The short version, in plain English.
If you read nothing else, read this:
- We do not sell your data. Not to brokers, not to advertisers, not to anyone. There is no version of Stadora where this becomes a revenue line.
- We collect what is needed to run the product. Your contacts, your deals, the calls and notes you record inside the app, the events on your calendar — that's the working set.
- You can export everything and delete everything, on demand, from Settings → Account. Exports come back as a single ZIP with JSON and the original media.
- Your clients' data is yours, not ours. We process it on your behalf as your processor, not as an independent controller.
This notice covers our consumer-facing apps and our web product. If your team is on a Stadora Business agreement, the Data Processing Addendum (DPA) attached to that contract takes precedence where it conflicts with anything below.
What we collect.
Three buckets. The table below is the full list — if it's not here, we're not collecting it.
| Category | What's in it | Source |
|---|---|---|
| Account | Name, email, phone, brokerage, license number, profile photo, password hash. | From you |
| Workspace content | Your contacts, deals, properties, notes, tasks, calendar events, voice memos and transcripts, marketing assets you generate. | From you |
| Usage telemetry | Feature events (e.g. "deal_moved"), crash logs, device model, app version, IP address. No third-party ad SDKs. | From the app |
| Billing | Last four card digits, billing zip, plan tier, invoices. The full card number lives at Stripe — we never see it. | From Stripe |
| MLS feeds | Listings you've granted us access to fetch on your behalf. Cached for performance. | From your MLS |
Why we collect each piece.
One legal basis per category, in plain English:
- To run the product — contract performance. We can't show you your pipeline if we don't have your pipeline.
- To improve the product — legitimate interest. Aggregated, anonymized telemetry tells us which features are working. You can opt out in Settings → Privacy.
- To bill you — contract performance.
- To send service email — contract performance. (Receipts, security alerts, real outages.)
- To send marketing email — your explicit opt-in. One-click unsubscribe, every time.
Who else sees a piece of it.
We use a small set of sub-processors to run the service. Each one signs a DPA, each one is named here, each one's role is narrow.
| Processor | What they do | Region |
|---|---|---|
| AWS (us-east-1, eu-west-1) | Primary infrastructure — compute, storage, databases. | US · EU |
| Stripe | Payments and billing. | US |
| Twilio | SMS and voice routing for the Voice Capture feature. | US |
| Postmark | Transactional email delivery. | US |
| Sentry (self-hosted) | Crash and error reporting. We host this ourselves in eu-west-1. | EU |
| OpenAI | Voice transcription. Zero-retention agreement, no training on your data. | US |
We publish a sub-processor changelog at stadora.ai/privacy. You can subscribe to it. We'll give you 30 days' notice before adding a new one.
Connected accounts, like Google Calendar.
Stadora can connect to a few outside accounts when you ask it to — Google Calendar today, with more on the way. Connecting any of them is opt-in, scoped to the minimum we need, and reversible from Settings.
Google Calendar. When you tap Connect Google Calendar in Settings → Google Calendar, we ask Google for the calendar permission. We use it for exactly three things:
- Reading your primary calendar's metadata on connect — specifically the time zone and account email — so events you create in Stadora are written back to Google with the right local time.
- Pulling events into Stadora — so showings, meetings, and follow-ups you put on your calendar appear next to your tasks.
- Pushing your Stadora tasks onto your calendar — so you get native phone, watch, and laptop reminders without double-entering anything.
That's the entire scope. We do not read calendars you didn't pick, we don't create new calendars, and we don't touch your contacts, drive, or mail. The narrower calendar.events scope can't read calendar metadata, which is why we request the full https://www.googleapis.com/auth/calendar scope — it's the minimum that covers everything Stadora actually does.
Stadora's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train AI models, do not transfer it to third parties except as needed to provide and improve the integration, do not use it for advertising, and do not allow humans to read it except where you ask us to or for security and legal reasons.
