Short version: We collect the bare minimum to run Stratam for you (your email, your conversations, your tool outputs). We store it in your own isolated container. We don't sell it, we don't train models on it, and you can ask us to delete all of it anytime.
1. What we collect
Waitlist signup
When you join the waitlist we store your email, the timestamp, your user-agent, the page you came from, and the IP address of the request. We use this to (a) email you when your access opens and (b) detect abuse if the form gets spammed.
Account & operation data
When your access opens and you start using Stratam, we store:
- Your conversations — everything you say to Stratam and everything he replies. Used to give him memory across sessions and to debug coherence issues.
- Tool outputs — the results of browser, code-execution, and web-search tool calls he makes on your behalf. Used to audit claims and prevent fabrication.
- Configured integrations — Discord bot token, Twilio number, Gmail OAuth refresh token if you connect them. Encrypted at rest with a per-operator Fernet key.
- Usage telemetry — count of API calls, token usage, error rate. Used for billing and to keep the system healthy.
2. Where it lives
Stratam runs on dedicated DigitalOcean infrastructure. Your data sits in a persistent Docker volume scoped to your operator account. Background backups go to a separate volume on the same droplet. Nothing is shipped to third-party analytics providers.
Builder-tier customers can run Stratam on their own droplet. In that case, none of your operational data ever touches our infrastructure — it's all in your VPS, your OAuth tokens, your storage.
3. Who we share it with
Nobody, with three narrow exceptions:
- The LLM providers we route through (Anthropic, OpenAI, Google, OpenRouter). When Stratam answers a message of yours, the prompt + recent context goes to the provider for inference. They have their own privacy policies; we don't store anything extra at their end.
- The tools you ask him to use. If you ask him to send an email via Gmail, that email reaches Google. If you ask him to post to Discord, Discord receives the message. That's how the action gets done.
- Law enforcement, if we receive a valid, narrowly scoped subpoena. We don't volunteer data and we'll contest overbroad requests.
4. What we DON'T do
- We don't sell your data to advertisers.
- We don't train any model on your conversations.
- We don't share your data with other operators.
- We don't track you across other websites — there's no cross-site cookie, no fingerprint library, no analytics SDK on stratam.us.
5. Your rights
At any time you can email hello@stratam.us and ask us to:
- Export all data we have on you, in JSON.
- Delete your account and all associated data. We honor this within 7 days.
- Correct any data we have wrong.
If you're in the EU or UK, those are GDPR rights. If you're in California, those are CCPA rights. We honor them either way.
6. Security
OAuth tokens and API keys are encrypted at rest with a per-operator key. All traffic between you and Stratam goes through TLS (Caddy + Let's Encrypt). Internal Docker traffic is on a private bridge network not exposed to the host. We rotate the Fernet keys every 90 days.
No security is perfect. If a breach happens, we'll email every affected operator within 72 hours of detection with what we know and what we're doing about it.
7. The public demo
The chat at /demo is stateless — we record the IP for rate-limiting (30 turns/hour) but we do NOT store the conversation content beyond the request itself. Each visit starts fresh.
8. Changes
If we update this policy materially, we'll email all operators and post a notice on the homepage 14 days before it takes effect. The full version history lives in our public git repo (URL provided to operators on request).
9. Contact
Questions, requests, complaints: hello@stratam.us.