This Privacy Policy explains how Staffless ("we", "us", "our") collects, uses, and protects your personal data when you use staffless.ai and related services ("the Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
Staffless (the service operator) is the data controller for personal data processed through the Service. For any privacy-related inquiries, contact us at support@staffless.ai.
2. What Data We Collect
Account data (provided by you):
- Email address
- Name (if provided)
- Authentication data (managed by Supabase Auth — we do not store passwords directly)
- Billing information (processed and stored by Stripe — we do not store card numbers)
Usage data (collected automatically):
- Token consumption and API usage metrics
- Workspace configuration metadata (agent names, connected integrations, schedule settings)
- Conversation messages between you and your AI agents
- Error logs and service diagnostics
Data we do NOT collect:
- Advertising cookies or third-party ad identifiers
- Raw payment card numbers (handled by Stripe)
- Unencrypted third-party credentials in user-facing data responses
- Direct access to third-party services you did not explicitly connect
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing necessary to provide the Service you signed up for, including account management, workspace provisioning, and billing.
- Legitimate interest (Article 6(1)(f) GDPR): Fraud prevention, abuse prevention, and service security. You can object to this processing at any time.
- Legal obligation (Article 6(1)(c) GDPR): Retaining billing records as required by tax and financial regulations.
- Consent (Article 6(1)(a) GDPR): Optional analytics cookies and any optional communications where consent is required. You can withdraw consent at any time.
4. How We Use Your Data
- Provide, operate, and maintain the Service
- Process payments and manage subscriptions
- Track token usage for billing and plan enforcement
- Send transactional emails (account confirmation, billing receipts, critical service updates)
- Debug issues and improve service reliability
- Prevent abuse and enforce our Terms of Service
We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.
5. Data Sharing
We do not sell your personal data. We share data only with the following categories of processors, all bound by data processing agreements:
- Supabase (database and authentication) — EU-hosted
- Stripe (payment processing) — PCI DSS compliant
- AI model providers (e.g. Anthropic, Google, OpenRouter) — your conversation messages are sent to these providers to generate agent responses. These providers have their own privacy policies governing how they handle this data.
- Infrastructure providers (server hosting) — for running your workspace containers
We may disclose data if required by law, court order, or to protect our legal rights.
6. Agent-Processed Data
When you connect your AI agent to third-party services (Slack, GitHub, Google Drive, etc.), the agent may read, process, and act on data from those services based on your instructions. Depending on workflow and feature usage, related data may flow through your isolated workspace runtime and supporting control-plane services needed to operate the platform. We may store and process limited records such as chat messages, run events, tool metadata, and error diagnostics to provide the Service, support users, secure the platform, and enforce policy. We do not sell this data or use it for advertising profiling. You are responsible for ensuring your configured agent behavior complies with applicable laws and third-party platform terms.
7. Data Retention
- Account data: Retained while your account is active and deleted or anonymized after account closure, subject to legal obligations.
- Conversation messages and run logs: Retained while needed to operate and support your workspace. When a workspace is deleted, data is removed from active use and queued for cleanup according to operational retention windows.
- Billing records: Retained for 7 years as required by financial regulations.
- Workspace runtime data: Workspace containers are deprovisioned after deletion events. Runtime data may be retained for a short recovery window before permanent cleanup.
- Credentials: Connection credentials are stored encrypted and retained until removed, rotated, or deleted with the related integration/workspace, unless legal retention applies.
8. Data Security
We implement technical and organizational measures to protect your data, including:
- Isolated Docker containers per workspace, with Linux capabilities dropped and the no-new-privileges flag set
- Encrypted connections (TLS) for all data in transit
- Encryption-at-rest for sensitive integration and MCP configuration data
- Row-level security (RLS) in our database ensuring users can only access their own data
- Redaction of secrets in user-facing APIs and interfaces once they have been saved
- Firewall rules restricting container network access
No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security.
9. International Data Transfers
Our primary infrastructure is located in the European Union. Some sub-processors (notably AI model providers and Stripe) may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Your Rights (GDPR)
If you are in the EU/EEA, you have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure — Request deletion of your personal data ("right to be forgotten").
- Restriction — Request that we limit how we process your data.
- Portability — Receive your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email us at support@staffless.ai. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
11. Cookies
We use the following categories of cookies:
- Essential cookies — Required for authentication and session management. These are strictly necessary for the Service to function and do not require consent.
- Analytics cookies — With your consent, we use analytics tools (such as PostHog and Google Analytics) to understand how you use Staffless so we can improve it. These cookies are only set after you explicitly consent via our cookie banner.
We do not use advertising or marketing cookies. You can change your cookie preferences at any time by opening Cookie settings in the interface.
Your cookie consent preference is stored in first-party storage on your device (cookie/local storage) so we can honor your choice on future visits.
12. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact
For any privacy-related questions, data requests, or concerns, contact us at: support@staffless.ai.