Privacy Policy
This Privacy Policy explains how Stetos.co handles personal data across the marketing site, account and billing flows, AI agent creation tools, shared and embedded session experiences, analytics features, and related support operations.
1. Overview
Stetos.co provides software for creating and operating AI agents. Depending on how the product is configured, we may process account information, billing records, knowledge uploads, session data, analytics outputs, and technical telemetry.
2. Our role
For account creation, billing, workspace administration, abuse prevention, and support operations, Stetos.co generally acts as a controller. For respondent or participant data collected through customer-configured agents, widgets, share pages, or session flows, Stetos.co generally acts as a processor or service provider on behalf of the customer.
3. Categories of data we process
- Account data: name, email address, login records, workspace profile information, and onboarding inputs.
- Billing data: subscription status, invoices, plan metadata, and billing contact details. Payment card data is handled by Stripe.
- Configuration data: agent settings, templates used, prompts, behavioral notes, metrics configuration, rewards/actions, and widget settings.
- Knowledge data: uploaded or pasted source material, source summaries, and assignment metadata used to compile agent context.
- Session data: chat messages, voice recordings where enabled, transcripts, derived metrics, summaries, insights, snapshots, and workflow outcomes.
- Metadata supplied by customers: identifiers or context passed through widgets, URLs, or other integrations.
- Technical and security data: IP address, browser/device information, logs, diagnostics, and abuse prevention signals.
4. How we use data
- provide, host, and secure the Service
- authenticate users and manage workspaces
- generate transcripts, summaries, metrics, and analytics outputs
- support quick create, template matching, knowledge compilation, and post-session automation features
- process subscriptions, invoices, and plan enforcement
- monitor performance, investigate incidents, and prevent abuse
- communicate product, support, legal, and account updates
5. Sharing and subprocessors
We do not sell personal data. We share data with service providers only as needed to operate, secure, and improve the Service or to comply with legal obligations. Core providers may include infrastructure, authentication, analytics, model, communications, and payments vendors such as:
- Supabase for database, authentication, storage, and access control
- OpenAI and other model providers we enable in product workflows for language and AI processing
- voice orchestration or telephony providers for voice session delivery where enabled
- Stripe for billing and payments
- PostHog or comparable telemetry tools for product analytics and operational insight
- Cloudflare Turnstile or similar abuse-prevention services for bot and risk controls
6. Public links, embeds, and customer-controlled collection
Customers may publish public share pages, install embedded widgets, and pass custom metadata into session flows. Customers remain responsible for configuring those surfaces lawfully, including respondent notices, consent language, and lawful basis where required.
7. International processing
Data may be processed in countries other than your own, including the United States and other regions where our providers operate. We use contractual, technical, and operational safeguards appropriate to the applicable legal framework.
8. Retention
We retain data only for as long as reasonably necessary to provide the Service, meet contractual commitments, comply with legal obligations, resolve disputes, and protect platform integrity. Retention may vary by data type, plan configuration, and whether a workspace remains active.
- account and billing records may be retained for audit, legal, and tax purposes
- session data and analytics outputs may be retained according to configured product retention behavior
- security, operational, and abuse-prevention logs may be retained for platform protection and incident response
9. Security
We use administrative, technical, and organizational measures designed to protect personal data, including encryption in transit, managed infrastructure controls, authentication safeguards, and application-level access controls. No system is perfectly secure, so we continuously review and improve our protections.
10. Your rights and choices
Depending on your jurisdiction, you may have rights to access, correction, deletion, restriction, portability, or objection. Users in Mexico may also have ARCO rights. Customers who need to make a privacy request can contact us and we will evaluate it in light of our legal role and applicable requirements.
11. Children
The Service is not intended for children under the age required by applicable law. If you believe personal data from a child has been processed without appropriate authorization, contact us so we can review and respond.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The version and date above identify the current effective text. Material changes may be communicated through product notices, website updates, or account messaging as appropriate.
13. Contact
Questions or privacy requests can be sent to privacy@stetos.co.