Privacy Policy

1. Introduction

This Privacy Policy describes how Stashit LLC ("we," "us," or "our") handles information in connection with our self-hosted file organization software ("Software"). Because Stashit Self-Hosted runs entirely on your own infrastructure, our approach to privacy is fundamentally different from cloud-based services.

Our Business Information:
Stashit LLC
7901 4th St N, STE 300
St. Petersburg, Florida 33702
United States
Email: support@stashit.app

2. Key Privacy Principle

Your data stays on your servers. Stashit Self-Hosted is designed with privacy by design - your files, documents, emails, and personal information never leave your infrastructure and are never transmitted to our servers.

3. Information We Do NOT Collect

Unlike cloud-based services, we do not collect, store, or have access to:

• Your files, documents, or any content you store in the Software
• Your email content or metadata when using IMAP integration
• Personal information about your usage patterns
• Analytics or tracking data from your self-hosted instance
• Database contents or user account information
• Search queries or file organization patterns

4. Information We Do Collect

We only collect minimal information necessary for license management and support:

4.1 License Information (via Keygen)

• License key and activation status
• Hardware fingerprint for license binding (anonymized system identifiers)
• Installation timestamp and version information
• License validation requests (frequency determined by Keygen service)

4.2 Website and Marketing Information

• Standard web server logs via Hetzner VPS hosting (IP address, browser type, pages visited)
• Website analytics via self-hosted Plausible (privacy-focused, anonymized)
• Email addresses collected via Waitlist when you join our product waitlist
• Email addresses collected via EmailOctopus when you subscribe to our newsletter
• Payment information processed by Paddle (as Merchant of Record)

4.3 Support Communications

• Support tickets via our self-hosted FreeScout system
• Email correspondence when you contact support@stashit.app
• Technical information you voluntarily provide for troubleshooting

4.4 Content Delivery

• CDN access logs via Bunny CDN for website assets and downloads
• Download information when accessing software updates via GitHub Container Registry

5. How We Use Information

The limited information we collect is used only for:

• License validation and preventing software piracy
• Providing technical support and troubleshooting assistance
• Communicating with waitlist subscribers about product availability (Waitlist)
• Sending newsletters, product updates, and important announcements (EmailOctopus)
• Sending marketing communications where you have given prior consent
• Performing anonymized analytics and ensuring website security
• Improving our website and documentation based on usage patterns

6. Information Sharing and Third-Party Services

We do not sell, trade, or share your information with third parties, except as described below:

6.1 Service Providers We Use

• Keygen - License management and validation
  Place of processing: United States
• Waitlist (getwaitlist.com) - Waitlist management for product launch
  Place of processing: United States
• EmailOctopus - Newsletter and product update emails
  Place of processing: United Kingdom
  Compliance: All marketing emails include unsubscribe links and our physical address. Unsubscribe requests are honored within 10 business days (CAN-SPAM) or 10 days (CASL).
• Paddle - Payment processing (Merchant of Record)
  Place of processing: United Kingdom, United States
  Security: Paddle stores and processes all payment card data in their PCI-DSS Level 1 certified environment. Stashit never receives or stores credit card details.
• Hetzner - Website hosting and server infrastructure
  Place of processing: United States, Germany, Finland
• Bunny CDN (BunnyWay d.o.o.) - Content delivery for website assets
  Place of processing: Slovenia (global CDN network)
• Plausible - Self-hosted, privacy-focused website analytics
  Place of processing: Germany (hosted on our Hetzner infrastructure)
• FreeScout - Self-hosted support ticket system
  Place of processing: United States (hosted on our Hetzner infrastructure)
• Mailgun (Mailgun Technologies, Inc.) - Email relay service for support communications
  Place of processing: United States, Germany

6.2 International Data Transfers

When we transfer personal data from the European Economic Area (EEA) or United Kingdom to the United States or other countries, we ensure appropriate safeguards are in place:

• EU-U.S. Data Privacy Framework - Our U.S.-based processors (Keygen, Paddle) maintain DPF certification where applicable
• Standard Contractual Clauses - We use European Commission-approved SCCs for transfers to processors not covered by DPF
• Data Processing Agreements - Available upon request for enterprise customers at dpa@stashit.app

6.3 Required Disclosures

• When required by law or legal process
• To protect our rights, property, or safety
• In connection with a business merger or acquisition (with prior notice)

7. Data Security

We implement appropriate security measures to protect the limited information we collect:

• Encrypted data transmission (HTTPS/TLS)
• Secure database storage with access controls
• Regular security updates and monitoring
• Limited employee access on a need-to-know basis

Breach Notification: In the event of a data breach, we will notify affected individuals and applicable regulators within the timeframes required by law (e.g., within 30 days under Florida Statute 501.171, without undue delay under GDPR Article 33).

