Introduction
STOA Tools ("we," "our," or "us") is operated by STOA Digital Solutions (stoa.agency). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website at tools.stoa.agency and related services (collectively, the "Service").
We are committed to being transparent about your data. We wrote this policy in simple language so you can actually understand it. If you have questions, email us at hello@stoa.agency.
What We Collect
We collect information in a few different ways:
Information You Give Us
- Account information: When you sign up, we collect your email address, name, and password. If you sign in with Google, we receive your name and email from Google.
- Business profile: During onboarding, we collect your company name, industry, number of employees, annual revenue range, your role in the company, whether you make software purchasing decisions, how many team members use software daily, and your biggest technology frustration.
- Business processes: We ask which business processes you manage (such as sales, marketing, HR, or operations), how each process is currently handled, your top priorities, your monthly software budget range, and when you plan to make changes.
- Current software stack: We collect which software tools you currently use, how satisfied you are with each one (love it, it's fine, frustrating, or want to replace it), why you are dissatisfied if applicable, and which business processes each tool supports.
- Primary goal: We ask what you most want to accomplish with better software so we can tailor your recommendations.
- AI conversations: When you chat with our AI Tech Advisor, we store the conversation history. To personalize responses, we also include a summary of your business profile (industry, company size, current tools) as context for the AI.
- Assessment responses: When you use our Tech Stack Assessment, we collect your answers so we can generate personalized recommendations.
- Newsletter subscription: If you subscribe to our weekly digest, we collect your email address.
- Payment information: If you subscribe to a paid plan (monthly, yearly, or lifetime), your payment details are processed securely by Stripe. We never see or store your full credit card number.
- Feedback and ratings: If you rate an AI response or leave a comment, we store that feedback to improve our recommendations.
- Contact form submissions: If you reach out to us, we collect the information you include in your message.
- Consultant client data: If you use our Consultant plan, you may enter information about your clients, including their company name, contact name, contact email, industry, company size, revenue range, pain points, notes, and their current software stack with satisfaction ratings. You are responsible for having permission to share this data with us.
Information We Collect Automatically
- Usage data: We track which pages you visit, which tools you view, searches you perform, and how you interact with the platform. This helps us improve the experience.
- Device information: We collect basic information about your browser, operating system, and device type.
- IP address: We collect your IP address for security purposes and to understand where our users are located (at a country/region level).
- AI usage metrics: When you use AI-powered features, we log which AI model was used, the number of tokens processed, response time, and estimated cost. This helps us manage service quality and enforce plan-based usage limits.
Information We Store Temporarily
- Session storage: While you are completing onboarding, your form progress is saved in your browser's session storage so you do not lose your work if you navigate away. This data is cleared when you close the browser tab and is never sent to our servers until you complete onboarding.
Cookies and Tracking
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how you use our site. Here is a breakdown:
- Essential cookies: Our authentication provider (Supabase) sets a session cookie to keep you signed in. These are required for the site to work properly. You cannot opt out of these.
- Analytics cookies: We use OpenPanel to understand how people use STOA Tools. When you are signed in, analytics events are tied to your account so we can understand feature usage across subscription tiers. Analytics data is self-hosted on our own servers and not shared with advertisers. You can opt out of analytics tracking by using your browser's Do Not Track setting.
- Survey cookies: We use Formbricks for in-app surveys and feedback. Formbricks may set cookies to track which surveys you have seen or completed so we do not show you the same survey twice.
We do not use advertising cookies or sell your data to ad networks.
Third-Party Services
We use trusted third-party services to run STOA Tools. Here is who has access to what, organized by function:
Data Storage and Authentication
- Supabase (database and authentication): Stores your account data, business profile, tool ratings, AI conversations, and assessment results. Supabase provides our authentication system and database hosting.
- Upstash Redis (caching): Temporarily caches your profile data and tracks monthly usage counts for rate-limited features (like AI chat limits). Cached data expires automatically, typically within 24 hours.
AI and Recommendations
- OpenRouter (AI model routing): Routes AI requests to language models from providers including Anthropic (Claude), Google (Gemini), and OpenAI (GPT). Your conversation messages and a summary of your business profile (industry, company size, current tools) are sent to generate personalized recommendations. OpenRouter does not store your data beyond processing the request. Each provider's own data policies apply to their processing of your messages.
- Qdrant Cloud (search): Stores vector embeddings (mathematical representations) of tool descriptions, integrations, and use cases to power our semantic search. Your search queries are converted to vectors for matching but are not stored permanently in Qdrant.
Payments
- Stripe (payment processing): Processes subscription payments securely. Stripe stores your payment method details (card number, billing address) on their servers. We only receive a token — we never see your full card number.
Communications
- Resend (email delivery): Sends transactional emails (confirmation emails, password resets) and our weekly digest newsletter. Resend processes your email address to deliver these messages.
Analytics and Feedback
- OpenPanel (analytics): Tracks usage patterns to help us improve the product. When you are signed in, events are associated with your account to help us understand feature usage per subscription tier. Analytics data is self-hosted on our own infrastructure and not shared with any third parties.
- Formbricks (surveys and feedback): Powers in-app surveys and feedback collection. We share your email, name, and subscription plan with Formbricks to target relevant surveys. Formbricks is self-hosted on our infrastructure.
Infrastructure and Monitoring
- Vercel (hosting): Hosts our website. Vercel may process server logs that include IP addresses and request data.
- Sentry (error monitoring): Helps us identify and fix bugs. Sentry may receive error reports that include technical information about your session, but not personal data.
- OneUptime / OpenTelemetry (performance monitoring): Collects performance traces and system metrics to help us monitor service health and debug issues. These traces may include request timing and error context but do not include personal data.
How We Use Your Data
We use your information to:
- Provide and improve the STOA Tools platform
- Personalize your tool recommendations based on your business profile, processes, current stack, and goals
- Generate AI-powered recommendations by including your business context in AI conversations
- Track AI feature usage (model used, token counts, response times) to manage costs and improve quality
- Enforce usage limits based on your subscription plan
- Send you the weekly digest newsletter (only if you opted in)
- Process subscription payments
- Respond to your questions and support requests
- Generate Tech Stack Assessment reports and Team Training guides
- Enable consultants to manage client software assessments (Consultant plan only)
- Prevent fraud and protect the security of our platform
- Understand usage patterns so we can build better features
We do not sell your personal information to anyone. Period.
Data Retention
We keep different types of data for different periods:
- Account and profile data: Retained while your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are legally required to retain it.
- AI conversations: Retained while your account is active. You can delete individual conversations from your dashboard at any time.
- AI usage logs: Retained for 12 months for billing and quality improvement purposes, then aggregated and anonymized.
- Cached data: Automatically expires within 24 hours.
- Payment records: Retained as required by tax law, typically 7 years.
- Newsletter subscriber data: Retained until you unsubscribe. After unsubscribing, we keep your email address in a suppression list to make sure we do not accidentally email you again.
- Anonymous analytics data: May be retained indefinitely in aggregate form.
Anonymized Knowledge & Aggregated Insights
We extract anonymized, aggregated insights from user interactions to improve our recommendation engine and produce market intelligence. This process is designed to protect your privacy:
- No personal information is retained: All identifying information (names, email addresses, company names, specific financial details) is stripped before any insight is created.
- Minimum group sizes enforced: No insight can represent fewer than 10 distinct users. This ensures that individual behavior cannot be inferred from aggregate data.
- Only structured insights, never raw conversations: We extract patterns like tool preferences, common pain points, and workflow trends — never verbatim conversation text.
- Insights may be shared in aggregate form: Anonymized, aggregated insights may be used to improve our services and may be shared with or sold to third parties (such as software vendors or market researchers) in aggregate form only. No individual-level data is ever shared.
- You can opt out: You can disable this in your dashboard settings at any time. Opting out means your future conversations will not be included in knowledge extraction. Already-extracted insights cannot be traced back to you and are retained in their anonymized form.
Legal basis: We process this data under legitimate interest (GDPR Article 6(1)(f)), as the fully anonymized and aggregated nature of the insights means no personal data is retained in the knowledge pool.
Your Rights
You have the right to:
- Access your data: You can view your profile, assessment history, and conversation logs in your dashboard at any time.
- Update your data: You can edit your profile and preferences from your account settings.
- Delete your data: You can request account deletion through your account settings or by contacting us. We will process your request within 30 days.
- Export your data: You can request a copy of your personal data by contacting us.
- Opt out of marketing: You can unsubscribe from our newsletter at any time using the link in every email.
- Opt out of analytics: You can enable your browser's Do Not Track setting to opt out of analytics tracking.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: You can request details about the categories of personal information we collect, the purposes for collecting it, and the third parties we share it with.
- Right to delete: You can request that we delete the personal information we have collected about you, subject to certain exceptions.
- Right to opt out of sale: We do not sell your personal information. We never have and we never will.
- Right to non-discrimination: We will not treat you differently for exercising your privacy rights.
- Right to limit use of sensitive data: We collect business financial information (such as revenue range and software budget) that may be considered sensitive under California law. This data is used solely to personalize your software recommendations and is never shared for unrelated purposes.
To exercise any of these rights, email us at hello@stoa.agency. We will respond within 45 days as required by law.
Data Security
We take reasonable measures to protect your personal information, including:
- Encrypted data transmission (HTTPS) for all connections
- Row-level security policies on our database to prevent unauthorized access
- Secure password hashing (handled by Supabase Auth)
- PCI-compliant payment processing through Stripe
- Regular security reviews of our codebase and dependencies
No system is 100% secure. If we ever discover a data breach that affects your personal information, we will notify you as required by applicable law.
Children's Privacy
STOA Tools is designed for business owners and professionals. We do not knowingly collect personal information from anyone under 16 years of age. If you believe we have collected data from a minor, please contact us and we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. When we make significant changes, we will notify you by email (if you have an account) or by posting a notice on our website. The date at the top of this page always shows when the policy was last updated.
Contact Us
If you have any questions about this privacy policy or how we handle your data, please reach out:
- Email: hello@stoa.agency
- STOA Agency, United States