Privacy Policy

Last updated: April 7, 2026 · Effective: April 7, 2026

1. Who we are

Steady is operated by Verge Labs B.V., a company registered in the Netherlands (KvK registration available on request). You can contact us at privacy@steady.website.

For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, Verge Labs B.V. is the data controller for the personal data described in this policy.

This policy explains what we collect, why, how we use it, who we share it with, and your rights. It applies to steady.website, the Steady web app, the Steady desktop app, and any related services (together, the “Service”).

2. Quick summary

  • We collect what you give us (account, tasks, notes, regulation scores) and basic technical data (IP, device, usage) to run the Service.
  • We use third-party AI providers (Anthropic, DeepSeek via OpenRouter) to power Guardian and other AI features. We never send your name, email, or credentials to them.
  • We do not sell your data. We do not use your data to train AI models.
  • Analytics (PostHog, Google Analytics) only run after you accept cookies. You can opt out.
  • You can export all your data as JSON at any time, and you can delete your account at any time.
  • We are GDPR, UK GDPR, and CCPA/CPRA compliant. If you’re in the EEA, your data stays in the EU where possible.

3. What we collect

Account data you provide: email, password hash (bcrypt, we never see your plain password), name (optional), profile photo (optional), timezone, language, theme preferences, notification preferences, OAuth identifiers if you sign in with Google or GitHub.

Content you create: tasks, projects, notes, documents, brain-dump captures, calendar events, practices, regulation scores, compass directions, goals, focus sessions, Guardian chat history, and any other content you enter.

Usage and technical data: IP address, user agent, browser type, approximate geographic region (country-level, from your IP via Vercel), pages visited, features used, error logs, session timestamps, device identifiers for push notifications.

Subscription and billing data: managed by Stripe. We store your Stripe customer ID, subscription status, plan tier, trial end date, and AI credit usage. We do not store payment card details — Stripe handles those directly.

Cookies and local storage: essential cookies for authentication and session, plus optional analytics cookies (PostHog, Google Analytics) only if you consent. See our cookie disclosure in the cookie banner.

We do NOT collect: special category data under GDPR Article 9 (health records, biometric data, genetic data). Regulation scores (1–10) are self-reported subjective state assessments — they are not medical data and are not used to infer medical conditions.

4. How AI processing works

Steady uses AI features powered by third-party providers. Here’s exactly what happens:

  • When you interact with Guardian (our AI companion), your chat messages and relevant task/project context are sent to OpenRouter, which routes them to Anthropic (Claude) or DeepSeek models.
  • We never send your email, name, password, Stripe customer ID, or any identifying account credentials to AI providers.
  • We send minimal context: task titles, notes you explicitly reference, the current time, your regulation score as an integer (1–10), and your time zone.
  • AI providers do not store your content beyond the duration of the request. They do not use it to train models. These terms are enforced by our agreements with OpenRouter and the underlying model providers.
  • You can review our Data Protection Impact Assessment (DPIA) at /dpia for a full risk analysis.
  • AI features are optional. You can turn Guardian off at any time in Settings. If you never use Guardian, no task content is sent to AI providers.

Important disclaimer: Guardian is a software tool, not a licensed therapist, doctor, or medical professional. AI-generated responses may be inaccurate or inappropriate. Do not rely on Guardian for medical, legal, or crisis advice. If you are in crisis, contact local emergency services or a crisis hotline.

5. Why we process your data (legal bases under GDPR)

Under GDPR Article 6, we process personal data on these legal bases:

  • Contract (Art. 6(1)(b)): to provide the Service you signed up for — account creation, storing your tasks, running features, processing subscriptions.
  • Legitimate interest (Art. 6(1)(f)): security, fraud prevention, service improvement, error logging, rate limiting. We balance these against your rights and keep the scope narrow.
  • Consent (Art. 6(1)(a)): analytics cookies, marketing emails (if applicable), AI feature usage. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests from authorities, keeping records required by Dutch and EU law.

6. Who we share data with

We share personal data only with the following categories of recipients, all bound by contractual and/or legal obligations:

  • Hosting & infrastructure: Vercel Inc. (USA, with EU region for data storage where possible), Neon (serverless Postgres, EU region), Supabase (storage, EU region).
  • Payments: Stripe Inc. (USA) — processes all billing. Stripe is PCI DSS Level 1 certified.
  • Email delivery: Resend Inc. (USA) — for transactional emails (verification, password reset, billing notifications).
  • AI providers: OpenRouter Inc. (USA), Anthropic PBC (USA), DeepSeek (China) — only if you use AI features. See Section 4.
  • Analytics (optional, consent required): PostHog (EU region endpoint: eu.i.posthog.com), Google Analytics 4 (Google LLC, USA).
  • Error monitoring: Sentry (USA) — captures stack traces and error context. We scrub personal data from error reports.
  • Voice services (optional): Deepgram, Azure Speech, Groq — only if you use voice features.
  • Legal requirements: law enforcement or regulators, but only when legally required and narrowly tailored to the request.

