Privacy Policy

Strata ("we", "our", or "the Service") is a multi-tenant B2B analytics platform. This Privacy Policy describes how we collect, use, store, and protect information when you use the Service.

By using Strata, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

Account Information

When you register, we collect your name, email address, and organization name through our authentication provider (Kinde).

Uploaded Data

You may upload CSV files, spreadsheets, or connect SaaS data sources. This data is stored in your tenant-isolated warehouse and is never shared with other tenants.

Usage Data

We collect anonymized usage metrics (pages visited, features used, query counts) to improve the Service. Error logs may be captured by our error tracking service (Sentry).

Payment Information

Payment details are processed by Stripe and are never stored on our servers. We retain only your Stripe customer identifier and subscription status.

Each tenant's data is stored in a dedicated, isolated warehouse. Tenant data is segregated at the storage, query, and API layer. Cross-tenant data access is architecturally prevented through scoped credentials and namespace prefixing.

• To provide and maintain the analytics Service
• To process natural-language queries against your data
• To generate ML analyses (forecasting, anomaly detection)
• To send transactional emails (billing, alerts)
• To improve Service reliability and performance

We use third-party service providers ("subprocessors") to operate Strata. Key examples include Stripe (payments), Kinde (authentication), Google Gemini (AI queries), Cloudflare (storage and CDN), Sentry (error tracking), and Plaid / QuickBooks / Xero (connector data). Your query text may be sent to the Gemini API for processing; raw data rows are not.

A complete, up-to-date list of all subprocessors — including country of operation and purpose — is available on our Subprocessors page. Enterprise customers on the Scale plan may request advance notice of subprocessor changes via [email protected].

We do not use your data to train, fine-tune, or improve any AI or machine learning models. Data sent to the Gemini API for query generation is processed under Google's API terms, which prohibit training on API inputs.

All customer data is stored on infrastructure located in the United States. Uploaded files are stored in Cloudflare R2 (US-based). Database records are stored in PostgreSQL on our managed VPS. Tenant warehouses (DuckDB) are stored in R2 and processed on compute in the same US region.

We retain your data for as long as your account is active. Upon account deletion, tenant data (warehouse, uploaded files, connectors) is permanently deleted within 30 days. Billing records may be retained longer as required by law.

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, scoped API credentials, and regular security audits. Access to production systems is restricted and logged.

• Access — Request a copy of the data we hold about you.
• Deletion — Request deletion of your account and all associated data.
• Portability — Export your data at any time through the dashboard.
• Correction — Update your account information through the dashboard settings.

We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies.

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

For privacy-related questions or requests, email us at [email protected]. See also our Data Processing Agreement and Subprocessors pages for GDPR-specific details.