8. Your Data in the Software

For data stored within your self-hosted Stashit instance:

• You are the data controller - you decide how your data is handled
• Local storage only - all files remain on your infrastructure
• Your security responsibility - implement appropriate backups and security measures
• No external transmission - the Software does not send your content to external servers

9. Email Integration (IMAP/SMTP)

Our self-hosted software supports integration with your own email providers:

• Your Email Providers - You configure your own IMAP and SMTP services (Gmail, Outlook, etc.)
• Local Storage Only - Email credentials are encrypted at rest using AES-256 encryption and stored locally on your server only
• Email content is downloaded directly to your infrastructure
• We never have access to your email accounts or content
• All email processing happens locally within the Software
• Your Responsibility - You are responsible for compliance with your email provider's terms

10. Data Retention Periods

We retain different types of information for the following periods:

• License Information - Retained for the life of the license plus 7 years for tax and legal compliance
• Support Communications - Retained for 3 years to provide consistent support and track issues. You may request earlier deletion by contacting support@stashit.app
• Waitlist Information (Waitlist) - Retained until product launch + 1 year or until you request removal
• Newsletter Subscriptions (EmailOctopus) - Retained until you unsubscribe
• Website Logs - Retained for 90 days for security and performance monitoring
• Payment Records - Handled by Paddle according to their retention policies and tax requirements

11. Cookies and Tracking

Our website uses minimal cookies:

• Essential cookies for website functionality
• One anonymized first-party cookie for Plausible analytics (does not track individuals)
• No advertising or third-party tracking cookies
• Session cookies for support portal access

Cookie Notice: We use only essential cookies and one anonymized analytics cookie that respects your privacy. By continuing to use our website, you accept these minimal cookies. No personal data is collected through cookies. Because we set only essential and anonymized first-party cookies, we do not display a cookie-consent banner; none of our cookies require opt-in under ePrivacy/PECR regulations.

12. Legal Basis for Processing

We process personal information only when we have a valid legal basis. The legal basis for our data processing includes:

• Contractual Necessity - Processing required to fulfill our license agreement and provide software support
• Legitimate Business Interests - License validation, fraud prevention, and business operations
• Legal Compliance - Meeting tax, accounting, and regulatory requirements
• Consent - For marketing communications and optional services where you have explicitly agreed

We are always available to clarify which legal basis applies to specific data processing activities.

13. International Users and GDPR Rights

Stashit Self-Hosted is designed to comply with global privacy regulations including the General Data Protection Regulation (GDPR).

13.1 Your Privacy Rights

You have the following rights regarding your personal information:

• Access Right - Request information about what personal data we hold about you
• Correction Right - Request correction of inaccurate or incomplete information
• Deletion Right - Request deletion of your personal information (subject to legal retention requirements)
• Restriction Right - Request limitation of how we process your information
• Data Portability - Receive your data in a structured, machine-readable format
• Objection Right - Object to processing based on legitimate interests or for marketing purposes
• Consent Withdrawal - Withdraw previously given consent at any time
• Complaint Right - Lodge a complaint with your local data protection authority

13.2 Exercising Your Rights

To exercise these rights, contact us at support@stashit.app. We will respond within 30 days and verify your identity before processing requests. These requests are free of charge unless they are excessive or repetitive. EU/UK users may also lodge an internal appeal via appeals@stashit.app before contacting their supervisory authority.

13.3 Data Residency

Because our software is self-hosted, your content data remains in your chosen location and jurisdiction, giving you complete control over data residency requirements.

13.4 EU Representative and DPO Assessment

Given our limited, occasional processing of EU personal data, Articles 27 & 37 GDPR representatives/officers are not currently required. We review this assessment annually as our business grows.

14. U.S. State Privacy Rights

Residents of California, Colorado, Connecticut, Utah, Virginia, Iowa, Minnesota, Tennessee, Maryland, and Oregon have additional privacy rights under state law. We apply these rights to all U.S. residents.

