Effective date: [EFFECTIVE DATE]·Version: privacy-2026-06-01
Stesso Privacy Policy
DRAFT — pending licensed-attorney ratification.
This document is a best-effort engineering/product draft prepared for review by licensed counsel. It is not legal advice and is not in force. Nothing here should be published, linked from a clickwrap flow, or relied on by any user, partner, or merchant until a qualified attorney has reviewed and ratified it. Bracketed placeholders —
[EFFECTIVE DATE],[STATE OF INCORPORATION],[CONTACT],[ARBITRATION BODY], and inline[ ... — counsel to confirm]notes — mark facts and wording that counsel must confirm before publication.Companion documents: This Privacy Policy is intended to be read alongside the Stesso Terms of Service draft (which carries the governing-law, arbitration, limitation-of-liability, warranty-disclaimer, indemnification, eligibility, assumption-of-risk, and AI-safety terms). Where this Policy references those terms, the Terms of Service controls the legal substance; this Policy describes data handling only.
Effective Date: [EFFECTIVE DATE — counsel to confirm; do not publish without a real date] Last Updated: [EFFECTIVE DATE] Policy Version: v[X.Y] (recorded server-side with each acceptance — see §15)
1. Who We Are and What This Policy Covers
Stesso, Inc. ("Stesso," "we," "us," or "our") is a [STATE OF INCORPORATION — Delaware, pending confirmation of incorporation] corporation with its principal place of business in the United States. Stesso operates an AI-powered platform that helps people plan and complete do-it-yourself ("DIY") projects by generating step-by-step guidance and matching it to instructional video content.
This Privacy Policy explains what personal information we collect, how we use and share it, and the choices and rights you have. It applies to all of the surfaces through which Stesso technology reaches you, collectively the "Service":
- The Stesso web application at stesso.com and related Stesso-owned domains (the "core web app").
- AI features within the Service — including the chat/search interface, AI-generated project plans, step instructions, clarifying questions, and clip-search results ("AI Features").
- Embedded Stesso experiences — chat widgets, search bars, and related components that Stesso provides for placement on third-party merchant or publisher websites (for example, a Shopify storefront), where the Stesso experience runs inside the merchant's domain or in an embedded frame ("Embedded Surfaces").
- Brand demonstration sites — demonstration-only environments that showcase how the Service can be configured for a brand or retailer ("Demo Sites").
- The Stesso public API, made available only to vetted, contractually approved partners ("API").
- The Stesso mobile application (built with React Native, distributed via app stores) ("Mobile App").
- Creator tools, including the channel-admin tooling and the automated, creator-voice reply features that may post on connected video platforms (e.g., YouTube) ("Creator Tools").
- Content syndication / answer-engine distribution — Stesso content that we make available to be crawled, indexed, and re-served by search engines and large-language-model "answer engines."
[Counsel to confirm scope: whether a single combined policy across all surfaces is preferable to surface-specific addenda — especially for the Embedded Surfaces and API, where the relevant controller/processor (GDPR) or business/service-provider (CCPA/CPRA) roles differ by surface. See §6 and §9.]
Important — even without an account, we collect personal information. You can use much of the Service anonymously, without creating an account. We still collect personal information from anonymous use (for example, an analytics identifier, IP address, device data, and the prompts you type). Under laws such as the EU/UK GDPR and the California CCPA/CPRA, this is "personal data" / "personal information," and you have rights regarding it (see §11).
2. A Note on How AI and Safety Affect Privacy
Stesso is an AI product that generates DIY guidance, including for tasks that can be hazardous. Two things follow that are relevant to privacy:
- AI can be wrong. AI-generated guidance may contain errors, omissions, or unsafe instructions, and is not a substitute for a licensed or qualified professional. The safety, warranty, assumption-of-risk, and liability terms governing your use of AI guidance live in the Terms of Service, not in this Policy. This Policy only explains how the data that flows through those AI Features is handled.
- Some inputs are gated or refused. For certain high-risk guidance, we require you to be signed in, to accept the Terms of Service, and to affirm that you are 18 or older (see §10). We also refuse to generate the most dangerous categories of content and decline to make food-safety / allergen safety determinations. To enforce these limits, we process the content of your prompts (see §3.3 and §4).
