Privacy Policy

1. Overview

Stone AI ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your information. Stone AI is designed with a local-first architecture — on our Free and Starter plans, your conversations are processed entirely on local hardware and never sent to third-party AI providers.

2. Data We Collect

Account Information: Email address, name (optional), and authentication data provided through Clerk (our authentication provider).

Conversation Data: Messages you send and AI responses generated during chat sessions. This includes message content, timestamps, and token usage counts.

Usage Data: Daily message counts, token usage, feature usage statistics, and subscription status.

Payment Data: Subscription and billing information is processed and stored by Stripe. We store only your Stripe customer ID and subscription ID — never your card number or banking details.

Forum Content: Posts, replies, and likes you create in the community forum.

Feedback: Messages you submit through the Help & Support feedback form.

Agent Memory: Key-value pairs that AI agents store to remember your preferences across sessions.

Bestie Companion Data: AI Bestie personality configurations (traits, communication style, expertise areas), Bestie conversation memories (AI-generated summaries of past interactions), and Bestie usage statistics. Bestie memories are stored as key-value data linked to your Bestie profile and may be inaccurate. You can delete Bestie memories at any time through Settings.

3. How Your Data Is Processed

Local Mode (Free, Starter, Plus plans default):

Your messages are sent to our local inference server running on our own hardware. The AI model processes your message and generates a response entirely on our infrastructure. Your conversation data is never sent to OpenAI, Google, Anthropic, or any third-party AI provider. This is true local-first AI.

Smart Mode (Smart and Pro plans):

When you use Smart mode or when auto-routing selects it, your message may be sent to Anthropic's Claude API for processing. Anthropic's data usage policies apply to these requests. Anthropic's API does not use your data for training by default. You can always use Local mode instead if you prefer complete data sovereignty.

4. Data Storage and Security

All data is stored in our PostgreSQL database with the following protections:

• AES-256-GCM encryption for sensitive data at rest
• TLS 1.2+ encryption for all data in transit
• API keys stored as salted hashes (never in plaintext)
• Rate limiting on all endpoints to prevent abuse
• Security audit logging for access and authentication events
• Enterprise security headers (CSP, HSTS, X-Frame-Options)
• Input sanitization on all user-submitted content

4A. NY SHIELD Act Compliance

Stone AI maintains a data security program that includes reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal information of New York residents, as required by the New York SHIELD Act (N.Y. Gen. Bus. Law §899-bb).

Administrative safeguards: Designated personnel responsible for security program coordination, risk assessments, and vendor security evaluation.

Technical safeguards: AES-256-GCM encryption at rest, TLS 1.2+ encryption in transit, API key hashing, rate limiting, security audit logging, CSP headers, input sanitization, and regular security reviews.

Physical safeguards: Access controls to physical infrastructure, secure data center hosting (via Vercel/Neon), and disposal procedures for data-bearing equipment.

Breach notification: In the event of a data breach affecting personal information of New York residents, Stone AI will notify affected individuals in the most expedient time possible and without unreasonable delay, consistent with any law enforcement investigation needs. If a breach affects more than 500 New York residents, Stone AI will also notify the New York Attorney General within 10 business days.

5. How We Use Your Data

• To provide the AI chat service and generate responses to your messages
• To enforce usage limits based on your subscription tier
• To process payments and manage your subscription
• To display your forum posts and replies to other users
• To allow AI agents to remember your preferences (agent memory)
• To improve the Service (aggregated, anonymized usage statistics only)
• To respond to your support inquiries and feedback
• To personalize your experience, including the display of contextually relevant content and advertisements on ad-supported tiers
• To generate anonymized, aggregated interest segments based on usage patterns for service optimization and advertising relevance

6. Advertising and Sponsored Content

Stone AI offers both ad-supported and ad-free subscription tiers. On ad-supported tiers (including the Free tier), the Service may display contextual advertisements and sponsored content. These ads are selected based on anonymized interest categories derived from your usage of the Service, such as conversation topics, agent categories used, and general engagement patterns.

We do not sell personally identifiable information (PII) to advertisers. Advertising partners may receive anonymized, aggregated audience segment data to deliver relevant ads. Paid subscription tiers receive an ad-free experience. By using the Service, you consent to the display of advertisements on ad-supported tiers as described in this policy.

We may use third-party advertising services (such as Google AdSense) to serve ads. These services may use cookies and similar technologies as described in their own privacy policies.

