Stoa

Privacy Policy

Effective date: March 30, 2026
Operated by: Happiness Global Inc. | support@meetstoa.com

Stoa is an AI relationship guide designed to help you reflect on and navigate your personal relationships. Because Stoa works by understanding context about your life and relationships, it necessarily processes personal and sometimes sensitive information. We take that responsibility seriously.

This Privacy Policy explains what data we collect, why we collect it, who we share it with, and the rights you have over it. We have written it to be as plain and specific as possible, because we believe you deserve to know exactly what happens to your information.

1. Who We Are

Stoa is operated by Happiness Global Inc., a Delaware C-corporation. For the purposes of EU data protection law, Happiness Global Inc. is the data controller. If you have questions or requests relating to this policy, please contact us at:

Happiness Global Inc.
support@meetstoa.com

2. What Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Your email address and display name
  • Your preferred name, as set during onboarding
  • Your birth month and year, which is converted to an age range and stored in your memory profile
  • Your Google name and email address if you sign in with Google Sign-In

2.2 Conversation Content

We store the full text of every message you send to Stoa and every response Stoa sends to you. These transcripts are retained according to your chosen retention setting (see Section 6). In addition, we generate and store the following metadata for each conversation:

  • A short title and summary
  • Hashtags categorising the conversation topic
  • A structured “Stoa Take” where relevant (a brief analysis of the relational situation you described)
  • Your feedback rating (nope / meh / yes), if you provide one

2.3 Memory Data (Persists Across Conversations)

This is one of the most important things to understand about Stoa. After each conversation, our system automatically extracts information that may be relevant to future conversations. This includes:

  • Personal details you share (e.g. your age, life stage, location)
  • Information about people in your life: their names, your relationship to them, notable events, and relational dynamics
  • Themes and concerns you return to across conversations
  • Values and patterns in how you approach relationships

This extracted data is consolidated into a memory summary that is included in the context of every future conversation, so Stoa remembers what you've shared.

Important: Memory data persists even if you delete a conversation or set a short retention period. Deleting a conversation removes the transcript, but not the memories extracted from it. You can delete all memory data by deleting your account entirely (see Section 6).

2.4 Usage and Technical Data

We collect limited technical and usage data, including:

  • Monthly token usage (an estimate of how much processing your conversations require)
  • Analytics metadata such as model used, response latency, and session events (via PostHog). This does not include conversation content.
  • Session cookies and a JWT token used to keep you logged in
  • Your selected AI model preference, stored locally in your browser
  • If you upload images or files during a conversation, these are stored in Vercel Blob storage and served via a public CDN URL. Uploaded files up to 5MB are supported. Files associated with deleted conversations are not automatically removed from Blob storage (see Section 6).

We also enforce a burst rate limit of 8 messages per 60 seconds to ensure fair access for all users.

2.5 Information You Provide About Others

Stoa is a relationship guide, so you will naturally share information about other people — partners, friends, family members, colleagues. We process this information solely to provide the service to you. We do not use it to build profiles on third parties, and we do not share it with anyone except as described in Section 4.

2.6 Payment and Subscription Data

  • Stripe customer ID and subscription ID (identifiers linking your account to Stripe's payment system)
  • Subscription status (trialing, active, cancelled, past due)
  • Trial end date and billing period dates
  • Card details are collected and processed directly by Stripe — we never receive or store your full card number, CVV, or bank details
  • Notification dismissal records (tracking which account alerts you have seen)

3. Why We Process Your Data

We rely on the following legal bases under GDPR. California residents: see Section 11 for CCPA/CPRA rights.

Contractual necessity (Art. 6(1)(b) GDPR) — processing required to provide the service:

  • Creating and managing your account
  • Delivering AI-generated responses to your messages
  • Storing and enforcing your retention preferences

Legitimate interests (Art. 6(1)(f) GDPR) — our legitimate interest in improving and operating the service:

  • Generating conversation titles, summaries, and hashtags
  • Monitoring token usage to prevent abuse
  • Analysing aggregate, anonymised usage patterns via PostHog

Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — for sensitive data processing:

  • Building and maintaining your memory profile, which may include sensitive personal information about your relationships, emotional wellbeing, and life circumstances
  • Sending marketing emails via Loops.io, if you opt in during onboarding

4. Who We Share Your Data With

We do not sell your personal data. We do not share it with advertisers. The following third parties process your data on our behalf as data processors:

4.1 Anthropic (Claude AI)

Your full conversation transcripts and your memory summary are sent to Anthropic's API to generate Stoa's responses, and to extract and consolidate memory data. Anthropic processes this data as a subprocessor under its API Data Processing Agreement. Anthropic states that it does not use API inputs/outputs to train its models by default. See Anthropic's privacy policy at anthropic.com/privacy.

4.2 Google (Vertex AI / Gemini)

Full conversation transcripts are sent to Google's Vertex AI platform (Gemini models) for generating conversation titles, summaries, hashtags, and wrap-up detection. Google processes this data under its Cloud Data Processing Addendum. See cloud.google.com/terms/data-processing-addendum.

4.3 Google (OAuth)

If you sign in with Google, we receive your email address and name from Google. We do not receive or store your Google password.

4.4 Vercel / Neon / Redis / Blob Storage

Our infrastructure runs on Vercel. Your data (including account information, conversations, and memory data) is stored in a Vercel-hosted PostgreSQL database (Neon), Redis cache, and Vercel Blob storage. As our infrastructure provider, Vercel has access to all data we store. Data is hosted in the United States.