3. Information We Collect
We collect the categories below. Not every category applies to every surface; we note surface-specific points where relevant.
3.1 Account and Identity Information
If you create an account or sign in:
- Single Sign-On (SSO) identity. We primarily authenticate via Google and Apple SSO (with an email-verified fallback). From the SSO provider we receive your name, email address, a stable account identifier, and, depending on the provider and your settings, a profile image. We do not receive your SSO password.
- Profile and account data you provide or that is created for your account (display name, preferences, role/membership in any channel or organization, subscription/billing status).
- Authentication and security data — session tokens (stored server-side, hashed), login events, two-factor authentication status, password-reset events, and similar records needed to keep accounts secure.
- Creator / channel data — for Creator Tools users: connected platform account identifiers (e.g., a connected YouTube channel via OAuth), channel membership and role, and the OAuth tokens needed to act on a connected account. [Counsel/privacy to confirm the YouTube API Services data-handling and disclosure requirements that attach to connected-account data and to automated replies — these are governed by the platform's developer terms in addition to this Policy.]
3.2 The Analytics Identifier (PostHog distinct_id)
We use PostHog for product analytics. PostHog assigns a pseudonymous analytics identifier called a distinct_id to a browser/app instance so we can understand usage across a session and (for signed-in users) across devices.
Accuracy note (important and intentional). In some of our databases this analytics identifier is stored in a column historically named
fingerprint. Despite the column name, the value is the PostHogdistinct_id— it is NOT a browser fingerprint and is not derived from canvas, WebGL, fonts, or other device-fingerprinting techniques. The legacy column name is retained only for backward compatibility; the database schema itself documents this (aCOMMENT ON COLUMNnotes that the field carries the PostHogdistinct_id, not a fingerprint). We describe it accurately here because earlier published copy incorrectly described "browser fingerprinting." [Counsel/privacy: this corrects prior public language; confirm the corrected description and that no surface still performs true device fingerprinting before publishing.]
When you sign in, we may associate ("identify"/"alias") the pre-login distinct_id with your account so your activity is continuous. For anonymous users, the distinct_id is the primary way we recognize a returning visitor; it is not tied to a real-world identity unless and until you sign in.
3.3 AI Prompts, Inputs, and Generated Content
When you use AI Features, we collect and process:
- Your prompts and inputs — the natural-language descriptions, questions, problem statements, search queries, clarifying-question answers, and any project/context details you submit (of any length).
- Uploaded media — photos, screenshots, or other images you upload for analysis (for example, a photo of a part or a problem area). Image attachments are subject to a short retention window and an automated purge (see §8).
- AI-generated outputs — the project plans, step instructions, recommendations, clip selections, tips/warnings, and other content the AI produces in response to your inputs.
- AI feedback signals — ratings, thumbs, "expand"/"skim"/engagement signals on clips, and similar feedback you provide about results. (Note: admin/expert pairwise quality votes are kept in a separate signal store and are not merged with end-user feedback.)
3.4 Usage and Interaction Data
- Navigation and behavior — pages/screens viewed, features used, time on page, click and scroll interaction, session duration, and return frequency.
- Project/task activity — projects or queries created, viewed, refined, completed, or abandoned; steps completed; saved/bookmarked items; searches and filters.
- Content engagement — video playback events (play, pause, seek, complete), clip interactions, resource/link clicks, and downloads.
3.5 Device, Connection, and Diagnostic Data
- Device and app data — device/OS type and version, app or build version, browser type and version, language and timezone, screen/viewport characteristics. On the Mobile App, this may include a mobile OS-provided advertising/vendor identifier [only if used — confirm; otherwise remove].
- Connection data — IP address, approximate location derived from IP, referring URLs, and network information.
- Diagnostics — performance metrics, error/crash reports, stack traces, and similar logs used to keep the Service working.