We do not sell personal data. We do not share personal data for cross-context behavioral advertising under the CCPA/CPRA definition.

7. International data transfers

Some of our sub-processors are based outside the EEA. When we transfer personal data of EEA, UK, or Swiss users outside these regions, we rely on one of the following safeguards:

  • EU–U.S. Data Privacy Framework for certified US providers (including Vercel, Stripe, Sentry where applicable).
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • UK International Data Transfer Addendum for UK data.
  • For providers without a DPF certification, we perform Transfer Impact Assessments and apply supplementary measures.

Where technically possible we store data in the EU (Neon and Supabase both run in Frankfurt/Dublin regions).

8. How long we keep your data

  • Account data: while your account is active, plus 30 days after deletion request (grace period, recoverable).
  • Tasks, notes, content: until you delete them or your account.
  • Guardian chat history: until you delete it, or automatically after 90 days without any Guardian activity.
  • Billing records: 7 years after last transaction (Dutch tax law requirement).
  • Error logs: 30 days.
  • Rate-limit counters: up to 24 hours.
  • Cookies: session cookies expire when you close the browser; analytics cookies last up to 24 months (if you consent).

9. Your rights under GDPR and UK GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”): delete your account and all personal data. Available in Settings.
  • Data portability: export all your data as a JSON file. Available in Settings.
  • Restriction: limit how we process your data in specific circumstances.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: at any time, for any processing based on consent (e.g., analytics).
  • Automated decision-making: Steady does not make any legally significant decisions about you using automated processing.
  • Lodge a complaint: with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with your local supervisory authority.

To exercise any right, email privacy@steady.website or use the in-app Settings page. We respond within 30 days.

10. Your rights under CCPA/CPRA (California residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the CPRA:

  • Right to know: what personal information we collect, the sources, purposes, and third parties we share it with.
  • Right to delete: request deletion of your personal information.
  • Right to correct: request correction of inaccurate personal information.
  • Right to portability: receive a copy of your personal information in a portable format.
  • Right to opt out of sale or sharing: we do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for secondary purposes.
  • Right to non-discrimination: we will not discriminate against you for exercising these rights.

To exercise these rights, email privacy@steady.website. We may need to verify your identity before responding.

11. Cookies and tracking

We use a minimal cookie set:

  • Essential cookies: spinoza_session (JWT auth), spinoza_refresh (token refresh), spinoza_cookie_consent (remembers your consent choice). These are required and do not need consent under ePrivacy law.
  • Analytics cookies: PostHog and Google Analytics — only set after you click “Accept” on the cookie banner. If you are in the EU, these are blocked by default until you consent.

You can withdraw cookie consent at any time from the Settings page or by clearing your cookies.

12. Security

We use industry-standard measures to protect your data:

  • TLS 1.3 encryption in transit (HSTS enforced with a 2-year max-age).
  • bcrypt password hashing with cost factor 13.
  • Short-lived access tokens with refresh token rotation.
  • Rate limiting on authentication and API endpoints.
  • Content Security Policy (CSP), X-Frame-Options, and other security headers.
  • Optional two-factor authentication (TOTP).
  • Neon point-in-time recovery and encrypted backups.
  • Regular dependency audits and security patching.

In case of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34. See our breach procedure at /breach-procedure.

13. Children

Steady is not intended for children under 16. You must be at least 16 years old to create an account. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@steady.website and we will delete it.

14. Changes to this policy

We may update this policy to reflect changes in our Service, legal requirements, or best practices. The “Last updated” date at the top will reflect the most recent change. For material changes, we will notify you via email or an in-app notice at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact

For privacy questions, data subject requests, or complaints, contact us at:

  • Email: privacy@steady.website
  • Controller: Verge Labs B.V., Netherlands
  • DPO: not required under GDPR Art. 37; privacy matters are handled by the founder directly.

EEA supervisory authority: Autoriteit Persoonsgegevens (Netherlands) — autoriteitpersoonsgegevens.nl.

UK supervisory authority: Information Commissioner’s Office (ICO) — ico.org.uk.