Privacy Policy
Effective date: March 22, 2026. Last updated: March 22, 2026.
Steel Motion LLC ("we," "our," or "us") operates Styrby, including the website at styrbyapp.com, the Styrby mobile app, and the Styrby CLI tool (collectively, the "Service"). This policy explains what data we collect, why we collect it, and how we handle it.
By using Styrby, you agree to this policy. If you do not agree, please do not use the Service.
Our Zero-Knowledge Architecture
Styrby is designed so that we never see the content of your work. Session messages (your prompts, code, and AI responses) are end-to-end encrypted using TweetNaCl public-key authenticated encryption. Your private key never leaves your devices. Our servers relay encrypted ciphertext and cannot read the plaintext content of your sessions.
What this means in practice: we process metadata (timestamps, token counts, costs, agent type, session status, machine identifiers) but we do not process the actual content of your AI sessions. That content is yours, encrypted, and invisible to us.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address -- used for authentication, account recovery, and essential service notifications
- Display name -- an optional name you choose
- GitHub OAuth data -- if you sign in via GitHub, we receive your GitHub username, email, and avatar URL as authorized by you during the OAuth flow
Session Metadata
We collect metadata about your AI agent sessions. We do not collect the content of your sessions (see Zero-Knowledge Architecture above).
- Session records -- agent type (Claude, Codex, Gemini), session start and end times, status, and any tags or summaries you create
- Token usage and costs -- input tokens, output tokens, cache tokens, and calculated cost in USD, used to power your cost dashboard and budget alerts
- Encrypted message ciphertext -- stored only to relay to your authorized devices. We cannot read this content.
Device and Machine Information
- Machine identifiers -- an anonymized identifier and display name for each CLI instance you register
- Public keys -- cryptographic public keys used for end-to-end encryption. Private keys never leave your devices.
- Push notification tokens -- APNs (iOS) or FCM (Android) tokens used to deliver real-time alerts to your mobile device
Configuration Data
- Agent configurations -- your per-agent settings, auto-approve rules, and blocked tool lists
- Budget alerts -- your spending thresholds and chosen actions
- Notification preferences -- your push and email notification settings
What We Do Not Collect
- We do not use analytics services (no Mixpanel, Amplitude, Segment, Google Analytics, or similar). We do not track your behavior across the app.
- We do not collect your AI API keys or credentials. You configure those directly with the AI provider on your local machine.
- We do not collect the plaintext content of your AI sessions.
2. How We Use Your Information
- Providing the Service -- authenticating your account, connecting your mobile device to CLI instances, relaying encrypted messages, and enabling session management
- Cost tracking and billing -- calculating and displaying your AI token usage costs, managing your subscription tier, and processing payments through Polar
- Notifications -- sending push notifications when your AI agents need attention, approval, or when budget thresholds are reached
- Security -- detecting and preventing unauthorized access, fraud, and abuse
- Service communications -- sending essential updates, security alerts, and (only with your consent) product announcements
We do not use your data to train AI models. We do not sell, rent, or share your personal data with third parties for their marketing purposes.
3. Cookies
Styrby uses only two cookies. No tracking cookies. No analytics cookies. No third-party advertising cookies.
- Authentication cookie (sb-[ref]-auth-token) -- set by Supabase Auth when you log in. Required for the Service to work. Contains your session token, stored as an httpOnly cookie.
- Sidebar preference cookie (sidebar:state) -- remembers whether your sidebar is open or closed. Expires after 7 days. Not required; the Service works without it.
Because we use only strictly necessary and functional cookies, we do not require an opt-in consent gate. We display a notice informing you of these cookies when you first visit.
4. Data Storage and Security
- End-to-end encryption -- session message content is encrypted on your device before it reaches our servers. We relay ciphertext only.
- Encryption at rest -- all data stored in our database is encrypted at rest (AES-256)
- Encryption in transit -- all connections use TLS 1.2 or higher. HTTP is redirected to HTTPS.
- Row Level Security -- database access is restricted so each user can only read and write their own data
Data is stored on servers operated by Supabase (SOC 2 Type II compliant). The web application is hosted on Vercel (SOC 2 Type II compliant). No method of storage or transmission is 100% secure. We cannot guarantee absolute security.
5. Sub-processors (Third-Party Services)
We use the following third-party services to operate Styrby. Each is bound by its own privacy policy. We do not share your data with any other parties.
- Supabase (United States) -- database, authentication, and real-time infrastructure. Stores your account data, session metadata, and encrypted message ciphertext.
- Vercel (United States) -- web application hosting. Receives your IP address and standard HTTP request metadata as part of serving web requests. Vercel does not use this for advertising.
- Polar (European Union) -- payment processing and subscription management. Polar is our merchant of record. They handle all payment card data. We never store your payment card information.
- Resend (United States) -- transactional email delivery. Receives your email address to send service notifications and account emails.
- Expo (United States) -- push notification delivery for the iOS and Android apps. Receives your device push token to deliver alerts.
6. Data Retention
We retain data for as long as your account is active, subject to the following limits:
- Session history -- retained based on your subscription tier: 7 days on Free, 90 days on Pro, 1 year on Power. Older sessions are automatically deleted.
- Cost records -- retained for the lifetime of your account for billing accuracy and dispute resolution
- Account data -- retained until you delete your account
- Audit logs -- retained for 90 days for security monitoring, then deleted
When you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to retain it for legal compliance (for example, financial records required by tax law).
7. Your Rights
You have the following rights over your personal data. Most can be exercised directly in the app under Settings.
- Access -- request a copy of all personal data we hold about you
- Portability -- export a machine-readable (JSON) copy of your data via Settings
- Correction -- update your profile information at any time via Settings
- Deletion (right to be forgotten) -- delete your account and all associated data via Settings, or by emailing us. Data is permanently deleted within 30 days.
- Restrict processing -- request that we limit how we use your data by contacting us
- Opt-out of marketing -- unsubscribe from non-essential emails at any time. Essential service notifications cannot be disabled while your account is active.
California Residents (CCPA)
California residents have additional rights under the CCPA, including the right to know what personal information we sell (we do not sell personal information) and the right to non-discrimination for exercising privacy rights.
EU and UK Residents (GDPR)
If you are in the EU or UK, our legal basis for processing your data is performance of the contract (providing the Service you signed up for) and our legitimate interest in preventing fraud and maintaining security. You have the right to lodge a complaint with your local data protection authority.
To exercise any right, contact us at support@styrby.dev. We respond within 30 days.
8. Children's Privacy
Styrby is not intended for anyone under the age of 13. We do not knowingly collect personal data from children under 13. If we learn that we have, we will delete it promptly.
9. Changes to This Policy
We may update this policy. For material changes, we will notify you by email at least 14 days before the change takes effect and update the "Last updated" date above. Minor clarifications may be made without notice.
Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
10. Contact
- Email: support@styrby.dev
- Company: Steel Motion LLC (veteran-owned)
For a full breakdown of how we handle data in B2B contexts, see our Data Processing Agreement.