What gets stored on our side. Two things, and only these:
- A long-lived refresh token issued by Google, plus short-lived access tokens. Stored encrypted at rest in our Supabase Postgres, readable only by our backend. Never returned to the app.
- The events you sync — title, time, location, description, the calendar id they came from. Stored as ordinary task rows in your workspace. We don't keep a parallel copy somewhere else.
What does not get stored. We don't keep attendee lists from your Google events, we don't keep a separate audit log of every change Google pushes us, and we don't share any of it with our other sub-processors. The OpenAI / Anthropic models that power Stadora's AI features are never given calendar data.
Inviting your clients. When you create a task in Stadora that's linked to a client, we do not automatically email that client a calendar invite. You have to explicitly tick "Send calendar invite to client" on the task — and that option only appears when the client has an email address on file. The default is silent.
Disconnecting. Settings → Integrations → Google Calendar → Disconnect. We immediately revoke the refresh token at Google, stop the sync, and ask you whether to keep the events that were already pulled into Stadora or delete them too. You can also revoke us at any time from myaccount.google.com/connections.
If you delete your Stadora account, the connection and refresh token go with it, automatically.
Voice memos & call recordings.
Stadora's Voice Capture feature records and transcribes voice. Three rules govern it:
- Recording is opt-in, every session. The mic indicator is always visible. Long-press to stop.
- Audio is yours. We store it encrypted at rest, transcribe it once, and never train models on it.
- Two-party consent jurisdictions. If you record a call in a state or country that requires both parties to consent (e.g. California, Florida, most of the EU), you are responsible for getting that consent. We give you a configurable preamble; turn it on.
We will never train a foundation model on customer audio. If we ever fine-tune anything narrowly on Stadora data, it is opt-in, narrowly scoped, and you can revoke. This is non-negotiable for the founders.
How long we keep it.
- While your account is active — for as long as you keep it. Workspace content stays where you put it.
- 30 days after deletion — soft-delete window. Restore from Settings → Account → Restore.
- 90 days for backups — encrypted backups roll off after 90 days. After that point, your data is genuinely gone.
- 7 years for billing records — required by tax authorities. We keep invoices, not card numbers.
Your rights, and how to use them.
Depending on where you live, you have some or all of the following rights. We honour all of them globally — we're not going to make EU customers fill out a form that US customers don't.
- Access — Settings → Account → Export. Returns within 24 hours.
- Correction — edit any field directly in the app, or write to privacy@stadora.ai.
- Deletion — Settings → Account → Delete account. Soft-deletes immediately, hard-deletes after 30 days.
- Portability — exports come as JSON + original media in a single ZIP. Importable into any tool that takes JSON.
- Objection / restriction — write to privacy@stadora.ai with what you'd like restricted; we respond within 7 days.
- Complaint — you can complain to your local supervisory authority. We'd rather you talked to us first.
Children.
Stadora is a tool for licensed real-estate professionals. We don't knowingly collect personal data from anyone under 16. If you believe a child has signed up, write to us and we'll delete the account.
International transfers.
EU customer data is stored in eu-west-1 (Ireland) by default. US customer data is stored in us-east-1 (Virginia). Cross-border processing happens only for support and engineering work, under Standard Contractual Clauses with our US team.
You can pin your workspace to a single region in Settings → Workspace → Region. Once pinned, it doesn't leave — full stop.
Security, briefly.
Long version lives at stadora.ai/security. The short list:
- TLS 1.3 in transit. AES-256 at rest. Per-tenant encryption keys.
- SOC 2 Type II report — annual, available under NDA.
- 2FA available for all accounts; required for Business plans.
- Quarterly third-party penetration testing.
- Bug bounty at stadora.ai/security#bounty.
Changes to this notice.
If we materially change this notice, we'll email every active account at least 30 days before the change takes effect. Minor wording changes get a version bump and a diff at stadora.ai/privacy/diff.
Earlier versions are archived. You can request any prior version from privacy@stadora.ai.