Stash Get started →

Privacy Policy

What we collect, why, how we store it, and what you can do about it. No dark patterns — same posture inside the product as on this page.

Last updated: 2026-05-15.

Who collects what

Brennan VanderLaan is the data controller for everything you upload (boxes, items, photos, tags, room layouts) and everything we observe about your account (sign-in email, IP, audit log, usage meters). The sub-processors we hand data to are listed at /about/sub-processors.

Data we hold

How we secure it

Your rights (GDPR + similar)

Cookies

We use a single cookie set by our OAuth identity proxy (currently a Google sign-in session; will become a generic OAuth-provider cookie as we add GitHub, Apple, and passwordless email) plus an optional active_tenant cookie for multi-tenant users. No third-party advertising or analytics cookies. We do not sell or share data with advertisers, period.

On the public marketing pages (this page, the landing, pricing, etc.) we collect aggregate page-view + dwell-time analytics with no cookies so we can see which pages get traffic and how long visitors stay. Instead of storing a persistent visitor id, we derive a short-lived pseudonymous bucket id from a one-way hash of your IP + User-Agent + our own server-side encryption key + a 30-minute time window. Properties of this approach:

GDPR posture: hashed-with-rotating-secret IPs sit in a grey zone of "is this still personal data?" under European law. We disclose the approach in full here so you can decide whether you're comfortable with the trade-off; if you'd rather not be measured at all, browser extensions that block JavaScript will stop the dwell-time beacon (the server-side pageview count still fires, since it's just an HTTP request — but it carries no more information than the request itself).

Retention

Breach notification

If we experience a data breach affecting your personal data, we'll notify you within 72 hours of discovery, including what we know about the scope and our remediation status. This is a GDPR Article 33/34 obligation; we treat it as a hard commitment regardless of jurisdiction.

Contact

Privacy questions: support@stash.swampcats.life. For formal data-subject requests, include the relevant article number in the subject line so we route it correctly.