14.1 Your State Privacy Rights

• Right to Know/Access - Request information about personal data we collect, use, disclose, or sell
• Right to Delete - Request deletion of your personal information (subject to exceptions)
• Right to Correct - Request correction of inaccurate personal information
• Right to Data Portability - Receive your data in a portable format
• Right to Opt-Out of Sale or Sharing - We do not sell or share personal information for cross-context behavioral advertising
• Right to Opt-Out of Targeted Advertising - We do not engage in targeted advertising
• Right to Limit Use of Sensitive Personal Information - We do not collect sensitive personal information as defined by CPRA
• Right to Non-Discrimination - We will not discriminate against you for exercising your rights

14.2 How to Exercise Your Rights

To exercise these rights, contact us through any of these methods:

• Email: support@stashit.app
• Mail: Stashit LLC, 7901 4th St N, STE 300, St. Petersburg, FL 33702

We will respond within 45 days (or 15 business days for opt-out requests). If you are dissatisfied with our response, you may appeal by emailing appeals@stashit.app within 60 days.

14.3 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization and verify their identity.

14.4 Global Privacy Control

We honor Global Privacy Control (GPC) and similar privacy preference signals as valid requests to opt-out of sale/sharing where required by law.

14.5 Florida Digital Bill of Rights

As a Florida-based company, we note that Stashit's revenue and business model are below FDBR thresholds. Nevertheless, we honor comparable consumer rights for all U.S. residents.

15. System Logs and Technical Data

For operational and maintenance purposes, we may collect technical information including:

• Website Access Logs - Standard web server logs including IP addresses, browser information, and page requests
• Error Logs - Technical error information to diagnose and resolve software issues
• License Validation Logs - Records of license check requests for anti-piracy purposes

This technical data is used solely for system operation, security monitoring, and troubleshooting. It is retained for the minimum time necessary and automatically purged according to our retention schedule.

16. Legal Proceedings

We may use or disclose personal information when required by law or when we believe in good faith that such action is necessary to:

• Comply with legal obligations or court orders
• Protect and defend our rights and property
• Prevent fraud or investigate suspected illegal activities
• Protect the safety of our users or the public
• Respond to government or regulatory requests

We will make reasonable efforts to notify affected users of such requests unless prohibited by law or court order.

17. Children's Privacy

Our Software and services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

18. Updates to This Policy

We may update this Privacy Policy from time to time. We will:

• Post updated policies on our website
• Notify users of material changes via email
• Maintain previous versions for reference

19. Governing Law

This Privacy Policy is governed by the laws of the State of Florida and the United States of America. Any disputes related to privacy or data protection will be resolved in the state or federal courts located in Florida.

20. Contact Information

For questions about this Privacy Policy or to exercise your rights, contact us at:

Stashit LLC
7901 4th St N, STE 300
St. Petersburg, Florida 33702
United States

Email: support@stashit.app
Website: https://www.stashit.app

For GDPR-related requests: support@stashit.app

For general support: support@stashit.app

21. Definitions

21.1 Key Terms

• Personal Data - Any information relating to an identified or identifiable individual
• Processing - Any operation performed on personal data, including collection, storage, use, or deletion
• Data Controller - Stashit LLC, the entity that determines the purposes and means of processing personal data
• Data Subject - The individual to whom personal data relates
• Software - Stashit Self-Hosted file organization system
• User - Any individual using our Software or services
• Sensitive Personal Information - As defined by CPRA, includes government identifiers, financial account information, precise geolocation, racial/ethnic origin, health information, and other categories. We do not collect sensitive personal information.

21.2 Technical Terms

• Cookies - Small data files stored on your device by websites you visit
• Usage Data - Information automatically collected about how our Software or website is used
• Self-Hosted - Software that runs on your own infrastructure rather than our servers
• License Key - Unique identifier that validates your right to use the Software

22. Accessibility

This privacy policy is available in alternative formats to ensure accessibility for all users. Please contact us at accessibility@stashit.app to request this policy in large-print PDF, screen-reader optimized HTML, or other accessible formats.

23. Conclusion

Stashit Self-Hosted is built with privacy as a core principle. By keeping your data on your own infrastructure, we ensure that you maintain complete control over your information while still providing powerful file organization capabilities.