Contractual Clauses |
| Supabase | User authentication | USA | Standard Contractual Clauses |
| OpenRouter | LLM Gateway / AI Model Access | USA | Standard Contractual Clauses |
| Stripe | Payment Processing | USA | EU-U.S. DPF |
| PostHog | Product Analytics | EU | --- |
5. International Data Transfers
Your personal data will be processed on servers located in the United States. This means that when you use our Service from the European Union, your data is transferred outside of the EU. We ensure these transfers are lawful and secure through recognized legal mechanisms:
- EU-U.S. Data Privacy Framework (DPF): For transfers to our providers who are certified under the DPF (Stripe), we rely on the European Commission's adequacy decision for this framework.
- Standard Contractual Clauses (SCCs): For transfers to providers not certified under the DPF (such as OpenRouter or Railway), we enter into the EU's Standard Contractual Clauses. These are contractual commitments that impose EU-level data protection standards on the data importer.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected.
- Account Data: Retained for the duration of your account's existence.
- Payment & Invoicing Data: Retained for 10 years to comply with German tax and commercial law.
- AI Improvement Data (from Opt-in): Retained for up to one (1) year before it is fully anonymized and detached from your account.
- Server Logs: Retained for 90 days for security and troubleshooting purposes.
7. Your Data Protection Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16 GDPR): You can ask us to correct inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR): You can request the deletion of your personal data, subject to legal obligations (like invoice retention).
- Right to Restriction of Processing (Art. 18 GDPR): You can request that we limit the processing of your data.
- Right to Data Portability (Art. 20 GDPR): You can request your data in a machine-readable format.
- Right to Object (Art. 21 GDPR): You can object to processing based on our legitimate interests.
- Right to Withdraw Consent (Art. 7 GDPR): You can withdraw your consent for AI improvement data at any time.
To exercise any of these rights, please contact us at privacy@stagewise.io. We will respond to your request within 30 days. You also have the right to lodge a complaint with a supervisory authority.
8. AI Disclaimer and User Responsibility
Our Service uses artificial intelligence which, despite our best efforts, may produce code or information that is incorrect, incomplete, insecure, or otherwise flawed ("hallucinations"). The Service is an assistive tool that requires human oversight. You are solely responsible for reviewing, testing, and validating all output from the Service before use.
9. Cookies
We use only strictly necessary cookies that are essential for the core functionality of our Service, such as managing your login session and ensuring security. Under EU and German law (§ 25 TTDSG), these cookies do not require your prior consent. We do not use cookies for analytics, marketing, or tracking purposes.
10. Children's Privacy
Our Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have, we will take steps to delete that information.
11. Security
We implement appropriate technical and organizational measures, such as encryption and access controls, to protect your personal data. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice in the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the revised policy.
13. Governing Law
This Privacy Policy and any disputes arising from it shall be governed by the laws of the Federal Republic of Germany.