Privacy policy
This policy explains what data Stafff collects, why we collect it, how we use it, who we share it with, and the rights you have over it. Stafff is operated by Stafff Inc. (the 'Company', 'we', 'us').
Draft for the pre-launch period. The published version (signed off by counsel) will replace this before the first paying customer is onboarded. If you need a signed DPA or BAA today, email adminstafffai@gmail.com.
1. Who this policy applies to
This policy applies to anyone interacting with Stafff: visitors to stafff.ai, businesses subscribing to Stafff (the 'Customer'), and people who chat or call with a Customer's Stafff agent (the 'End User').
2. What we collect
We collect three categories of data.
- Account data — the name, email, business details, billing info, and team members of every Customer.
- Conversation data — every chat message, call transcript, optional recording, and metadata (timestamps, channel, status) produced by Customers' Stafff agents.
- Telemetry — IP address, browser, device, and basic page-view analytics for stafff.ai and the Stafff dashboard.
3. How we use it
We use Account data to operate and bill the service. We use Conversation data only to provide the service to the Customer and to improve product reliability — never to train shared models. Telemetry is used for product analytics and abuse prevention.
4. Sub-processors
Stafff uses a short list of vetted sub-processors: Supabase (data storage), Vercel + Railway (hosting), OpenAI and Anthropic (LLM inference), Vapi.ai (voice runtime), Twilio (telephony + SMS), Stripe (billing), Resend (email), Cloudflare (edge + TLS). HIPAA-tier Customers' data is routed only through sub-processors with signed BAAs.
5. Data location
US tenants are stored and processed in US regions. EU tenants are stored and processed in EU regions. We do not transfer EU tenant data outside the EU without an explicit Standard Contractual Clause agreement.
6. Retention
Conversation data is retained for 13 months by default and longer if HIPAA audit retention applies. Customers can set shorter retention windows in their dashboard, or trigger an immediate delete on cancellation.
7. Your rights
If you're a Customer, you have full control of your data via the dashboard — export, delete, transfer. If you're an End User who interacted with a Stafff agent, contact the Customer first; we'll honor any verified deletion request relayed to us at adminstafffai@gmail.com within 30 days.
8. Security
TLS 1.2+ for all data in transit. Encryption at rest via Supabase + cloud KMS. Per-tenant secret encryption via pgsodium. Quarterly dependency CVE review. Annual third-party penetration test post-launch.
9. Cookies
stafff.ai uses a minimal cookie set — strictly necessary cookies for the dashboard session, plus optional analytics. EU visitors see a consent banner.
10. Changes
We post material changes to this policy at least 14 days before they take effect and email all Customer Owners. Continued use after the effective date constitutes acceptance.
Questions? Email adminstafffai@gmail.com.