3.6 Cookies and Similar Technologies
We and our providers use cookies, local/session storage, and similar technologies for authentication/session management, security, preference storage, and analytics (including the PostHog distinct_id). On Embedded Surfaces, browser limits on third-party cookies mean some features (for example, signed-in high-risk flows) route to a first-party or popup context — see §6. Where required by law, we present a cookie/consent notice and honor your choices, including Global Privacy Control where applicable. [Counsel/privacy: confirm cookie-consent banner requirements per jurisdiction (EU/UK ePrivacy, etc.) and whether a separate Cookie Notice is needed.]
3.7 Information We Do Not Intentionally Collect
We do not seek to collect special-category / sensitive data (e.g., health, precise geolocation beyond IP-derived approximation, government IDs). Because prompts and uploaded images are free-form, please do not submit sensitive personal information in AI Features. [Counsel/privacy: confirm whether IP-derived location or any inferred data triggers "sensitive personal information" obligations under CPRA, and whether a sensitive-data disclosure/limitation is required.]
4. How We Use Information
We use the information above to:
- Provide the Service — authenticate you, generate AI guidance, match and serve relevant videos/clips, maintain your history and progress, and operate the surfaces you use.
- Process AI inputs and outputs — interpret your prompts, generate responses, and run them through our safety/guardrail logic (including high-risk gating, refusal of the most dangerous requests, and food-safety/allergen determination refusal — see §10 and the Terms of Service).
- Personalize and improve — understand usage, fix bugs, measure performance, and improve features and result quality.
- Develop AI/ML models — see §5 for how we handle the use of your content for model training and the choices available to you.
- Security, fraud prevention, and abuse mitigation — protect accounts, detect misuse, and enforce our terms.
- Communicate with you — service messages, security notices, and (with consent where required) product updates.
- Comply with law and protect rights — meet legal obligations and protect Stesso, our users, partners/merchants, and the public.
- Record agreement acceptance — see §15 (clickwrap acceptance records).
Legal bases (GDPR/UK GDPR). Where the GDPR/UK GDPR applies, we rely on: performance of a contract (providing the Service); legitimate interests (security, improvement, analytics, model development — balanced against your rights); consent (where required, e.g., certain cookies/analytics and certain communications); and legal obligation. You may object to or withdraw consent for processing as described in §11. [Counsel/privacy to confirm the legal-basis mapping, especially for analytics and model training, per jurisdiction.]
5. How We Handle AI Inputs and Outputs (Including Model Training)
- Processing to serve you. Your prompts, uploaded images, and the resulting outputs are processed to produce your guidance and may be sent to the AI/ML providers and infrastructure described in §9 strictly to generate your response.
- Improvement and model development. We may use AI inputs and outputs to evaluate quality, improve safety guardrails, and train/refine current and future AI/ML models. [Counsel/privacy — load-bearing decision to confirm before publishing: whether model training on user content is (a) on by default with an opt-out, (b) opt-in, and/or (c) limited to de-identified/aggregated data; and how this interacts with GDPR legal basis and CCPA/CPRA "sharing"/opt-out. The prior public draft asserted broad training rights by default; counsel must ratify the final posture and the corresponding user control.]
- De-identification/aggregation. Where feasible, we de-identify or aggregate data used for analytics and model development so it is not reasonably linkable to you.
- No sale of your prompts. We do not sell your prompts or AI content. Whether any analytics/advertising activity constitutes a "sale" or "sharing" under CCPA/CPRA is addressed in §11. [Counsel to confirm the CCPA/CPRA "sale"/"share" characterization, particularly for third-party analytics.]
- Third-party platform content (Creator Tools). Automated creator-voice replies and content posted to connected platforms (e.g., YouTube) are also governed by that platform's terms and data policies, which may grant the platform its own rights to that content. See §7.
6. Data in Embedded / Third-Party Merchant Contexts
When you interact with a Stesso Embedded Surface on a merchant's or publisher's website (for example, a Stesso chat widget on a Shopify storefront):
- A persistent notice is shown. The embedded experience displays a non-removable notice that the experience is powered by Stesso (and AI-powered), so you know you are interacting with Stesso technology, not the merchant directly. On first use, where required, you are asked to consent before the embedded chat processes your inputs.
