Privacy Policy

Last updated: March 3, 2026

1. Introduction

Simple Software LLC ("Stewrd," "we," "us," or "our") operates the Stewrd API platform at stewrd.dev. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

2. Information We Collect

Account Information: When you create an account, we collect your email address and authentication credentials.

API Usage Data: We log API request metadata including timestamps, request IDs, capabilities used, token counts, and response times. We do not store the content of your prompts or agent responses beyond the duration of a request unless you use Sessions.

Session Data: If you use the Sessions feature, message history is stored for the lifetime of the session to enable multi-turn conversations. Session data is deleted when the session expires or is explicitly deleted.

Payment Information: Payment processing is handled by Stripe. We do not store credit card numbers. We retain Stripe customer IDs and subscription metadata.

BYOK Provider Keys: If you provide your own LLM provider API key, it is encrypted at rest using AES-256-GCM. We never log or expose your provider keys.

3. How We Use Your Information

We use your information to:

  • Provide and operate the Stewrd API
  • Track usage and enforce plan limits
  • Process payments and manage subscriptions
  • Send transactional emails (account confirmations, usage alerts)
  • Diagnose technical issues and improve our services

4. Data Sharing

We do not sell your personal information. We share data only with service providers necessary to operate the platform:

  • Stripe — payment processing
  • Supabase — database and authentication
  • Cloudflare — infrastructure, CDN, and file storage (R2)
  • LLM Providers — your prompts are forwarded to the configured LLM provider (e.g., OpenRouter) to generate responses. If you use BYOK, requests are sent using your own key.

5. Data Retention

API usage logs are retained for 90 days. Generated files are retained according to your plan tier (24 hours to 30 days). Account data is retained until you delete your account. You may request deletion of your data by emailing [email protected].

6. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive fields (AES-256-GCM), and role-based access controls. API keys are hashed before storage.

7. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising pixels.

8. Your Rights

You may access, update, or delete your account data at any time through the dashboard or by contacting us. If you are located in the EU, you have additional rights under GDPR including data portability and the right to object to processing.

9. Changes

We may update this policy from time to time. Material changes will be communicated via email or a notice on the dashboard. Continued use of the service after changes constitutes acceptance.

10. Contact

Questions about this policy? Email us at [email protected].