Privacy Policy

1) Who We Are & Scope

Controller for Individual Users: StayTeam, MVP test-phase startup located in SK, RF, c/o Center for Digital Engineering (CDE) of SK.

Team Customers: For team/organization workspaces, StayTeam generally acts as a processor/service provider; the Team Customer acts as the controller/business. See your agreement and our Data Processing Addendum (DPA) for details.

Contact: SabahFarshad [at] gmail.com

EU/UK representatives: Not appointed.

1.1) Confidentiality During Invitation-Only Testing (NDA)

During invitation-only MVP testing, your use of the Service is subject to a confidentiality obligation (NDA) described in our Terms of Use, Section 6. The NDA governs non-public product information you may access and restricts sharing such information outside permitted recipients. The NDA does not reduce your rights under this Privacy Policy.

2) Data We Collect

• Account & Profile Data: name, university affiliation/role, email, password hashes, photo/avatar, preferences, language, consent records.
• Content You Submit: prompts, messages, transcripts (including audio you upload), decision logs, conflict-resolution notes, uploaded files, labels/annotations, and AI outputs generated in your workspace.
• LLM Interaction Data: model prompts/outputs, safety/moderation signals, ratings/feedback, and feature flags necessary to operate AI functionality.
• Usage & Device Data: app interactions, telemetry, crash logs, diagnostics, referrer, timestamps, IP address, approximate location, device/OS/browser, cookie IDs, session IDs.
• Admin Data: role assignments, invitation codes, audit trails.
• Payment: Not applicable during MVP; we do not charge or collect payment data.
• Public/Third-Party Data: information from partners or vendors to support security, compliance, or fraud prevention.

3) Sources of Data

We obtain data directly from you, automatically through the Service, from Team Customers (for Team Members), from third-party services you connect, from vendors (e.g., analytics, email), and from publicly available sources where lawful.

4) How We Use Data & Legal Bases

We use personal data for the purposes below. Where the GDPR/UK GDPR applies, we indicate our legal bases in parentheses.

• Provide & Secure the Service — create/manage accounts, deliver features (including LLM processing), provide support, ensure integrity and safety, prevent abuse and fraud (contract; legitimate interests; legal obligations).
• Invitation-Only Access — verify eligibility (students, employees, or faculty of SK), manage invitation codes, and enforce access restrictions (legitimate interests).
• Team Collaboration — enable shared workspaces, role-based access, decision records, conflict-management workflows (contract; legitimate interests).
• Communications — service messages and product notices (contract; legitimate interests; consent where required).
• Analytics & Improvement — aggregated/de-identified analytics, quality, reliability, and safety improvements (legitimate interests).
• Research (Opt-In) — with your explicit consent, de-identified or pseudonymized data may be used for research to improve decision quality, fairness, safety, and AI performance (consent; explicit consent for special categories).
• Compliance — meet legal obligations and enforce terms (legal obligations; legitimate interests).

4.1 Research & Consent

Optional Participation. Research use is not required to use the Service. If you opt in, we may process de-identified or pseudonymized copies of prompts, transcripts, decision logs, and related metadata for research. You may withdraw consent at any time in-app or by contacting us; we will cease new research use going forward. Already-used de-identified data may be retained to preserve research integrity where permitted by law.

Consent UI. Checkboxes (unchecked by default): “I consent to the research use of my data as described in the Privacy Policy and Terms,” and (if applicable) “I consent to the research use of special category/sensitive data I choose to provide.”

4.2 Automated Decision-Making

Our LLM features assist with summaries, options, and rationales. We do not make decisions that produce legal or similarly significant effects without meaningful human involvement.

4.3 Model Training & Provider Use of Data

Third-party model providers. To operate AI features, we send prompts/inputs and receive outputs from providers (currently OpenAI and Google Gemini). Where supported, we configure providers so they do not use your data to train their foundation models. Where a provider does not offer such configuration, we apply contractual and technical measures to limit use to providing the Service and safety/compliance.

