We collect the minimum necessary to run Stoney. No tracking pixels, no ad networks, no selling your data.
When you sign up, we collect your name and email address via OAuth (Google or GitHub) or magic-link email. We do not store passwords.
Org name, plan tier, and member roles are stored to operate your dashboard and enforce plan limits.
When your CI pushes a run, we store: which contracts passed or failed, the Git SHA, branch name, actor, duration, and timestamp. We do not store your source code, environment variables, secrets, or HTTP request/response payloads.
We store only the SHA-256 hash of your API tokens. The raw token is shown once and never stored. We cannot recover it.
Billing is handled by Stripe. We store your Stripe customer ID and subscription status. We never see or store card numbers, CVVs, or bank details.
We collect server-side logs for debugging and reliability. These may include IP addresses and are retained for 30 days.