Overview
Stonewrit operates a tamper-evident audit-evidence API for sensitive system actions and AI agent activity. This policy describes what information we collect when you use Stonewrit, how we use it, and the choices you have.
Stonewrit is a B2B service. We do not collect data from end consumers directly — only from the engineering and compliance teams that integrate our API.
We do not use tracking cookies. We do not run third-party analytics, ad networks, or behavioural trackers on our marketing site. Authentication uses first-party session cookies only, set on the dashboard domain when you sign in.
Data we collect
We collect four narrow categories of data:
- Account data. Name, work email, organization name, role, and authentication identifiers (e.g. Google SSO subject ID). Provided by you at sign-up.
- Evidence event data. The normalized event payloads you submit to POST /api/v1/events, including actor metadata, action details, resource references, and any fields you choose to include. You control the shape of this payload.
- Operational telemetry. API request metadata (timestamps, IP, request ID, response code, latency) needed to operate the service, detect abuse, and meet your rate-limit and uptime guarantees. No request body content is logged beyond what is stored as evidence.
- Billing data. If you pay for Stonewrit, billing identifiers and metadata are handled by our billing processor (Stripe). We do not store full card numbers.
We do not collect biometrics, precise location, advertising identifiers, or social-graph data. We do not buy or rent personal data from third parties.
How we use data
Every piece of data we collect maps to a specific operational purpose:
- Operate the API. Ingest, hash-chain, store, and return your evidence events as documented.
- Authenticate and authorise. Verify sign-in sessions, API keys, and role-based access to your organization.
- Bill. Compute usage against your tier, generate invoices, and reconcile payments.
- Operate, debug, and secure. Investigate incidents, detect abuse, enforce rate limits, and maintain integrity of the hash chain.
- Communicate. Send transactional emails (account confirmations, billing receipts, incident notices). We do not send marketing email without your explicit opt-in.
We do not use your evidence event data to train any machine learning model, ours or anyone else's.
Auditor and partner access
A core feature of Stonewrit is the ability to grant external auditors read-only access to a scoped subset of your evidence. You control:
- which framework(s) the auditor can query;
- the date range they can access;
- which events are included;
- when the access expires and how to revoke it.
Auditor access keys are issued through Stonewrit but never grant full-account access. You can revoke any auditor key from the dashboard at any time. Stonewrit logs auditor activity for your review.
Data retention
Evidence event data is retained per your tier:
- Starter tier — 30 days.
- Pro tier — 90 days.
- Enterprise tier — configurable retention, up to 7 years to meet regulatory requirements.
Account data is retained for the life of your organization plus a short grace period after account closure. Billing records are retained for the period required by tax and accounting law (typically seven years).
Operational telemetry is retained for 90 days for incident investigation, then aggregated or deleted.
Security
Stonewrit is built around cryptographic integrity. In addition to the standard controls you would expect — TLS 1.3 in transit, AES-256 at rest, role-based access, hardware-backed MFA for operators — Stonewrit's data model is itself tamper-evident:
- Every event is canonicalized (RFC 8785) and SHA-256 hashed at ingest.
- Each event hash links to the previous event hash, forming a cryptographic chain.
- Any modification — including by us, including in the database — invalidates every hash from that point forward.
We publish a verify endpoint that lets you and your auditors confirm the chain's integrity end-to-end, without trusting Stonewrit.
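The chain construction described above can be checked independently with a few lines of code. The following is an added example, not Stonewrit's implementation or its verify endpoint. The linking rule, the all-zero genesis value, the record field names, the `pinned_head` parameter and the use of `json.dumps` as a stand-in for RFC 8785 are assumptions made for illustration.

```python
import copy
import hashlib
import json
GENESIS = "0" * 64  # assumed anchor value for the first link

def canonicalize(event):
    # Stand-in for RFC 8785: sorted keys, no whitespace, UTF-8. Matches JCS
    # only for the ASCII strings and small integers used in SAMPLE_EVENTS.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")

def link(prev_hash, event):
    # Assumed linking rule: SHA-256(prev_hash || SHA-256(canonical event)).
    event_hash = hashlib.sha256(canonicalize(event)).hexdigest()
    return hashlib.sha256((prev_hash + event_hash).encode("ascii")).hexdigest()

def build_chain(events):
    records, prev = [], GENESIS
    for event in events:
        prev_hash, prev = prev, link(prev, event)
        records.append({"event": event, "prev_hash": prev_hash, "chain_hash": prev})
    return records

def verify_chain(records, pinned_head=None):
    """Index of first bad record (len(records) = head mismatch), None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or link(prev, rec["event"]) != rec["chain_hash"]:
            return i
        prev = rec["chain_hash"]
    if pinned_head is not None and prev != pinned_head:
        return len(records)
    return None

def tamper(records, index, rehash=False):
    """Copy the chain, edit one stored event, optionally recompute later hashes."""
    forged = copy.deepcopy(records)
    forged[index]["event"]["action"] = "read"
    prev = forged[index]["prev_hash"]
    for rec in (forged[index:] if rehash else []):
        rec["prev_hash"], rec["chain_hash"] = prev, link(prev, rec["event"])
        prev = rec["chain_hash"]
    return forged

# Constructed sample events (not real Stonewrit payloads).
SAMPLE_EVENTS = [
    {"actor": "agent-7", "action": "read", "resource": "db/customers", "seq": 1},
    {"actor": "alice", "action": "grant", "resource": "role/admin", "seq": 2},
    {"actor": "agent-7", "action": "delete", "resource": "db/customers", "seq": 3},
]
```

A chain whose hashes were recomputed from the edited event onward is internally consistent, so the walk alone passes it. It is caught only by comparing against a head hash that the verifier recorded outside the store.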
Your rights
You have the right to access, correct, export, and delete personal data we hold about you. For most data, the dashboard provides self-service controls. For requests we cannot fulfil through the product (for example, a full export of an old account), email privacy@stonewrit.com.
If you are in the EU/EEA or UK, you have rights under the GDPR / UK-GDPR. If you are in California, you have rights under the CCPA. We process all rights requests within 30 days. We do not discriminate against users who exercise their privacy rights.
International transfers
Stonewrit operates primarily in the United States. Starter and Pro tier data is stored in US-East. EU residency is available on the Enterprise tier; on-prem and VPC deployment options are also available.
Where data crosses jurisdictions, we rely on standard contractual clauses or equivalent legal mechanisms.
Children
Stonewrit is a B2B service intended for use by businesses. It is not directed at, and we do not knowingly collect data from, children under 16.
Changes to this policy
We update this policy as the product and our practices evolve. Material changes are announced in the dashboard and via email to organization owners at least 30 days before they take effect. The “Last updated” date at the top of this document identifies the current version.
Contact
Privacy questions, requests, or complaints — privacy@stonewrit.com. Legal notices — legal@stonewrit.com. General inquiries — hello@stonewrit.com.