- What Stesso receives. When you use the embedded experience, Stesso receives the data described in §3 that is generated by your interaction with that embedded experience — for example, your prompts, the embedded page/context, your analytics identifier, device/IP data, and diagnostics. Stesso does not receive the merchant's other customer data unless the merchant separately and lawfully shares it.
- High-risk flows in embeds. Because browsers restrict third-party cookies/popups inside frames, high-risk AI guidance inside an Embedded Surface uses placement-native authentication (for example, the merchant platform's own customer login, such as Shopify's, handled seamlessly in-domain) or routes to a first-party/popup Stesso flow, so that sign-in, Terms acceptance, and the 18+ affirmation can be reliably recorded (see §10 and §15).
- Roles of the parties. Stesso and the merchant are independent companies. [Counsel/privacy to confirm the data-protection roles: typically the merchant is responsible for its own site and its own customer relationship, and Stesso is responsible for the Stesso experience and the data it collects through that experience. Confirm whether Stesso acts as an independent controller / "business" vs. a processor / "service provider" for embedded data, and ensure the merchant flow-down terms (display the notice, no holding-out of Stesso content as the merchant's own, indemnify Stesso) and any required data-processing terms are in the merchant agreement.]
- The merchant's own privacy practices are governed by the merchant's privacy policy, which we do not control.
7. Creator Tools and Automated Creator-Voice Replies
For creators who connect a channel and use Creator Tools:
- Connected-account data. We process the connected platform account identifiers and OAuth tokens needed to operate the tools and, where enabled, to post replies on the creator's behalf.
- Automated replies and disclosure. Where automated creator-voice replies are enabled, an AI/automation and material-connection disclosure is shown by default and cannot be silently disabled. Replies posted to a third-party platform (e.g., YouTube) become subject to that platform's terms and data handling.
- Scope limits. Certain reply types (for example, high-hazard advice and certain product-endorsement language) are routed to human review rather than fully automated. These controls are operational; the data we process to run them is described in §3.
- Platform terms govern the platform. What the connected platform collects, stores, and displays is governed by the platform's own policies. [Counsel/privacy to confirm YouTube API Services / connected-platform disclosure obligations are reflected here and in the in-product disclosures.]
8. Data Retention
We keep personal information only as long as needed for the purposes in this Policy, then delete or de-identify it, unless a longer period is required for legal, security, dispute-resolution, or contractual reasons.
Indicative retention (to be finalized by counsel/privacy):
- Image attachments to AI Features — short-lived; subject to an automated purge job with an approximately 24-hour time-to-live, unless you have saved the result to your account. [Confirm exact TTL and any exceptions.]
- AI prompts, outputs, and feedback —
[retention period — counsel/privacy to set], then de-identified or deleted; de-identified/aggregated data may be retained longer. - Analytics data (incl. PostHog
distinct_idevents) —[retention period — confirm with PostHog configuration]. - Account, authentication, and security logs — for the life of the account plus a reasonable period afterward, and as required for security/legal purposes.
- Clickwrap acceptance records (Terms version + content hash + timestamp) — retained for the period needed to evidence agreement, typically for the duration of the relationship plus the applicable limitations period. See §15.
- Records subject to legal hold — retained until the hold is lifted.
[Counsel/privacy to confirm all retention periods and a documented retention schedule.]
9. Service Providers and Disclosure of Information
We share information only as described here. We do not sell your personal information (see §11 for the CCPA/CPRA "sale"/"sharing" characterization, which counsel must confirm).
Categories of recipients:
- Hosting/infrastructure — our cloud hosting and deployment platform (e.g., Vercel) and database/storage providers, including blob storage for uploaded media.
- Analytics — PostHog (product analytics; assigns the
distinct_id) and similar product/performance analytics tools. - AI/ML providers — providers that process prompts, images, and context to generate outputs and that support model development (for example, Google / Vertex AI and other AI model providers we use). [List the specific AI subprocessors and confirm their data-use terms, including whether they may use inputs for their own training — counsel/privacy to confirm and to ensure DPAs are in place.]
- Authentication providers — Google and Apple (SSO) and connected platforms (e.g., YouTube via OAuth).