Our product improvement. We may use de-identified or aggregated data to improve quality, reliability, and safety. We do not use your personal data to train third-party foundation models.

5) How We Share Data

• Processors/Sub-processors: vendors who process data under our instructions and DPA/SCCs. See our subprocessor list: /legal/subprocessors.
• Model Providers: to operate AI features, prompts/inputs and outputs may be processed by OpenAI and Google Gemini safety and inference services.
• Cloud Hosting: Google Cloud Platform (GCP), primary region us-central1-a (United States).
• Integrations: none during MVP.
• Legal & Safety: to comply with law, protect rights/safety, or respond to lawful requests.
• Business Transfers: in connection with a merger, acquisition, or sale of assets, subject to confidentiality.
• Aggregated/De-identified: non-identifiable insights and statistics.

We do not sell personal data or share it for cross-context behavioral advertising as defined by the CPRA.

Sensitive personal information: We do not use or disclose sensitive personal information for purposes other than those permitted by law (e.g., to provide the Service, ensure security/integrity, prevent fraud, or as otherwise authorized by you).

6) International Data Transfers

We and our vendors may process data globally. Personal data may be transferred to and processed in the United States (e.g., GCP us-central1-a; OpenAI/Google). Where required, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and the UK IDTA/UK Addendum, plus supplementary measures where appropriate.

7) Data Retention

MVP/Pilot Phase: Content storage is not guaranteed; we may purge content at any time without notice. Backups are taken daily; backup retention and restore availability may vary during MVP.

• Account data: retained for your account lifetime and a short period after closure to complete administrative tasks, unless earlier deletion is required.
• Workspace content: not guaranteed to persist; admins may delete; we may purge at any time during MVP.
• Telemetry and logs: typically retained up to 12 months for security and reliability.
• Billing records: not applicable during MVP.

8) Security

We implement administrative, technical, and physical safeguards appropriate to the nature and risk of the data we process (e.g., encryption in transit, access controls). However, during MVP we may have bugs and vulnerabilities. No method is 100% secure. If we become aware of a personal data breach, we will notify affected parties and/or authorities as required by law.

Encryption at rest: We encrypt production databases and storage at rest using industry-standard encryption provided by our cloud vendor(s).

9) Your Rights & Choices

Depending on your location, you may have rights to access, rectify, delete, restrict, object, and port your personal data, and to withdraw consent. We honor these rights where required by law. Note that some requests may be limited during the MVP due to technical constraints; we will still comply with applicable law.

How to submit a request: You can submit requests by email at SabahFarshad [at] gmail.com. We may need to verify your identity (and, if applicable, your authority to act on behalf of someone else) before fulfilling a request.

Appeals: If we decline your request, you may appeal by replying to our decision email with “Appeal” in the subject line. If you remain dissatisfied, you may have the right to lodge a complaint with your local data protection authority.

EU/UK users: You have the right to lodge a complaint with a supervisory authority, particularly in the Member State/UK nation of your habitual residence, place of work, or place of the alleged infringement.

10) Cookies & Similar Technologies

We use cookies for essential operations, security, analytics, and remembering preferences. Where required, we will present a consent banner and honor your choices. You can manage preferences via our banner or Settings > Privacy, and through your browser.

11) Team Workspaces & Admin Controls

Team Customers control their workspaces, including membership, roles, retention, exports, and integrations. Project admins may delete data and revoke access for members they invited.

12) Children’s Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16.

13) Changes to This Policy

We may update this Policy to reflect changes to our practices or for legal, technical, or business reasons. If changes are material, we will provide notice as required (e.g., via the Service or email). Your continued use after the effective date indicates acceptance.

14) Contact Us

Appendix — Key Definitions

• Personal Data/Personal Information: any information that identifies or relates to an identifiable individual.
• Controller/Processor; Business/Service Provider: roles defined under GDPR/CCPA for determining purposes and means of processing.
• Model Providers: third-party AI services that process prompts/inputs and generate outputs under our instructions.
• De-identified Data: information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual.