Privacy Policy
Last updated: [PENDING LEGAL REVIEW]. Effective: [PENDING LEGAL REVIEW].
DRAFT — NOT YET IN EFFECT. This document is a working draft pending legal review. Do not rely on it. Questions: support@the-stringer.lol.
TL;DR
- We only read emails you flag as spam, plus account metadata we need to operate.
- Today we send flagged emails to a third-party AI provider (OpenAI or Anthropic) to generate replies. This is temporary — we're working toward our own in-house models so your data never leaves our infrastructure.
- We store encrypted email credentials using AES-256-GCM; only our app has the key.
- We do not sell your personal data.
- You can export or delete your data any time.
1. Who We Are
The Stringer is operated by [LEGAL ENTITY NAME], a [JURISDICTION] [ENTITY TYPE] ("we," "us," or "our"). For privacy questions or data requests, contact support@the-stringer.lol.
2. Data We Collect
Account data
- Email address, hashed password, timezone preferences, subscription tier
- Stripe customer ID (for billing; card details are held by Stripe, not us)
- IP address and user-agent at signup and login (for security / audit logging)
Email integration data
- IMAP/SMTP credentials OR Gmail/Office 365 OAuth tokens — encrypted at rest with AES-256-GCM
- Metadata of emails we process (folder, timestamp, message-id, sender, subject)
- Full body and headers of messages you flag as spam (required to generate replies)
Usage data
- Counts of conversations, emails sent, stings delivered
- Aggregate page-view analytics on our marketing site (no cookies, no tracking pixels)
3. How We Use Your Data
- Operate the Service: read flagged emails, generate replies, send replies from your account, track conversations, apply usage limits.
- Billing: charge your Stripe subscription, prevent fraud, send receipts.
- Security & audit: detect abuse, rate-limit login attempts, log admin actions.
- Improve the Service: aggregate, anonymized metrics; debugging logs (with PII masked).
- Communicate: transactional email (verification, password reset, billing, trial reminders). We do not send marketing email without opt-in.
4. Third Parties We Share With
We only share data with service providers needed to run Stringer:
- AWS — hosting, databases, email delivery (SES), secure storage (S3)
- Stripe — payment processing
- OpenAI and/or Anthropic — LLM inference to generate replies (your flagged email content is sent to the provider you've configured; we do not send it to both). This is a transitional arrangement — we're building our own in-house models so future versions keep your data on our infrastructure.
We do not sell personal data. We do not share with advertisers.
5. Data About Spammers
When we receive a reply from a spammer, we store it. Spammer email content may be aggregated with other users' spam into anonymized threat-intelligence datasets (see Phase 6 plans). We strip personal-data identifiers from any aggregated dataset before sharing.
6. Security
- Email credentials and OAuth tokens are encrypted with AES-256-GCM using per-account keys.
- All traffic is TLS 1.2+ with HSTS.
- The database sits in a private VPC subnet, enforces SSL on connections, and is encrypted at rest.
- Passwords are hashed with BCrypt.
- We maintain audit logs for sensitive actions (admin changes, credential access).
7. Retention
- Account data: kept until you delete your account, plus up to 30 days for backup rotation.
- Flagged-email bodies: retained for active conversations; archived according to your tier's retention period, then deleted.
- LLM request logs (used to debug replies): [PENDING — target 30 days].
- Audit logs: retained indefinitely for legal and forensic purposes.
- Analytics: aggregated only; no personally identifying raw records stored beyond 90 days.
8. Your Rights
Depending on your jurisdiction (GDPR, CCPA, PIPEDA, etc.), you may have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Export your data in a portable format
- Delete your account and associated data
- Object to certain processing
Email support@the-stringer.lol to exercise any of these rights. We'll respond within 30 days.
9. Cookies
The marketing site (the-stringer.lol) sets no cookies at all.
The app (app.the-stringer.lol) sets a single strictly-necessary session cookie (JSESSIONID) to keep you logged in. CSRF protection is carried inside that same session — no separate CSRF cookie. We do not set tracking, advertising, or analytics cookies anywhere.
10. International Transfers
Our infrastructure is hosted on AWS in the United States (us-east-1 and us-west-2). If you use the Service from outside the US, you consent to transfer of your data to the US under applicable safeguards.
11. Children
The Service is not directed to anyone under 18. We do not knowingly collect data from children.
12. Changes
We will post updates to this policy with a new "Last updated" date. Material changes will trigger email notification to active accounts.
13. Contact
Privacy questions or data requests: support@the-stringer.lol.