Privacy Policy
Effective Date: May 20, 2026
Stiward Holdings Inc. ("Stiward," "we," "us," or "our") operates an agentic operating system for one human being — a personal-management platform that, with your permission, connects to your bank, card, and brokerage accounts, your calendar, and your email inboxes (and, over time, additional sources you opt into) so that the assistant inside it ("Alfred") can help you manage money, time, and inbox in one place. This Privacy Policy explains how we handle your information when you create an account, connect data sources, use Alfred, or otherwise interact with Stiward at stiward.com and our mobile applications (collectively, the "Services").
The data Stiward touches is unusually sensitive — your transactions, your meetings, the people you talk to, what they wrote you, what you have not replied to. We treat it that way. The commitments below are deliberately strict: we do not sell your data, we do not share it with advertisers, we do not use it to train machine-learning models, and we do not allow humans to read your connected-account data except in the narrow circumstances described in Section 4.
By accessing the Services, you confirm that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Services.
1. Information We Collect
1.1 Information You Provide When You Sign Up
When you create a Stiward account you provide:
- Identity and contact details: name, email address, and (optionally) a profile photo. Authentication is handled by Firebase Authentication; we receive the verified email and a stable Firebase user identifier.
- Preferences: time zone, briefing channel (email, push, or both), preferred briefing time, AI model preference (Claude or OpenAI), and daily token-budget settings.
1.2 Information We Collect via Connected Accounts ("Connector Data")
You explicitly connect each data source on the /connectors page. Once connected, we periodically sync data from that source so the platform can show it back to you and so Alfred can answer questions about it. The current sources are:
- Plaid (bank accounts and credit cards). When you complete Plaid Link, we receive an access token and item identifier, and we sync your accounts (name, type, mask, balances), transactions (date, amount, merchant, category, payment channel), and liabilities (statement balances, due dates) covering up to the maximum history Plaid provides for the institution (typically 24 months). We do not receive online-banking usernames or passwords; Plaid holds those.
- Google Calendar. When you complete the Google consent flow we receive a refresh token and access token. We sync your calendar events (title, time, location, attendees, description, conferencing link) from the calendars you grant access to. We currently use the read-only Calendar scopes.
- Gmail. When you complete the Google consent flow we receive a refresh token and access token. We sync your email threads and messages (headers — sender, recipients, subject, date; the message body in text/plain and text/HTML; attachment counts but not attachment binaries) from up to three Gmail mailboxes per Stiward account that you explicitly grant access to. We use `gmail.readonly` to read and `gmail.modify` solely to create drafts in your Gmail Drafts folder for you to review and send. We never send mail on your behalf. The Stiward codebase contains no `users.messages.send` code path.
Additional Connectors — for example health rings, workouts, journal, goals, news, investments, tax, travel, and memberships — may be added over time. Each new Connector is opt-in: you authorize it through that source's own consent flow before any data is synced, this Privacy Policy and the Subprocessors list are updated before the new Connector becomes available to you, and the Connector can be revoked at any time on the schedule described in Section 5.
1.3 Information We Generate About You
To make the platform useful we derive a second layer of information from your raw connector data:
- Categorization and tagging of transactions, threads, and events (e.g., "needs reply," "VIP," "unusual spend").
- Briefings and insights: the morning briefing, weekly summary, and ad-hoc anomaly alerts Alfred produces. These are stored in your account so you can re-read them.
- Agent events: discrete signals Alfred watches for (e.g., `large_transaction`, `calendar_conflict`, `vip_email_silent_too_long`). These are AI memory, not raw audit logs.
- Conversation history: messages you exchange with Alfred, the tools Alfred invoked, and the responses returned.
- Intents: proposed write actions (e.g., draft a reply, label a thread) that require your approval before execution.
1.4 Information We Collect Automatically
When you use the Services we automatically collect:
- Device information: IP address, browser type and version, operating system, device identifiers, and language settings.
- Usage information: pages visited, features used, session duration, and aggregated interactions with the Platform.
- Authentication information: Firebase ID tokens (short-lived) and, if you opt in, biometric identifiers used by your device locally for sign-in (these never leave your device).
