Legal review pending. This is a working draft and not yet a final, attorney-reviewed policy. Use at your own discretion until we publish the reviewed version.

Privacy Policy

Last updated: May 13, 2026

This Privacy Policy explains what information Stashville collects from you, how we use it, who we share it with, and the rights you have over it. By using the Service you consent to the practices described here.

1. Information We Collect

We collect the following categories of information:

  • Account information. Your email address, display name, and (if you sign in with GitHub) the public GitHub profile fields exposed by the standard read:user and user:email OAuth scopes. If you opt in to the public repo scope, we also see the list of repositories you authorize.
  • Activity data. Metadata about your development work that you choose to send us, including commit timestamps, repository names, branch names, file paths you authorize, coding session start/stop events from our optional daemon, and ticket transitions from connected integrations. We do not read source code contents unless an integration you explicitly enable requires it.
  • City and gameplay data. Buildings you place, decorations, virtual currency balances, friend connections, interactions with other players' cities, and similar in-game state.
  • Telemetry and diagnostics. Standard request logs (IP address, user agent, timestamps), client-side error reports, and aggregated usage metrics. We use these to operate, secure, and improve the Service.

2. How We Use Information

  • To provide, maintain, and operate the Service.
  • To render your city and apply the gameplay rules associated with your activity events.
  • To send transactional and account-related email (sign-in verification, password resets, security alerts, and similar).
  • To detect and prevent abuse, fraud, and security incidents.
  • To debug, monitor performance, and improve features based on aggregated usage patterns.
  • To comply with our legal obligations.

3. Third-Party Processors

We rely on the following providers to operate the Service. Each processes data only as needed to perform their function:

  • Better Auth — session management and OAuth flow.
  • GitHub — OAuth identity provider and source of authorized GitHub activity data.
  • Inngest — runs background jobs such as event processing, decay calculations, and scheduled cadence updates.
  • Resend — sends transactional and notification email.
  • Sentry — receives client and server error reports for debugging and reliability.

We do not sell your personal information. We do not share your data with advertisers or use it for advertising.

4. Retention

We retain account information and gameplay state for as long as your account is active. Activity events older than 24 months may be aggregated or deleted as part of normal data lifecycle. Server logs and error reports are typically retained for up to 90 days. If you delete your account, we delete your account, gameplay data, and associated activity events within 30 days, except where we are required to retain certain records to comply with legal obligations or resolve disputes.

5. Your Rights

You can:

  • Access the personal data we hold about you.
  • Correct inaccurate account information.
  • Delete your account, which removes your gameplay data and the activity events associated with your account.
  • Export your account and gameplay data in a portable format on request.
  • Disconnect any integration (GitHub, daemon, third-party tools) from your settings, which stops further data collection from that source.

To exercise any of these rights, email privacy@stashville.city. If you are in a jurisdiction with additional rights (such as the EU or California), those rights apply in addition to the ones listed here.

6. Security

We use industry-standard practices to protect your data, including encrypted transport (HTTPS), hashed credentials, scoped API tokens, and least-privilege access controls. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify you in accordance with applicable law.

7. Children

Stashville is not directed at children under 13 (or the minimum digital-consent age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

8. International Transfers

Stashville is operated from the United States. By using the Service, you understand that your information may be processed in the United States or other countries where our processors operate.

9. Changes to This Policy

We may update this Privacy Policy as the Service evolves. Material changes will be announced in-app or by email. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

10. Contact

Privacy questions? Email privacy@stashville.city.