Strato Privacy Policy
Last Updated: October 11, 2025
Welcome to Strato ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web platform available at https://app.strato.so (the "Service"). By using Strato, you consent to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign up using Google OAuth (via Supabase Auth), we collect your email address, name, and profile picture from your Google account.
- Project Data: Aircraft designs, project files, design parameters, analysis results, and related content you create or upload.
- Chat History: Conversations with our AI-powered chat assistant, including your queries and AI-generated responses.
- Team Data: Information about teams you create or join, including team member details.
- Payment Information: Processed securely by our payment processor Paddle.com. We do not store your full credit card details.
1.2 Information Collected Automatically
- Usage Data: Information about how you interact with the Service, including features used, time spent, and navigation patterns.
- Device Information: Browser type, operating system, IP address, device identifiers, and general location data.
- Cookies and Tracking: We use cookies and similar technologies for authentication, session management, and analytics.
2. How We Use Your Information
We use the collected information to:
- Provide and Maintain the Service: Create and manage your account, process designs, run analyses, and enable core features.
- Improve User Experience: Analyze usage patterns, develop new features, and optimize performance.
- AI Features: Power AI-assisted design generation, chat interactions, and automated analysis using OpenAI services.
- Communication: Send service updates, technical notices, security alerts, and support messages.
- Billing and Payments: Process subscriptions, manage renewals, and provide invoices via Paddle.
- Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, and security threats.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
3. How We Store and Secure Your Information
We implement industry-standard security measures to protect your data:
- Database: User data and authentication managed through Supabase with encryption at rest and in transit.
- File Storage: Design files, meshes, and exports stored securely on AWS S3 with access controls.
- Encryption: All data transmission uses HTTPS/TLS encryption.
- Access Controls: Limited employee access on a need-to-know basis.
While we use reasonable efforts to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
4. How We Share Your Information
We may share your information with:
- Service Providers:
  - Supabase: Authentication, database, and real-time features
  - AWS (Amazon Web Services): File storage and cloud infrastructure
  - OpenAI: AI-powered chat and design generation
  - Paddle.com: Payment processing and subscription management
  - Vercel: Hosting and edge network services
- Team Members: Project data is shared with team members you explicitly invite.
- Legal Requirements: When required by law, subpoena, court order, or to protect our rights and safety.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
We do not sell your personal information to third parties for marketing purposes.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account:
- Personal data is deleted within 90 days, except where retention is required by law.
- Design files and project data are permanently deleted from our systems.
- Some metadata may be retained in aggregated, anonymized form for analytics.
6. Your Privacy Rights
Depending on your location, you may have the following rights:
6.1 General Rights
- Access: Request a copy of the personal information we hold about you.
- Correction: Update or correct inaccurate information.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Data Portability: Request your data in a machine-readable format.
- Opt-Out: Unsubscribe from marketing communications.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request details about the personal information we collect, use, disclose, and sell (if applicable).
- Right to Delete: Request deletion of personal information, subject to exceptions.
- Right to Opt-Out: We do not sell personal information. If this changes, you will have the right to opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Information: Limit the use of sensitive personal information (if applicable).
To exercise these rights, contact us at support@strato.so. We will respond within 45 days.
6.3 Other U.S. State Privacy Laws
If you reside in Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you may have similar rights to those described above. Contact us to exercise your rights.
7. Children's Privacy
Strato is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If you are under 18, you must have parental consent to use the Service. If we learn we have collected information from a child under 13, we will delete it promptly.
8. Cookies and Tracking Technologies
We use cookies and similar technologies for:
- Essential Cookies: Required for authentication and core functionality.
- Performance Cookies: Analyze usage patterns and service performance.
- Functional Cookies: Remember your preferences and settings.
You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.
9. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with external services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. International Data Transfers
Strato operates in the United States. If you access the Service from outside the U.S., your information may be transferred to, stored, and processed in the U.S. and other countries. By using the Service, you consent to the transfer of your information to the U.S. and other jurisdictions that may not have the same data protection laws as your country.
11. AI and Machine Learning
Strato uses AI technologies (including OpenAI's services) to provide design generation, chat assistance, and analysis features:
- Your chat messages and design requests are processed by AI models to generate responses and designs.
- We do not use your personal data to train third-party AI models unless you explicitly opt in.
- AI-generated content is provided for informational purposes and should be validated before real-world application.
12. Do Not Track Signals
Our Service does not currently respond to "Do Not Track" (DNT) browser signals. We will update this policy if we implement DNT support in the future.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through a prominent notice on the Service at least 30 days before the changes take effect. Continued use after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:
Email: support@strato.so
Address: Strato, Delaware, United States
For EU Users (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data includes: (1) contractual necessity to provide the Service, (2) legitimate interests in improving and securing our platform, and (3) your consent where applicable.
Service Providers Notice
Strato uses the following key service providers to deliver and improve the Service:
By using Strato, you acknowledge that you have read and understood this Privacy Policy. Please also review our Terms of Service for additional information about your use of the Service.
If there is any inconsistency between the English version and translations, the English version controls.