- Server logs: error reports and performance data used to diagnose issues. Logs never contain decrypted tokens, decrypted email content, or full account numbers.
1.5 Information from Third Parties
We may receive limited information about you from:
- Plaid — the verified institution identity, account masks, and the connection-status webhook stream tied to your linked items.
- Google — the verified `sub` (Google user id) and `email` claims from the OAuth `id_token`, plus the webhook / Pub/Sub change notifications for Calendar and Gmail.
- Firebase Authentication — the verified identity provider, email-verification status, and MFA status reported by Google's Identity Platform.
1.6 Sensitive Information
By its nature, Connector Data may include financial transactions, calendar meetings, and email correspondence that are sensitive to you. You decide which sources to connect and which accounts to grant. You may disconnect any source at any time from /connectors, which immediately stops syncing and triggers the deletion described in Section 5.
2. How We Use Your Information
We use your information for the following purposes:
- Provide the Services. Operate the dashboards (`/money`, `/calendar`, `/inbox`), run Alfred chat, generate daily and weekly briefings, fire anomaly alerts, and let you triage and draft replies to email.
- Connect and sync your accounts. Refresh OAuth and Plaid tokens, run incremental syncs on webhook delivery, and back-fill data where the source supports it.
- Communicate with you. Send the briefings and anomaly alerts you have configured, plus service-related messages (security notices, billing, OAuth-grant expiry warnings).
- Improve the Services. Diagnose errors, monitor performance, and refine features based on aggregated, de-identified usage signals. We do not use Connector Data, Alfred conversations, or any user content to train machine-learning models.
- Security and abuse prevention. Detect and respond to fraud, unauthorized access, and conduct that violates our Terms of Service.
- Legal compliance. Comply with applicable laws, regulations, and lawful requests.
We will never use your information for cross-context behavioral advertising or for targeting by third parties.
3. How We Share Your Information
We share your information only as described below.
- With service providers (subprocessors). We share information with vendors who help us run the Services, under contracts that require them to protect your information and use it only for our purposes. The current roster lives in `Subprocessors.md` (Section 11 below summarizes it) and at <https://stiward.com/legal/subprocessors>.
- With AI providers, under zero-retention enterprise terms. When you use Alfred or receive a generated briefing, the relevant portion of your data is sent to Anthropic and/or OpenAI for inference under enterprise agreements that contractually require zero retention of inputs/outputs and no training on your data. See Section 4 for the full Limited Use commitment.
- For legal reasons. We may disclose information when required by law, regulation, legal process, or governmental request, and to protect the rights, property, or safety of Stiward, you, or others.
- With your explicit consent, for purposes you have specifically agreed to.
- In a business transfer. If Stiward is involved in a merger, acquisition, financing, or sale of assets, your information may transfer as part of that transaction. We will notify you in advance and your information will continue to be protected by this Privacy Policy or an equivalent successor.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not provide your personal information to advertisers, data brokers, or third-party targeting platforms.
4. Limited Use Commitments for Google Workspace APIs
Stiward's use of information received from Google APIs (Gmail and Google Calendar) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Only to provide user-facing features. Data accessed via Gmail and Calendar APIs is used only to provide and improve the features described in this Privacy Policy: inbox triage, calendar overview, draft replies, briefings, and the AI assistant ("Alfred"). It is not used for any unrelated purpose.
- No transfer for unrelated purposes. We do not transfer Gmail or Calendar data to third parties except (a) as necessary to provide or improve the features above, (b) to comply with applicable law, (c) as part of a merger, acquisition, or sale of assets with appropriate notice to you, or (d) with your affirmative consent.
- No advertising. We do not use Gmail or Calendar data for advertising purposes, including but not limited to serving, retargeting, personalizing, or ranking advertisements.
- No human reading. We do not allow humans to read your Gmail or Calendar data unless (a) we have obtained your affirmative consent, (b) it is necessary for security purposes (such as investigating abuse or a bug you have reported), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized so it cannot be linked back to you. Access requests from Stiward personnel are logged in our audit-trail system.
- No model training. We do not use Gmail or Calendar data to develop, improve, or train generalized or non-personalized AI/ML models. Our AI subprocessors (Anthropic and OpenAI) operate under enterprise agreements that contractually require zero retention of inputs and outputs and prohibit training on customer data.