7. What We Do NOT Do

• We do NOT sell your personally identifiable information to third parties
• We do NOT use your conversations to train AI models
• We do NOT share your conversation content with advertisers
• We do NOT track you across other websites
• We do NOT store your payment card details (Stripe handles this)

8. AI Companion (Bestie) Data

AI Bestie companions store personalization data to improve your experience. This includes:

• Personality configuration (traits, communication style, expertise areas) — stored as structured JSON
• Conversation memories — AI-generated summaries extracted from your conversations to enable continuity across sessions
• Conversation history — full message logs stored the same way as standard chat conversations

HIPAA Exclusion: Stone AI is NOT a "covered entity" or "business associate" as defined under the Health Insurance Portability and Accountability Act (HIPAA). AI Bestie conversations are NOT protected health information (PHI). We do NOT provide healthcare services, medical treatment, therapy, counseling, or any form of clinical care. Do NOT share sensitive health information, medical records, diagnoses, treatment plans, or prescription details in Bestie conversations. Stone AI assumes no responsibility for the confidentiality of health-related information voluntarily shared in conversations beyond the protections described in this Privacy Policy.

Bestie Memory Accuracy: Bestie memories are AI-generated and may contain inaccuracies or misinterpretations. They do not constitute a factual record of your conversations. You may delete Bestie memory data at any time through your account Settings or by deleting the Bestie profile.

9. Third-Party Services

We use the following third-party services:

• Clerk — authentication and user management
• Stripe — payment processing and subscription billing
• Anthropic — cloud AI inference (Smart mode only, Smart and Pro tiers)
• Google AdSense — contextual advertising on ad-supported tiers
• Vercel — web application hosting and serverless functions (processes all HTTP traffic)
• Neon — managed PostgreSQL database hosting (stores all user data)
• Cloudflare — DNS, CDN, DDoS protection, and SSL/TLS termination (processes all network traffic)

Each service has its own privacy policy. We recommend reviewing them.

10. Data Retention

Conversation data is retained as long as your account is active. You can delete individual conversations at any time. Forum posts remain visible unless deleted by you or a moderator. Upon account deletion, all your data (conversations, agent memories, forum posts, usage records) is permanently deleted within 30 days.

11. Your Rights

You have the right to:

• Access your data (available in Settings and through conversation export)
• Delete your conversations at any time
• Delete your account and all associated data
• Export your conversation data (Plus plan and above)
• Opt out of Smart mode to keep all data local
• Request a copy of all data we hold about you

12. Cookies and Tracking Technologies

We use essential cookies required for authentication and session management (provided by Clerk). On ad-supported tiers, third-party advertising services may set additional cookies to deliver relevant advertisements and measure ad performance. These cookies help ensure you see content that is relevant to your interests. For details on third-party cookies, please refer to the respective privacy policies of our advertising partners.

13. Children's Privacy

Stone AI is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it promptly.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to request disclosure of the categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared. You may also request deletion of your personal information and opt out of the sale or sharing of personal information. We will respond to verified requests within 45 days.

Do Not Sell or Share My Personal Information: Stone AI uses contextual advertising on ad-supported tiers via Google AdSense, which may constitute "sharing" of personal information under the CCPA/CPRA. You have the right to opt out. To exercise this right, visit the Privacy Choices section in your account Settings, use the "Do Not Sell or Share My Personal Information" link in our site footer, or contact us at [email protected].

Categories of Personal Information Collected:

• Identifiers: Email address, name, Clerk user ID, Stripe customer ID
• Commercial information: Subscription tier, payment history, purchase records
• Internet or electronic network activity: Usage data, message counts, token usage, feature usage statistics, conversation metadata
• Inferences: Anonymized interest segments derived from usage patterns for advertising relevance

Purposes of Collection: To provide and improve the Service, process payments, enforce usage limits, personalize your experience, display contextual advertisements on ad-supported tiers, respond to support inquiries, and comply with legal obligations.

15. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

Legal Basis for Processing: We process your personal data on the following legal bases: (a) Contract performance — to provide the Service you subscribed to; (b) Legitimate interests — to improve our Service, prevent fraud, and ensure security; (c) Consent — for optional features such as marketing communications and non-essential cookies; (d) Legal obligation — to comply with applicable laws.

Your Rights Under GDPR: In addition to the rights listed in Section 11, you have the right to: lodge a complaint with your local data protection authority (supervisory authority); request data portability (receive your data in a structured, commonly used, machine-readable format); restrict processing of your personal data; and object to processing based on legitimate interests.

International Data Transfers: Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our data transfer mechanism to ensure adequate protection of your data in accordance with GDPR Article 46.

Data Controller: Stone AI, 4879 State Hwy 30, #183, Amsterdam, NY 12010, USA. For GDPR inquiries, contact [email protected].

16. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The "last updated" date at the top of this page indicates when the policy was last revised.

17. Contact

For privacy-related questions or data requests, contact us at [email protected] or [email protected].

Stone AI, 4879 State Hwy 30, #183, Amsterdam, NY 12010.