Privacy Policy

Information we collect

• Account data — email, name, and authentication identifiers when you sign in. Sign-in supports email/password, a one-time email code, or optional Google/GitHub OAuth.
• Usage & billing — build credits, ShipGate runs, subscription tier, and metered task history for wallet enforcement. Payment card details are collected and stored by Stripe, not by us.
• Project content — prompts, build ideas, blueprints, canvas state, generated code, verification artifacts, and uploaded repositories you choose to process or store through cloud features.
• Deployment data — when you use managed deploys or previews, we process the application code, configuration, and logs needed to host them. Secrets you provide for your applications (such as third-party API keys) are stored encrypted and used only to operate your deployments.
• Technical data — IP address, browser/device information, and request logs used for security, rate limiting, and abuse prevention.
• Diagnostics — optional crash reports (Sentry) and product analytics (PostHog) when enabled; local IDE runs may stay offline without sending telemetry.

AI processing

To generate and edit code, your prompts and relevant project content are sent to third-party model providers (such as Anthropic, OpenAI, Google, OpenRouter, and Cerebras) under agreements that restrict their use of your data to providing the service. We do not use your private project content to train our own models, and we select provider configurations that do not train on API data where available. Do not include secrets, credentials, private keys, or sensitive personal data in prompts — generated output and prompts may be retained as part of your project history.

Blockchain & crypto data

If you use web3 features, smart contract source, bytecode, deployment transactions, and the deploying address are recorded on public blockchain networks. Anything written to a public blockchain is permanent, public, and outside our control — we cannot edit or delete it, and deletion rights under privacy laws do not extend to on-chain data. We never ask for, store, or take custody of your private keys or seed phrases. Wallet addresses you use with the service may be stored with your account to attribute deployments and audits. Audit and proof certificates may reference contract addresses and code hashes.

Applications you build

Applications generated and deployed through Wholestack are operated by you. You are the data controller for any personal data your application collects from its end users; this policy does not cover your applications, and you are responsible for providing your own privacy policy to your users. Where we host your deployment, we act only as a processor/infrastructure provider for that end-user data.

How we use data

We use collected information to operate the product, generate and verify code at your request, enforce credit-based metering, prevent fraud and abuse, improve reliability, respond to support requests, and comply with legal obligations. We do not sell personal information and do not share it for cross-context behavioral advertising.

Third-party services

We use subprocessors such as Stripe (payments), Google and GitHub (optional OAuth sign-in and repository access you authorize), Trigger.dev (background jobs), Resend (transactional email), PostHog (product analytics), Sentry (error monitoring), AI model providers (see AI processing above), and cloud hosting providers (Netlify, Railway). Account authentication and sessions are handled in-house (no third-party identity provider). Each subprocessor processes data under its own policies and our data-processing agreements where applicable. See our security overview for the full subprocessor list and data-flow map.

Data retention & security

We retain account and project data while your account is active and for a reasonable period afterward for backups, dispute resolution, and legal compliance. Ephemeral build and preview environments are deleted automatically. Billing records are retained as required by tax and accounting law. We use industry-standard safeguards (encryption in transit and at rest, access controls, audit logging), but no system is perfectly secure — notify us immediately at the address below if you suspect unauthorized access to your account.

International transfers & your rights

We are based in the United States and process data there and in regions used by our subprocessors. Where required, transfers rely on appropriate safeguards such as standard contractual clauses. Depending on your jurisdiction (including the EEA, UK, and California), you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object or withdraw consent. We do not discriminate for exercising these rights. Note the blockchain limitation above: on-chain data cannot be deleted.

Children

The service is not directed to children under 13 (or the higher minimum age in your jurisdiction), and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.

CLI telemetry

Our command-line tools may collect anonymized usage telemetry only after explicit opt-in. You can disable it at any time, and we never collect your source code or prompts through telemetry.

Changes & contact

We may update this policy; material changes will be announced via the website or email. You may request access, correction, or deletion of account data by contacting support@wholestack.ai. Offline desktop usage without sign-in does not require an account; cloud AI features require authentication and debit your wallet meters per the pricing page.