4.5 PostHog

We use PostHog for product analytics. We send PostHog metadata only — model identifiers, response latency, event types, and session identifiers. We do not send conversation content to PostHog. PostHog events, once sent, cannot be deleted on a per-user basis; we disclose this because it affects your right to erasure (see Section 8).

4.6 Loops.io

If you opt in to email communications during onboarding, your email address and display name are synced to Loops.io for product updates and announcements. You can unsubscribe at any time via the link in any email, which will also trigger removal of your data from Loops.io. Additionally, Loops.io is used to send transactional service emails (subscription confirmation, payment failure alerts, cancellation confirmation, trial expiry notices) — these are sent regardless of marketing opt-in as they relate to your account and billing.

4.7 Stripe

Payment processing is handled by Stripe, Inc. Your card details are entered directly into Stripe's embedded checkout — they never pass through our servers. We store only Stripe-issued identifiers (customer ID, subscription ID) and subscription metadata (status, billing dates). Stripe may store your payment method, transaction history, and billing address under their own privacy policy. See: stripe.com/privacy

4.8 Other Disclosures

We may disclose your data if required by law, court order, or to protect the rights, property, or safety of Happiness Global Inc., our users, or others.

5. International Data Transfers

Stoa is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism for data sent to our US-based processors (Anthropic, Google, Vercel, PostHog, Loops.io). Where our processors have their own SCCs or equivalent mechanisms, we rely on those. You may request a copy of the applicable transfer mechanisms by contacting us.

6. How Long We Keep Your Data

You control how long your conversation transcripts are retained. During onboarding (and in settings at any time), you can choose from the following options:

  • Keep forever — conversations are retained indefinitely
  • 30 days — conversations older than 30 days are automatically deleted
  • 7 days — conversations older than 7 days are automatically deleted
  • Ephemeral (12 hours) — conversations are deleted approximately 12 hours after they end

These settings govern conversation transcripts and AI-generated metadata (titles, summaries, takes). They do not affect memory data.

Memory retention: Memory data (your extracted profile and per-person relationship summaries) is retained until you delete your account. This means memory persists even if you choose a short transcript retention window. To delete memory data, you must delete your account.

Account data (email, name, preferences) is retained for as long as your account exists. Subscription and billing metadata (Stripe identifiers, status, dates) and notification dismissal records are retained while your account exists. Upon account deletion, we delete all account data, conversations, messages, memory logs, memory summaries, token usage records, subscription data, and notification records. Deleting your account will also immediately cancel any active Stripe subscription. Stripe retains its own records (invoices, transaction history) per their data retention policy.

Limitations: PostHog analytics events and Vercel Blob uploads associated with deleted conversations cannot be retroactively deleted from those third-party systems.

7. AI Nature and Memory Disclosure

Stoa is an AI-powered application. You are interacting with an AI, not a human. Stoa is not a licensed therapist, counsellor, or mental health professional. Please see our Terms of Service for important disclaimers about the nature and limitations of Stoa's responses.

During onboarding, we indicate that Stoa will remember information from your conversations even if you delete transcripts — specifically, who is in your life and the stories you share. This is intended to save you from having to re-explain context in every conversation.

8. Your Rights

Depending on where you live, you have the following rights over your personal data. To exercise any of these rights, contact us at support@meetstoa.com. We will respond within 30 days (GDPR) or 45 days (CCPA/CPRA).

8.1 Rights Under GDPR (EEA / UK Users)

  • Access: You have the right to receive a copy of the personal data we hold about you, including your memory profile.
  • Rectification: You can ask us to correct inaccurate data.
  • Erasure (“right to be forgotten”): You can request deletion of your account and all associated data. Note the PostHog and Vercel Blob limitations described in Section 6.
  • Portability: You can request your data in a machine-readable format.
  • Restriction: You can ask us to limit processing of your data in certain circumstances.
  • Objection: You can object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: You have the right to complain to your local data protection authority.

8.2 Rights Under CCPA / CPRA (California Residents)

  • Right to know: You can request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You can ask us to correct inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information: Your conversation content is used only to provide the service to you.
  • Right to opt out of automated decision-making: You may request that we not use automated processing in ways that produce legal or similarly significant effects.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

9. Cookies and Local Storage

Stoa uses the following cookies and browser storage:

  • Session cookie (NextAuth JWT): Contains your user ID, email, account type, and name. Required for authentication. Duration: 30 days.
  • localStorage (model preference): Stores your selected AI model locally on your device only; not transmitted to our servers.

We also use PostHog, which sets its own analytics cookies. These do not contain conversation content.

10. Security

We implement the following security measures:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Data stored in Neon (PostgreSQL) and Vercel Blob is encrypted at rest.
  • Password hashing: Passwords are hashed using bcrypt before storage. We never store plaintext passwords.
  • Access controls: Access to production systems is restricted to authorised personnel.

No method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours where required by GDPR or applicable law.

11. Children's Privacy

Stoa is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are between 13 and 17, please review this policy with a parent or guardian before using Stoa.

If you believe we have inadvertently collected data from a child under 13, please contact us immediately at support@meetstoa.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and, for material changes, notify you by email or by a prominent notice within the app.

13. Contact Us

Happiness Global Inc.
support@meetstoa.com

If you are in the EEA and believe your rights have not been addressed, you may also contact your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

Copyright 2026 Happiness Global Inc. | meetstoa.com