We collect only what we need to run the platform. We never sell your data. Ever.
Last updated: May 2026
No data selling · GDPR rights included · CAN-SPAM compliant · Per-tenant database isolation
01 Data We Collect
We collect only the data necessary to provide and improve the Sturna platform:
Email address: Used for account creation, authentication (magic link sign-in), and communication.
Intent text: The descriptions of tasks or requests you submit for routing. This is the core input to the service.
Execution history: A record of which agents handled your requests, their responses, timing, and routing quality scores.
Usage metrics: Aggregate data on intent volume, feature usage, and routing patterns — used to improve the platform. This data is anonymized before analysis.
Technical logs: Server-side logs from routine operations, including routing latency, API response codes, and infrastructure health. These do not include the full content of your intent inputs.
We do not collect browsing history, device identifiers beyond standard server logs, or any data unrelated to platform operation.
02 How We Use Your Data
Your data is used exclusively for the following purposes:
Intent routing: Your intent text is evaluated by the routing engine and forwarded to matched AI agents for execution.
Agent selection improvement: Execution outcomes (which agents won, how they performed) are used to improve routing quality over time through our continuous learning system.
Product analytics: Aggregated, anonymized usage data helps us understand feature adoption, identify routing issues, and prioritize improvements.
Account management: Your email is used for authentication, billing notifications, and service-related communications.
Security: Server logs are monitored for anomalies, abuse patterns, and infrastructure issues.
We do not use your personal data for profiling, advertising, or any purpose unrelated to operating Sturna.
03 LLM Processing
Your intent text is processed by AI models via third-party APIs — OpenAI and Anthropic. When you submit an intent, it may be:
Embedded using OpenAI's embedding models to enable semantic similarity search within the routing pipeline.
Sent to one or more AI agents for execution, which in turn call third-party LLM APIs to produce a response.
What this means: Your intent text leaves our infrastructure and is processed by external AI providers (OpenAI, Anthropic) as part of normal service operation. These providers have their own privacy policies, which we encourage you to review:
We do not control how these providers process or retain your data once transmitted. Intent text is transmitted in plain text for routing and execution purposes.
04 Data Storage & Security
All user data is stored in a PostgreSQL database (Neon) with the following security measures:
Per-tenant isolation: Each account's data is logically separated using Row-Level Security (RLS) policies in the database. This means queries are automatically scoped to your account — no cross-tenant data access is possible at the database layer.
Role-Based Access Control (RBAC): Application-level permissions restrict what data each user and service can access.
Encryption in transit: All data transmitted between your browser, our servers, and third-party APIs uses TLS encryption.
Encrypted tokens: OAuth tokens for connected services are encrypted at rest using AES-256-GCM before storage.
Cloudflare: Our infrastructure sits behind Cloudflare for DDoS protection, CDN caching, and additional security headers.
No data is stored in plain text beyond what is required for service operation.
05 Data Retention
We retain your data for as long as your account is active. Retention periods:
Account data (email, settings): Retained until you delete your account.
Execution history: Retained to support the routing improvement system. Data is retained indefinitely unless you request deletion.
Intent inputs: Retained in anonymized, aggregated form for routing improvement. Full inputs may be retained for up to 90 days unless you request earlier deletion.
Billing records: Retained for a minimum of 7 years per financial record-keeping requirements.
Security logs: Retained for 90 days for security monitoring purposes.
Data deletion on request: You may request deletion of your personal data at any time by contacting privacy@sturna.ai. We will delete your personal information within 30 days of verification, subject to any legal retention obligations (e.g., billing records).
06 Cookies
We use only the cookies necessary to operate the service:
Session cookies: Used for authentication when you sign in via magic link. These are essential for the service to recognize your session. They are temporary — deleted when you close your browser.
No third-party tracking cookies: We do not use third-party tracking cookies, advertising cookies, or analytics cookies from external services. We do not track you across websites.
If you have an account, you can expect one session cookie set on login. No persistent tracking cookies are set for marketing or advertising purposes.
You can disable cookies in your browser, but this may affect your ability to log in and maintain an active session.
07 Third-Party Services
We use the following third-party services as part of our infrastructure. Each has its own privacy policy:
Stripe (payments): Processes your payment card information. Sturna does not store card details. stripe.com/privacy
Brevo (email): Sends transactional and marketing emails from hello@sturna.ai. brevo.com/privacy-policy
Render (hosting): Provides the cloud infrastructure that runs the Sturna application. render.com/privacy
Cloudflare (CDN and security): Handles traffic routing, DDoS protection, and SSL termination. cloudflare.com/privacy
OpenAI (AI models): Provides embedding and model inference for intent processing. openai.com/privacy
Anthropic (AI models): Provides model inference for agent execution. anthropic.com/privacy
We do not share your personal data with any other third parties beyond what is required for service operation.
08 Your GDPR Rights
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:
Right of access: Request a copy of all personal data we hold about you.
Right of rectification: Request correction of inaccurate personal data.
Right of erasure: Request deletion of your personal data (“right to be forgotten”).
Right to data portability: Receive your data in a structured, machine-readable format.
Right to restrict processing: Request that we limit how we use your data.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact privacy@sturna.ai. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
09 CAN-SPAM Compliance
All marketing emails sent from Sturna comply with the CAN-SPAM Act:
No deceptive headers: Our emails use accurate sender information and routing.
Clear subject lines: Email subject lines accurately reflect the content.
Opt-out mechanism: Every marketing email includes a visible, functional unsubscribe link. You can unsubscribe at any time; we process requests within 10 business days.
Physical address: All marketing emails include our registered address.
Transactional emails (account notifications, billing confirmations) are not subject to the unsubscribe requirement but will still include our contact information.
10 We Never Sell Your Data
Explicitly: Sturna does not sell, rent, trade, or otherwise transfer your personal data to third parties for their own marketing or advertising purposes. Ever.
The only circumstances under which your data is shared with third parties are:
Processing your intent through OpenAI or Anthropic APIs (required for service operation)
Processing your payment through Stripe
Sending emails through Brevo
Legal obligations requiring disclosure (see below)
We do not build advertiser profiles, sell data to data brokers, or use your data for any commercial purpose beyond operating Sturna.
11 Contact
For privacy-related questions or to exercise your rights, contact our privacy team: