Privacy Policy
Last updated: May 15, 2026
1. Introduction
At Stuard AI (“we,” “our,” or “us”), we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share information about you when you use our desktop application, website, and related services (collectively, the “Service”), including when you connect third-party integrations such as Google, Microsoft, Meta (Facebook, Instagram, Threads, WhatsApp), GitHub, Discord, Reddit, X, and Telnyx.
Our core philosophy is “Local-First.” We design our software to keep as much of your personal data on your local device as possible, minimizing what is sent to our servers.
2. Information We Collect
A. Information You Provide to Us
- Account Information: When you sign up, we collect your email address and authentication credentials.
- Profile Information: You may choose to provide a name, nickname, or other profile details.
- Marketplace Content: If you publish workflows to our Marketplace, we collect and store that content publicly.
- Support Communications: Information you provide when contacting support.
B. Information Collected Automatically
- Usage Data: We collect technical logs about how you use the Service, such as API calls, token usage, and error reports, to improve system stability.
- Device Information: We may collect information about your device type, operating system, and unique device identifiers for licensing and security.
C. Data Processed via AI Providers
To provide AI assistant functionality, text inputs and necessary context are sent to third-party AI model providers (such as OpenAI, Google Gemini, Anthropic, and routing infrastructure such as OpenRouter). These providers are used solely for generating responses and are not permitted to use your data to train their models, subject to their respective enterprise terms.
3. Local Data Storage
Stuard AI stores the following data locally on your device:
- Conversation History: Your chat logs and interaction history.
- Knowledge Graph: Structured facts and memories the AI learns about you.
- Task Data: Todos, plans, and local automation states.
- Files: Documents and files you ask Stuard to manage.
This local data is under your control. If you enable “Cloud Sync” (optional), an encrypted copy of this data may be stored on our servers to synchronize across your devices.
4. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service.
- Process transactions and manage your account.
- Sync your data across devices (if enabled).
- Facilitate the Marketplace for sharing workflows.
- Detect, prevent, and address technical issues or fraud.
- Communicate with you about updates, security alerts, and support.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your data in the following circumstances:
- Service Providers: With third-party vendors who help us operate the Service (e.g., cloud hosting, payment processing, AI inference, messaging gateways).
- Legal Compliance: If required by law, regulation, or legal process.
- Business Transfers: In connection with a merger, sale, or asset transfer.
- With Your Consent: If you explicitly authorize us to share data (e.g., when you connect a third-party integration described in Section 6).
6. Third-Party Integrations
Stuard AI lets you connect optional third-party services so the assistant can act on your behalf. Each integration is opt-in — we only access the data needed for the specific tasks you ask Stuard to perform. When you connect an integration, you authorize Stuard to access that service under the scopes you grant during the OAuth flow (or, for messaging integrations, the phone number you verify).
A. How Integration Credentials Are Stored
- Access tokens and refresh tokens are stored in our backend database (Supabase) using per-user envelope encryption (AES-256-GCM with keys derived via HKDF from a server-side pepper).
- Tokens are decrypted only in-memory when needed to execute a tool call you triggered.
- You can disconnect any integration at any time from the Integrations panel in the desktop app. Disconnecting deletes our copy of your tokens and revokes our ability to access that account.
- You can also revoke access directly from each provider’s account dashboard (e.g., Google Account permissions, Microsoft account apps, Meta Business Settings, GitHub Settings → Applications).
B. Per-Integration Disclosures
Google (Gmail, Drive, Calendar, Sheets, Docs, Tasks)
When you connect a Google service, Stuard AI requests only the minimum OAuth scopes required for the features you enable (for example, gmail.send to send mail you draft, drive.file to read or write files you select, or read scopes for Calendar, Sheets, Docs, and Tasks). Stuard’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train generalized AI models, do not sell Google user data, and do not transfer it to third parties except as needed to provide the feature you requested, comply with law, or protect the security of our service.
Microsoft Outlook
When you connect Outlook, Stuard requests Microsoft Graph scopes (such as Mail.Read) so it can read mail you ask it to summarize or act on. Tokens are obtained via PKCE-protected OAuth and stored encrypted as described above. You can revoke Stuard’s access at any time from your Microsoft account’s “Apps and services” page.
Meta — WhatsApp
When you connect WhatsApp, you provide a phone number and confirm ownership by sending a one-time code from your WhatsApp account to Stuard’s WhatsApp Business number. Once linked, Stuard can send and receive messages, voice notes, images, and files between you and the assistant via the official WhatsApp Business Platform (Cloud API).
- What we receive: the messages you send to Stuard’s WhatsApp number, including text, attached media, and voice notes (which may be transcribed by a speech-to-text provider so the assistant can understand them).
- What we send back: only replies generated in response to your messages or proactive notifications you have explicitly enabled.
- What we store: your verified phone number, message metadata needed for delivery, and message content insofar as it is part of your conversation history (subject to the local-first principles in Section 3 and your sync settings).
- What we do not do: we do not use WhatsApp messages for advertising, do not sell them, and do not share them with third parties except subprocessors needed to deliver, transcribe, or store the message at your request.
Your use of WhatsApp through Stuard is also governed by Meta’s WhatsApp Business Messaging Policy and WhatsApp Privacy Policy. You can disconnect at any time from the Integrations panel; disconnection deletes our copy of your WhatsApp identifiers and stops further messaging.
Meta — Facebook, Instagram, Threads
When you connect Facebook, Instagram, or Threads, Stuard receives an OAuth access token scoped to the permissions you approve during Meta’s consent flow. We use this token only to perform the actions you request (e.g., read your profile, publish content, or fetch posts). Use of these integrations is also subject to Meta’s Platform Terms and Meta Privacy Policy. We do not aggregate Meta data with data from other sources for advertising, do not sell Meta data, and do not retain it longer than needed to fulfill the requested action and your conversation history.
GitHub
Connecting GitHub allows Stuard to read repositories and issues you have access to so it can answer questions and assist with code. We request only the OAuth scopes needed for the features you enable. Use is governed by GitHub’s Privacy Statement.
Discord
Connecting Discord allows Stuard to list servers and DMs you belong to and to read or send messages on your behalf when you ask. Use is governed by Discord’s Privacy Policy.
Reddit
Connecting Reddit allows Stuard to browse, search, post, and comment on your behalf when you request. Use is governed by Reddit’s Privacy Policy.
X (Twitter)
Connecting X allows Stuard to read your timeline, post tweets, send DMs, and look up users on your behalf. X API usage may be billed against your Stuard credits as disclosed in the Integrations panel. Use is governed by X’s Privacy Policy.
Telnyx (SMS / Voice Calls)
When you connect a phone number for SMS or voice notifications, Stuard sends a verification code via Telnyx and stores the verified phone number. We use Telnyx to deliver messages and voice calls you trigger or have explicitly enabled. We do not use your phone number for marketing and do not share it with third parties other than Telnyx as our messaging carrier. Telnyx’s handling of this data is governed by the Telnyx Privacy Policy. Standard message and data rates from your carrier may apply. Reply STOP to any SMS to opt out.
Local-Only Integrations
Some integrations — Python, FFmpeg, MediaPipe, Ollama, and Stuard Browser — run entirely on your own device. They do not transmit data to Stuard’s servers as part of their normal operation. Their respective installers may, however, fetch software from official sources under their own privacy practices.
Webhooks & User-Configured Endpoints
If you configure webhooks or other custom HTTP endpoints, Stuard will deliver data to the URLs you specify. You are responsible for the privacy and security practices of any endpoint you connect.
C. Data Retention for Integrations
We retain integration access tokens for as long as the integration remains connected to your account. When you disconnect an integration, we delete the associated tokens and any account-identifying metadata that is no longer needed. Content fetched from a third-party service in the course of executing a task (e.g., the contents of an email you asked Stuard to summarize) is treated as part of your conversation history and is governed by Sections 3 and 8.
7. Data Security
We implement appropriate technical and organizational measures to protect your data. Cloud-stored data is encrypted at rest and in transit, and integration tokens are additionally protected with per-user envelope encryption as described in Section 6. However, no method of transmission over the Internet or electronic storage is 100% secure, so we cannot guarantee absolute security.
8. Your Rights
Depending on your location, you may have rights to access, correct, delete, or export your personal data. You can manage most of your data directly within the Stuard AI application — including disconnecting any integration, clearing local data, and deleting your account. For other requests, please contact us at the address in Section 12.
9. International Data Transfers
Stuard AI is operated from the United States. If you access the Service from outside the U.S., your information may be transferred to, stored, and processed in the U.S. and other countries where our service providers operate. We rely on appropriate safeguards (such as standard contractual clauses) where required by law.
10. Children's Privacy
The Service is not intended for individuals under the age of 13 (or the higher age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the “Last updated” date. Material changes affecting integrations will be highlighted in-product where reasonable.
12. Contact Us
If you have any questions about this Privacy Policy or the way an integration handles your data, please contact us at [email protected].