Privacy Policy
Last updated: March 29, 2026
TL;DR: Staick is GDPR-native, EU-based, and privacy-first. We store your AI conversations in the EU, give you full control over your data, and never sell your information. Your conversations = yours.
1. Controller Identity
Staick is a privacy-first, EU-based knowledge hub for AI conversations. We're committed to GDPR not just as compliance, but by design.
- Service: Staick (staick.app)
- Email: privacy@staick.app
- Hosting: European Union (France/Germany)
- Data Protection: GDPR-native
2. What Data We Collect
2.1. Account Data
To create your Staick account, we collect:
- Name: Your display name
- Email: Your email address (unique identifier)
- Password: Hashed with bcrypt (never stored in plain text)
- 2FA: Two-factor authentication secret and recovery codes (if enabled)
- Email verification: Timestamp when you verified your email
Legal basis: Contract execution (account creation)
2.2. AI Conversations
When you import conversations from AI providers, we store:
- Title: The conversation title
- Provider: Which AI provider (ChatGPT, Claude, Gemini, etc.)
- Messages: Full conversation history (user + assistant messages)
- Metadata: Original URL, import status, timestamps
- Attachments: Files you uploaded (up to 25MB, 50 files per import)
Legal basis: Your consent (voluntary import)
2.3. Organization Data
To organize your conversations, we create:
- Workspaces: Spaces to group conversations (default + custom)
- Projects: Projects within workspaces
- Tags: Tags you add to conversations
- Notes: Your personal notes on conversations
- Summaries: AI-generated summaries (if enabled)
Legal basis: Contract execution (core functionality)
2.4. Technical Data
To run and improve the service, we collect:
- API tokens: For authentication (Laravel Sanctum)
- API logs: API calls and responses
- Error logs: Errors and crashes (via Sentry)
- Analytics: Page views, events (via OpenPanel, privacy-friendly)
- Job logs: Background job monitoring (via Laravel Horizon)
Legal basis: Legitimate interest (security, service improvement)
3. How We Use Your Data
- Provide the service: Store, organize, and display your AI conversations
- Import conversations: Connect to your AI providers and sync conversations
- Search & filter: Let you search across all conversations
- Generate summaries: Create AI summaries (if you enable it)
- Secure the service: Prevent abuse, detect suspicious activity
- Improve the service: Analytics to understand usage patterns
- Communicate with you: Service updates, security alerts
4. Third Parties & Data Transfers
4.1. AI Providers
Your conversations are imported from these AI providers:
- ChatGPT (OpenAI)
- Claude (Anthropic)
- Gemini (Google)
- Grok (xAI)
- Mistral AI
- Perplexity
- DeepSeek
- Groq
- And 7+ others...
Important: Your conversations are stored BOTH at the AI provider AND in Staick. When you import from ChatGPT, for example, the conversation remains on OpenAI's servers AND is copied to Staick's EU-based servers.
4.2. Infrastructure Providers
We use these EU-based services to host Staick:
- PostgreSQL: Database (EU)
- Redis: Cache and queue (EU)
- MinIO/S3: File storage (EU)
4.3. Third-Party Services
- Sentry: Error tracking (stores errors, stack traces, partial IP)
- OpenPanel: Analytics (privacy-friendly, no personal tracking)
5. Where Your Data Lives
✅ Staick Hosting: 100% EU-based
Your database, files, and cache are hosted in the European Union (France/Germany). No Staick data leaves the EU.
⚠️ AI Providers: Mostly US-based
When you import from ChatGPT, Claude, or Gemini, your conversations remain on those providers' servers (mostly US-based). Staick creates a copy in the EU, but the original stays with the AI provider.
Legal basis for transfers: Your consent (you choose which AI providers to connect)
6. Your GDPR Rights
Under GDPR, you have the following rights:
6.1. Right to Access (Article 15)
You can request a copy of all your data. We'll provide it within 30 days.
6.2. Right to Rectification (Article 16)
You can correct inaccurate or incomplete data.
6.3. Right to Erasure (Article 17)
You can delete your account and all associated data. We'll soft-delete within 7 days and permanently delete within 30 days.
6.4. Right to Portability (Article 20)
You can export all your conversations in JSON or CSV format.
6.5. Right to Object (Article 21)
You can object to analytics tracking. Contact us to disable it.
6.6. Right to Restrict Processing (Article 18)
You can request to limit how we process your data.
To exercise these rights: Email us at privacy@staick.app
7. Data Retention
- Active account: Data retained as long as your account is active
- Deleted account: Soft-deleted within 7 days, permanently deleted within 30 days
- Conversations: Kept as long as your account is active
- Logs: Retained for 90 days maximum
8. Security
We protect your data with:
- Encryption at rest: Database encryption
- Encryption in transit: HTTPS/TLS for all connections
- Password hashing: Bcrypt (one-way hash)
- 2FA: Optional two-factor authentication
- API security: Token-based authentication (Laravel Sanctum)
- EU hosting: Data stored in European data centers
10. Children's Privacy
Staick is not intended for children under 16. We don't knowingly collect data from children under 16. If we discover we've collected data from a child under 16, we'll delete it immediately.
11. Changes to This Policy
We may update this Privacy Policy. For significant changes, we'll:
- Notify you by email at least 30 days in advance
- Highlight what changed
- Assume continued use = acceptance of changes
12. Contact Us
For privacy questions, GDPR requests, or concerns:
- Email: privacy@staick.app
- General contact: hello@staick.app
- Location: European Union
We'll respond to GDPR requests within 30 days.
Remember:
Your AI conversations are yours. Staick just helps you organize them. We're in this business because we believe privacy is a right, not a privilege.