The same Limited Use commitments apply to Plaid financial data and to any other Connector Data we hold on your behalf, by our own choice.
5. Data Retention and Deletion
We retain your information for as long as your account is active and as needed to provide the Services. The retention windows below apply per data class.
| Data class | Retention while account is active | After account closure or disconnection |
|---|---|---|
| Account profile, preferences | For account lifetime | Deleted within thirty (30) days |
| Encrypted OAuth tokens (Plaid, Google) | Until you revoke the connector | Wiped at revocation; the installation is marked `revoked` and a credentials-audit row is appended |
| Plaid accounts + transactions | Lifetime of connector | Soft-deleted at revocation; hard-deleted within thirty (30) days |
| Calendar events | Lifetime of connector | Soft-deleted at revocation; hard-deleted within thirty (30) days |
| Email threads, messages, drafts metadata | Lifetime of connector | Soft-deleted at revocation; hard-deleted within thirty (30) days |
| Alfred conversation history, briefings, insights | For account lifetime | Deleted within thirty (30) days |
| Agent events, intents | For account lifetime | Deleted within thirty (30) days |
| Backups | Rolling 30-day window | Backup copies age out within ninety (90) days of original deletion |
| Aggregated, de-identified analytics | Indefinitely (cannot be linked back to you) | — |
| Audit logs (security and compliance) | Up to seven (7) years where required by law | Retained per law; never used for other purposes |
You may request earlier deletion at any time by emailing privacy@stiward.com or by deleting your account in /settings → Account.
6. Data Security
We protect your information using technical and organizational measures appropriate to its sensitivity, including:
- Encryption in transit using TLS 1.3 (or, where 1.3 is not supported by the requesting client, TLS 1.2).
- Encryption at rest using AES-256-GCM for all sensitive data, including every OAuth token, Plaid item, and webhook payload. Master keys are managed by Google Cloud Secret Manager and are rotated; ciphertext is versioned so rotation does not require a full re-encryption pass.
- Token isolation. OAuth tokens are decrypted only at point of use and never written to logs or analytics pipelines. The credential-storage helper (`services/connectors/shared/credentials.ts` in our source tree) is the single audited code path that reads or writes tokens.
- Multi-tenant discipline from day one. Every domain table has a `user_id` column with composite indexing, and every database query in router code goes through a scoped database helper that auto-applies a `WHERE user_id = ...` filter. A CI lint test fails any pull request that imports the raw database client in a router file.
- Access controls including role-based access, the principle of least privilege, multi-factor authentication for administrative access (provided by Firebase Identity Platform), and automated session timeout.
- Audit logging of access to user data. Every authenticated request and every administrative action writes an immutable row to `audit_logs`, also exportable to Google Cloud Logging.
- Webhook idempotency. Inbound webhook deliveries from Plaid and Google are deduplicated against a `webhook_deliveries` table so retries never produce duplicate data or duplicate actions.
- Regular vulnerability scanning and penetration testing of the Platform.
- Secure software development practices and protections against the OWASP Top 10.
- Vendor risk management. Every subprocessor in Section 11 is contractually bound to protect your information.
- Independent security review. We plan to commission a Cloud Application Security Assessment (CASA) Tier 2 prior to opening Stiward to external users beyond initial testing, and to pursue SOC 2 Type II attestation thereafter.
No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you and applicable regulators consistent with applicable law.
7. International Users and Data Transfers
Stiward Holdings Inc. is incorporated in Delaware, and our primary infrastructure is hosted on Google Cloud Platform in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and may also be processed by our AI subprocessors in the United States.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) or another lawful transfer mechanism. We perform transfer impact assessments where required.
8. Your Rights and Choices
Depending on your location, you may have the rights described below. We will respond to verified requests within the timeframes required by applicable law.
8.1 Rights Available to All Users
- Access: request a copy of the personal information we hold about you, including a structured export of your Connector Data.
- Correction: ask us to correct information that is inaccurate or incomplete (you can also edit your own profile and preferences in `/settings`).
- Deletion: ask us to delete your information, subject to the limited exceptions described in Section 5.
- Portability: request a copy of your information in a structured, machine-readable format (JSON).