- Payments/subscriptions — our payments processor (e.g., Stripe) for subscription billing; Stesso does not store full card numbers.
- Communications — email/notification providers for service messages.
- Merchants/partners (Embedded Surfaces and API) — see §6 and the API terms; data exchange is governed by the partner/merchant agreement.
- Professional advisors, and corporate transactions — legal/accounting advisors; and, in a merger, acquisition, financing, or sale of assets, a successor entity (with this Policy continuing to apply or notice provided).
- Legal/safety — government authorities or others when required by law or to protect rights, safety, and the integrity of the Service.
We require service providers, by contract, to use personal information only to provide services to us and not for their own purposes, except as permitted by law. [Counsel/privacy: confirm CCPA "service provider"/"contractor" contractual terms and GDPR Article 28 DPAs are in place for each recipient, and consider publishing a current subprocessor list.]
Public/syndicated content. Content Stesso publishes publicly (including content we allow search engines and answer engines to crawl and re-serve) is, by design, publicly accessible. Do not include anything you consider private in content intended to be public. Note that safety disclaimers and provenance attached to on-platform content may not travel into copies re-served by third-party answer engines; those third parties control how they display Stesso-derived content.
10. Eligibility, Children, and the 18+ Affirmation
- General audience; not directed to young children. The Service is a general-audience product and is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children under that age. If you believe a child under that age has provided us personal information, contact us at
[CONTACT]and we will take steps to delete it. - 18+ for high-risk guidance. To access high-risk AI guidance, you must be 18 or older. As part of a single combined sign-in/acceptance step, you provide a self-declared affirmation that you are 18 or older, which we record with your acceptance (see §15). The Terms of Service prohibit under-18 use of high-risk features.
- Teens (13–17). Where teens use general-audience, low-risk features, we process the minimum necessary data and apply applicable youth-privacy protections. [Counsel/privacy to confirm COPPA (under-13), state teen-privacy laws (e.g., minors' data rules), and GDPR age-of-consent thresholds (13–16 by member state), and whether any age-assurance beyond self-declaration is required.]
11. Your Privacy Rights and Choices
The rights you have depend on where you live. To exercise any right, contact us at [CONTACT]. We will verify your request as required and respond within the timeframe the law requires. You may use an authorized agent where the law allows. We will not discriminate against you for exercising your rights.
11.1 California (CCPA/CPRA)
If you are a California resident, you may have the right to: know/access the categories and specific pieces of personal information we collect; delete personal information; correct inaccurate personal information; opt out of "sale" or "sharing" of personal information; and limit the use of sensitive personal information.
- "Sale"/"Sharing." We do not sell personal information for money. Whether our use of third-party analytics constitutes "sharing" (cross-context behavioral advertising) or a "sale" under the CPRA, and whether we must therefore honor a "Do Not Sell or Share My Personal Information" control and Global Privacy Control signals, is [a determination counsel/privacy must confirm; if applicable, we will provide the opt-out link and honor GPC].
- Sensitive personal information. See §3.7 — [confirm whether any SPI is processed and whether a "Limit the Use of My Sensitive Personal Information" link is required].
- Notice at collection and the categories of information collected, sources, purposes, and recipients are described in §3, §4, and §9.
11.2 EU / EEA / UK (GDPR / UK GDPR)
If you are in the EEA or UK, you may have the right to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing (including processing based on legitimate interests and direct marketing); and to withdraw consent at any time (without affecting prior lawful processing). You also have the right to lodge a complaint with your supervisory authority.
- Controller. For most Service surfaces, Stesso, Inc. is the data controller. For some Embedded Surface / API data, roles may differ — see §6 and §9. [Counsel/privacy to confirm controller/processor mapping and whether an EU/UK representative or DPO is required, and to provide that contact.]
- International transfers. See §13.
- Automated decision-making. AI Features generate guidance but do not make decisions producing legal or similarly significant effects about you. [Counsel/privacy to confirm no Article 22 automated-decision concerns arise from high-risk gating/refusal logic.]
