Privacy Policy
Last updated: April 20, 2026
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name (optional)
- Company name (optional)
- Payment information (for paid plans — processed by our payment provider, not stored by us)
Interaction Data
The core function of Provenance is to store interaction data that you send through our API. This data is defined entirely by you and may include resource identifiers, action types, metadata, and custom payloads. We process this data solely to provide the Service.
Usage Data
We collect basic usage analytics including API call volumes, feature usage, and error rates to improve the Service.
2. How We Use Your Information
- Providing the Service — storing and processing your interaction data, sending notifications, evaluating alerts.
- Communications — sending transactional emails (account verification, notifications, alerts) via SendGrid.
- Identity verification — authenticating your account via Firebase Authentication.
- Payment processing — processing subscription payments and issuing invoices.
- Service improvement — analyzing usage patterns to improve features and performance.
3. Third-Party Services
We use the following third-party services to operate the platform:
| Service | Purpose | Data Region |
|---|---|---|
| Render.com | Application hosting & database | Frankfurt, EU |
| Firebase (Google) | Authentication | Global |
| Upstash QStash | Message queue | eu-central-1 |
| SendGrid (Twilio) | Transactional email | US |
Optional integrations (Discord, Slack, GitHub, JIRA, etc.) are configured by you and used at your own discretion. We do not share your data with these services unless you explicitly configure a subscription or integration.
4. Data Residency and Storage
Application data and databases are hosted on Render.com in Frankfurt, Germany (EU). Message queues are processed via Upstash in eu-central-1.
During the Closed Beta, tenant data is stored in a shared database with logical isolation per tenant. During the Open Beta and beyond, tenants will have isolated, encrypted database instances.
5. Secrets and Encryption
Secrets stored through the Provenance Secrets Manager are encrypted at rest using AES-256-GCM. We also support external secrets managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) where secrets are fetched at runtime and never stored by Provenance.
6. Data Retention
- Closed Beta — interaction data is retained for 6 months.
- Open Beta — interaction data is retained for 12 months.
- Post-Beta — retention periods will be defined per plan.
Upon account deletion, your data will be permanently removed within 30 days. You may request data export before deletion.
7. Your Rights (GDPR / CCPA)
If you are in the EU, EEA, UK, or California, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing of your personal data.
To exercise these rights, contact us at privacy@stdiolabs.dev.
8. Cookies
We use cookies solely for authentication purposes (session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the Service after changes constitutes acceptance.
10. Contact
For privacy-related inquiries, contact us at privacy@stdiolabs.dev.