Privacy Policy

When you use a Strata account that belongs to a company or team (an "Enterprise Account"), that organization is the "data controller" (or "business," in U.S. terms) for content and administrative data in the account. Strata acts as a "data processor" ("service provider") on the organization's behalf, and the organization's own policies govern how administrators use your data. If you are a member of an Enterprise Account, please direct data-subject requests to your organization first.

For personal accounts, marketing, and site visitors, Strata is the data controller and this Policy governs directly.

Information you provide. When you create an account, we collect your name, email, password or federated identity (e.g., Google, SAML/OIDC SSO), and any profile fields you add (avatar, display name, handle). If you subscribe to a paid plan, we or our payment processor collect billing information (name, address, payment method identifiers — we do not store full card numbers). When you contact support, we collect whatever you send us.

Customer Content. Documents, comments, folders, Spaces, uploads, collaborative edits (stored as Yjs CRDT state), AI-assistant prompts, and anything else you submit to the Service.

Usage and telemetry. Request logs, IP address, browser and device information, language, referring URL, pages viewed, actions taken, feature-flag exposure, performance metrics, and error reports. We use this to operate, secure, and improve the Service.

Cookies and similar technologies. We use strictly-necessary cookies for authentication and session continuity, and a small number of first-party cookies for preferences (language, theme). With your consent, we also use a first-party analytics cookie to measure page performance and capture errors — see the cookies section below for details. We do not use advertising cookies or cross-site trackers.

From third parties. If you sign in with an identity provider, we receive the profile attributes they release (such as name, email, groups). If your administrator provisions you via SCIM, we receive the attributes they send. If you authorize a connector, we receive data from the connected source subject to the scopes you grant.

We use information to:

• provide, maintain, and secure the Service, including authentication, collaboration, search, and AI features you invoke;
• host and back up Customer Content, and build derived indexes (keyword and vector embeddings) to power search you initiate;
• communicate with you about your account, changes to the Service, security, and support;
• measure performance, debug errors, and improve reliability and UX;
• prevent fraud, abuse, and security incidents, and enforce our Terms;
• comply with legal obligations and respond to lawful requests;
• with your consent, send you product updates and marketing you can opt out of at any time.

We do not train machine-learning models on Customer Content, and we require our AI subprocessors not to train on Customer Content. When you invoke AI features (for example, semantic search, embeddings generation, or an AI assistant), the content needed to serve your request is sent to the relevant subprocessor under contractual terms that prohibit retention for model training.

MCP and in-app AI agents act on your behalf, with the permissions of the user who authorized them. We log agent actions to the audit trail so you can review what was read or written. You are in control of which agents you authorize and what scopes you grant.

We may use aggregated, de-identified usage data (such as feature-usage counts, latency distributions, or error rates) that does not identify you or any individual to operate and improve the Service.

With your organization. In an Enterprise Account, administrators can access the account's content and audit logs, manage users, and configure SSO/SCIM.

With collaborators you choose. When you share a document, invite a user to a Space, or publish a page, those recipients see the content and associated attribution.

With subprocessors. We use vetted service providers to run the Service. Current primary subprocessors include:

• Amazon Web Services (AWS) — cloud infrastructure (compute, storage, databases, CDN, email via Amazon SES), primarily in US regions.
• Amazon Cognito — user authentication, SSO federation, and identity management.
• Cohere — generation of text embeddings for semantic search over your Spaces. Content sent for embedding is processed under a no-training commitment.
• Anthropic and other LLM providers — powering AI-assistant features you explicitly invoke, under no-training commitments.

Subprocessors are bound by written agreements that obligate them to protect your data and use it only to provide services to us.

For legal reasons. We may disclose information when we reasonably believe disclosure is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms; or to protect the rights, property, or safety of Strata, our users, or the public. We will push back on overbroad requests where lawful.

Business transfers. If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

Strictly-necessary cookies. We use first-party cookies to keep you signed in, carry CSRF tokens, and remember preferences like language and theme. These cookies are required for the Service to function and are not subject to consent.

Performance analytics (with your consent). When you accept the consent banner, we load AWS CloudWatch RUM to measure page load timing, Web Vitals (LCP, INP, CLS), and JavaScript errors. The RUM SDK sets two first-party cookies on our domain:

• cwr_s — session identifier, expires when the session ends.
• cwr_u — anonymous user identifier, expires after a fixed window.

These cookies are never shared with third parties for advertising or profiling. Event data (URLs, timing measurements, error stack traces) is transmitted to AWS, which acts as our data processor under a no-training, no-resale commitment. Data is retained in AWS for a limited window scoped to our operational needs and deleted thereafter.

Your controls. The consent banner lets you accept or decline the performance analytics at any time. You can change your decision later in Settings → Privacy preferences. We also honor the Global Privacy Control signal — if your browser sends it, we treat it as an opt-out and do not load the analytics SDK. Declining or revoking clears the cwr_* cookies on our domain.

Scope. Consent is stored per origin. If you access Strata on a different subdomain (for example, a vanity or customer-specific domain), you will be asked again.

We keep Customer Content for as long as your account is active. When you delete a document, space, or account, the content is removed from active systems; backup copies expire on our ordinary retention schedule (typically within 35 days).

Account, billing, and audit-log data are retained as long as reasonably necessary for legal, security, and accounting purposes. Aggregated and de-identified data may be retained indefinitely.

We use industry-standard safeguards to protect your data, including encryption in transit (TLS) and at rest, least-privilege access controls, audit logging, multi-factor authentication for internal systems, and continuous monitoring. No system is perfectly secure; if you discover a vulnerability, please report it to security@strata.space.

Strata is based in the United States, and the Service is primarily operated from U.S. AWS regions. If you access the Service from outside the U.S., you understand your data will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses (and the UK Addendum) to transfer personal data from the EEA, UK, and Switzerland. If your organization requires a specific regional commitment, contact us to discuss available options.

Depending on where you live, you may have rights to: access the personal data we hold about you; correct inaccurate data; delete data; port data to another service; object to or restrict certain processing; and withdraw consent. You can also opt out of marketing communications at any time using the unsubscribe link in the email or by emailing us.

To exercise these rights, contact privacy@strata.space. If you are a member of an Enterprise Account, please direct your request to your organization first; we will route content-level requests through them. We do not discriminate against users who exercise their rights.

California residents (CCPA/CPRA). In the 12 months before this Policy was published, we collected the categories of personal information described above. We do not sell personal information or share it for cross-context behavioral advertising. You may designate an authorized agent to make a request on your behalf.

EEA, UK, and Swiss residents (GDPR). We rely on one or more of the following legal bases: performance of a contract with you, legitimate interests (including operating and securing the Service), compliance with legal obligations, and consent (where applicable). You have the right to lodge a complaint with your supervisory authority.

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact privacy@strata.space and we will take appropriate steps to delete it.

The Service may contain links to third-party websites or content. We are not responsible for their privacy practices. Review their policies before providing them with information.

We may update this Policy from time to time. When we make material changes, we will post the updated version here and update the "Last updated" date, and we will provide additional notice where required (for example, by email or in-product banner). Your continued use of the Service after the effective date means you accept the updated Policy.

Questions about this Policy or our privacy practices? Write to us at privacy@strata.space.