11.3 Other U.S. States and Jurisdictions
Residents of other U.S. states with comprehensive privacy laws (for example, Virginia, Colorado, Connecticut, Texas, and others as enacted) and of other countries may have similar rights (access, correction, deletion, portability, opt-out of targeted advertising/profiling/sale). We honor applicable rights based on your residency. [Counsel/privacy to confirm the list of in-scope state/country regimes and any regime-specific disclosures or appeal mechanisms (e.g., a right-to-appeal a denied request under several state laws).]
11.4 Choices Available to Everyone
- Account settings — update profile data and manage certain preferences.
- Cookies/analytics — manage via our consent tools (where presented) and your browser/OS controls; we honor Global Privacy Control where applicable/required.
- Communications — opt out of non-essential email via unsubscribe links.
- Deletion — request deletion of your account and associated data, subject to legal/retention exceptions (see §8).
- Model training choice — see §5 [final control to be set by counsel/privacy].
12. Security
We use technical and organizational measures designed to protect personal information, including: encryption in transit (TLS) and encryption at rest for sensitive data; Argon2id password hashing and server-side, hashed session tokens; httpOnly/secure/sameSite cookies; access controls and authentication (including optional two-factor authentication); rate limiting on sensitive endpoints; monitoring; and periodic review. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. [Counsel/privacy to confirm breach-notification obligations and timelines per jurisdiction.]
13. International Data Transfers
Stesso is based in the United States, and we and our service providers may process personal information in the United States and other countries whose data-protection laws may differ from yours. Where we transfer personal data out of the EEA, UK, or other regulated regions, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or other lawful transfer mechanisms. [Counsel/privacy to confirm the transfer mechanisms in place with each provider and any supplementary measures, and whether Stesso participates in the EU-U.S. Data Privacy Framework.]
14. The Public API (Vetted Partners)
The Stesso API is available only to vetted, manually approved partners under signed agreements. Those agreements require partners to, among other things, acknowledge the AI nature of the content, pass through end-user AI/safety disclaimers, and indemnify Stesso. When you interact with a partner application that uses the API, the partner is responsible for its own privacy disclosures to you, and the partner's processing of your data is governed by the partner's agreement with Stesso and the partner's own privacy policy. [Counsel/privacy to confirm the API partner data terms, the controller/processor allocation, and any required end-user notice in partner apps.]
15. Clickwrap Acceptance and Agreement Records
When you accept the Terms of Service (and, for high-risk features, complete the combined sign-in / acceptance / 18+ affirmation step), we record the acceptance server-side, including the Terms version, a content hash of the accepted text, a timestamp, and the associated account or session identifier. We retain these records to evidence the agreement and your eligibility affirmation (see §8 and §10). The legal effect of acceptance — including the arbitration agreement, class-action waiver (with a 30-day opt-out), limitation of liability, warranty disclaimers, indemnification, assumption of risk, and governing law — is set out in the Terms of Service, which controls those matters. This Policy describes only the data recorded.
16. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last Updated" date, increment the Policy Version, and, where required by law, provide additional notice (and, where required, obtain consent). Your continued use of the Service after an update takes effect constitutes acceptance of the updated Policy to the extent permitted by law. We maintain prior versions and acceptance records as described in §15.
17. Contact Us
For privacy questions or to exercise your rights:
- Privacy contact / email:
[CONTACT — e.g., privacy@stesso.com; counsel/privacy to confirm the address and any postal address] - Mailing address:
[CONTACT — postal address, counsel to confirm] - EU/UK representative or Data Protection Officer (if applicable):
[CONTACT — counsel/privacy to confirm whether required and provide]
When you contact us about a rights request, please include enough information for us to verify your identity and locate your data (without sending sensitive information unnecessarily). We will respond as required by applicable law.
End of DRAFT. Counsel must (1) ratify every bracketed
[ ... ]item, (2) confirm the model-training default/opt-out posture in §5 and §11.4, (3) confirm the CCPA/CPRA "sale"/"sharing" and GPC determinations in §11.1, (4) confirm controller/processor roles for Embedded Surfaces and the API (§6, §14), (5) confirm the correcteddistinct_iddescription in §3.2, and (6) set all retention periods (§8) and the effective date before any publication.