Stagent
DocsFAQ
Quickstart

Privacy Policy

Effective 2026-05-02

The English version of this policy is authoritative. Section headings below are translated for navigation; the policy text itself is kept in English to preserve legal precision.

1. Who we are

Stagent is operated by World State Labs. This policy describes how we collect, use, and protect your personal data when you use stagent.worldstatelabs.com(the "Service"). If you have questions, contact us at privacy@worldstatelabs.com.

The Service is not directed at children under 13. We do not knowingly collect data from children under 13 (or the higher digital consent age set by local law in your country). If you believe a child has provided us data, contact privacy@worldstatelabs.com and we will delete it.

2. What data we collect

When you sign in via GitHub, Google, or Apple OAuth, we receive and store:

  • Provider-scoped user identifier (e.g. github:12345)
  • Display name from your provider profile
  • Email address from your provider profile
  • Avatar URL from your provider profile

We do not request access to repositories, contacts, or any scope beyond your basic profile. We do not store your OAuth provider password.

When you use the Service, we also store:

  • Session records created by the stagent plugin (topic, status, stage artifacts)
  • Templates you publish
  • Plugin bearer tokens (stored as SHA-256 hashes — never the plaintext token)
  • Your template favourites
  • Server logs (IP address, request timestamps) for abuse prevention and rate limiting
  • Aggregate page-view analytics (page path, referrer, country derived from IP, hashed daily visitor token) — collected by Vercel Web Analytics in cookieless mode; no persistent identifier is set

Anonymous (not signed-in) plugin sessions are uploaded with publicly viewable URLs — anyone holding the URL can read the session's artifacts (plans, reviews, QA reports, diff text). Sign in before running /stagent:start if you want session contents to be private; signed-in sessions are scoped to your account and not viewable by others.

3. How we use your data

  • Authentication — to identify you across browser and terminal sessions
  • Author attribution — your display name appears on templates you publish
  • Session ownership — to list "/me/sessions" and scope access to your private data
  • Abuse prevention — IP-based rate limiting to protect database resources

We do not sell your data. We do not use your data for advertising. We do not build profiles for third-party marketing.

4. Data processors

We use the following sub-processors who may handle your data:

  • Neon — Postgres database hosting (EU and US regions). Your profile data and session records are stored here.
  • Vercel — Application hosting and serverless compute. Processes requests and temporarily holds request payloads.
  • Vercel Web Analytics — Aggregate page-view analytics in cookieless mode. Processes IP + user-agent into a daily-rotating hashed visitor token; no persistent identifier is stored.

Neon, Vercel, and Vercel Web Analytics are GDPR-compliant and provide Data Processing Agreements.

5. Cookies

We use strictly necessary cookies only. Auth.js sets a next-auth.session-token JWT cookie when you sign in, and a CSRF token cookie for form security. These cookies are required for the Service to function — they do not track you across other websites and do not require opt-in consent under GDPR Art. 5(3) ePrivacy for functional purposes.

For aggregate page-view analytics we use Vercel Web Analytics in its cookieless mode — no analytics, advertising, or third-party tracking cookies are set. See Section 4 for what data Vercel Web Analytics processes.

6. AI-generated content

Session artifacts (planning reports, code reviews, compliance audits, etc.) displayed in the Service are generated by Claude (Anthropic), an AI model, via the stagent Claude Code plugin. This content is AI-generated and may contain errors. It is displayed for informational purposes only and does not constitute professional advice.

7. Data retention

We retain your data for as long as your account is active or as needed to provide the Service. Server logs (IP addresses) are retained for up to 30 days for abuse prevention.

You may request deletion of all your data at any time — see Section 8.

8. Your rights

Under GDPR (if you are in the EU/UK) and CCPA (if you are in California), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Erasure — delete all your data. Use the account deletion feature under /me or call DELETE /api/me/delete with your session token. This permanently removes your profile, sessions, templates, plugin tokens, and favourites.
  • Rectification — update your display name or email by updating your OAuth provider profile and re-signing in
  • Portability — contact us for an export of your data
  • Objection — object to processing by contacting us

To exercise any right, email privacy@worldstatelabs.com. We will respond within 30 days.

9. Security

We take reasonable technical measures to protect your data: bearer tokens are stored as SHA-256 hashes (not plaintext), sessions are JWT-signed, database connections require TLS, and all HTTP responses include security headers (HSTS, CSP, X-Frame-Options, etc.). No system is perfectly secure; if you discover a vulnerability, please report it to privacy@worldstatelabs.com.

10. Changes to this policy

We may update this policy. Material changes will be noted with an updated effective date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact

Questions or requests: privacy@worldstatelabs.com