MYStacy — Privacy & Security

How it works technically

The encryption architecture.

This is not marketing language. This is how the system actually works. If you're a technical person, this section will satisfy you. If you're not, the summary is: we cannot read your data, even if we wanted to.

Encryption flow · Client → Server → AI

💻

Your Browser / Device

Data is encrypted here using AES-256-GCM before it leaves your device. Your encryption key never leaves the client.

Plaintext here only

↓ Encrypted payload travels over TLS ↓

🗄️

Supabase Database

Stores only ciphertext. No plaintext. Even database admins cannot read your notes, tasks, or contact data.

Ciphertext only

↓ Fetched as ciphertext → decrypted in browser ↓

🔓

Browser-side Decryption

Context is decrypted in your browser before being passed to the Claude API. The AI never sees raw ciphertext from the DB.

Decrypted locally

↓ Decrypted context sent to AI over TLS ↓

🤖

Claude API (Anthropic)

Receives context for your session only. Anthropic's data handling applies. We do not send your data to other AI providers.

Session-scoped only

Privacy principles

Six things we will always do.

01

Encrypt before it leaves your device

Every piece of data you create in Mystacy is encrypted client-side using AES-256-GCM before it is transmitted. This is non-negotiable and will never change.

02

Store only what's necessary

We collect the minimum data required to run the service. Your email address, subscription status, and encrypted content. Nothing more.

03

Never sell your data

We will never sell, rent, or trade your data to any third party, advertiser, or data broker. Our business model is subscriptions — not your information.

04

Tell you if anything changes

If we ever change our data practices, we will notify you by email before the changes take effect — not after. You will always have the opportunity to delete your data and leave.

05

Give you full data portability

You can export all your data at any time in standard formats. If you leave Mystacy, your information leaves with you. Nothing is held hostage.

06

Delete completely on request

If you request account deletion, all your data — including encrypted content — is permanently deleted within 30 days. No backups retained beyond that window.

Data collection

Exactly what we collect and why.

No ambiguity. Here is every category of data Mystacy handles, what we do with it, and whether it is encrypted.

Data Type	Purpose	Encrypted	Shared
Email address	Account identification, communication	No (needed for auth)	Never sold
Notes & captures	Your second brain content	AES-256-GCM	Never
Tasks & projects	Productivity layer	AES-256-GCM	Never
Contact intelligence	Relationship layer	AES-256-GCM	Never
SMS content	Stacy agent interactions	AES-256-GCM	Never
Gmail content	Contact intelligence (if enabled)	AES-256-GCM	Never
Subscription & billing	Payment processing via Stripe	Stripe-managed	Stripe only
Usage analytics	Product improvement (anonymized)	Anonymized	Never identified

Our commitments

What we will never do.

🚫

Never serve ads

There are no ads in Mystacy. There never will be. Advertising models require treating users as inventory. We treat you as a customer.

🚫

Never sell data

Your data has no value to us except as something to protect on your behalf. It will never be sold, licensed, or traded to any third party.

🚫

Never train AI on your data

Your captures, notes, and contact intelligence are never used to train AI models — ours or anyone else's. Your thoughts are yours.

🚫

Never share without consent

We do not share your data with any third party without your explicit consent, except where legally required (and we'll tell you if that happens).

🚫

Never obscure our practices

This page is written in plain English. If our practices ever change, you'll hear about it before it happens — not buried in a terms update.

🚫

Never hold your data hostage

Full export available at any time. Deletion is permanent and complete. You are never locked in.

Legal

The policy in plain English.

We've written an actual plain-English summary. The full legal document is below that. Read whichever suits you.

What we collect: Your email address for account creation. Your subscription status for billing. All other content you create (notes, tasks, contact data, SMS interactions) is stored encrypted — we cannot read it.

How we use it: To provide the Mystacy service. Your encrypted content is decrypted in your browser to power Stacy's intelligence. Your email is used only for account-related communications and never for marketing without consent.

Who we share it with: Stripe (payment processing), Supabase (encrypted storage), Twilio (SMS delivery), Anthropic (AI processing — session-scoped, not stored). No one else. Nothing sold.

How long we keep it: For as long as you have an active account. On deletion request, all data is permanently removed within 30 days. Billing records retained as required by law (typically 7 years).

Your rights: You have the right to access, export, correct, and delete all your data at any time. Contact us at [email protected] to exercise any of these rights. We will respond within 5 business days.

Changes to this policy: We will notify you by email at least 14 days before any material change to this policy takes effect. You may delete your account and data at any time if you disagree with any change.

Jurisdiction: Mystacy is operated from Florida, United States. This policy is governed by Florida law and applicable federal regulations. For GDPR inquiries (EU residents), contact [email protected].

Effective date: March 2026. Last updated: March 14, 2026.