- Disconnect a source: revoke any connector at any time from `/connectors`; we stop syncing immediately and proceed with deletion per Section 5.
- Opt out of non-essential communications: turn off briefings, push notifications, or marketing emails in `/settings → Notifications`. Service-related communications (e.g., security notices, billing) cannot be opted out of while your account is active.
8.2 Additional Rights for EEA, UK, and Swiss Residents
If you are located in the EEA, the United Kingdom, or Switzerland, you also have the right to:
- object to or restrict our processing of your personal data;
- withdraw consent at any time where we rely on your consent;
- lodge a complaint with your local supervisory authority.
We process your personal data on the following legal bases under the GDPR / UK GDPR:
- Contract — to provide the Services that you have requested.
- Legitimate interests — to operate, secure, and improve the platform and to prevent abuse. We have balanced these interests against your rights.
- Legal obligation — to comply with applicable law.
- Consent — where we ask for it (e.g., optional marketing communications, optional AI features that send your Connector Data to AI subprocessors).
8.3 Additional Rights for California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know, delete, and correct your personal information; to opt out of "sale" or "sharing" of personal information; and to non-discrimination for exercising these rights.
We confirm: we do not sell or share personal information in the senses defined by the CCPA/CPRA. We do not engage in cross-context behavioral advertising.
8.4 Exercising Your Rights
To exercise any of these rights, contact privacy@stiward.com. We may need to verify your identity before responding. You may also designate an authorized agent to act on your behalf, subject to verification.
9. Children's Privacy
The Services are not intended for, or directed to, individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have, we will delete it. If you believe a child has provided information to us, please contact privacy@stiward.com.
10. Third-Party Links and Services
The Platform may link to or integrate with third-party sites or services (for example, the institution-selection screens that Plaid renders, or a "View in Gmail" link). This Privacy Policy does not apply to those services, and we are not responsible for their practices. Review their privacy policies before using them.
11. Subprocessors
We rely on the subprocessors below to provide the Services. Each is contractually bound to protect your information. The authoritative list, including the data classes shared with each subprocessor and the legal mechanism for any international transfer, lives in Subprocessors.md in our public legal repository and at <https://stiward.com/legal/subprocessors>.
| Subprocessor | Location | Purpose |
|---|---|---|
| Google Cloud Platform | United States | Cloud infrastructure (Cloud Run, Cloud SQL/Postgres, Cloud Tasks, Cloud Scheduler), Secret Manager, Cloud Logging |
| Firebase (Google) | United States | User authentication and identity, including MFA via Identity Platform |
| Anthropic | United States | AI inference (Claude) under zero-retention enterprise terms |
| OpenAI | United States | AI inference (GPT) under zero-retention enterprise terms; only when explicitly enabled |
| Plaid | United States | Financial-account connectivity, transactions, balances, liabilities |
| Google APIs (Calendar, Gmail) | United States | Calendar event sync and Gmail message + draft sync (Limited Use — Section 4) |
| Stripe | United States | Subscription billing for paid Stiward tiers (PAN never held by Stiward) |
| Resend | United States | Transactional email delivery (briefings, alerts, service notices) |
| Vercel | United States | Hosting for `stiward.com` (marketing + waitlist) and the Stiward admin web app |
| Sanity | United States | Headless CMS that serves blog and legal content rendered on `stiward.com` |
| Expo (Application Services) | United States | Push-notification delivery to the mobile app |
| Cloudflare | United States | DNS, CDN, and DDoS protection for `stiward.com` |
| Sentry | United States | Application error tracking (Connector Data excluded from event payloads) |
We may update this list. Material changes are published at <https://stiward.com/legal/subprocessors> and, for institutional partners under a Data Processing Agreement, notified with the lead time required under that agreement.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date above and provide notice through the Platform or by email. Your continued use of the Services after the change becomes effective constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
For privacy questions or requests:
Stiward Holdings Inc.
Privacy: privacy@stiward.com
Legal: legal@stiward.com
Security: security@stiward.com
Website: stiward.com
EEA, UK, and Swiss residents may also contact their local supervisory authority. The lead supervisory authority for our processing of EEA personal data is the Irish Data Protection Commission.