Privacy Policy

This Privacy Policy is effective as of June 8, 2026 and was last updated on the same date. It applies to all use of the Stages service operated by SalesEdge LLC d/b/a Stages.

Stages is a workspace product for client services businesses: agencies, consultants, and freelancers. Stages is operated by SalesEdge LLC, a New Jersey limited liability company doing business as “Stages” (referred to in this Policy as “Stages,” “we,” “us,” or “our”).

Privacy-specific questions, data-access requests, and complaints should be sent to privacy@trystages.com. For all other matters, see § 13 (Contact).

Stages collects three kinds of data: what you explicitly type into the product, what attaches to your activity automatically, and what our payment processor passes to us.

You provide directly

• Account information. Your email address, a name you choose (typically your full name), and a password. For agency users, optionally your company name. For users who sign in with Google, the name and profile picture URL Google passes us.
• Workspace content. Workspace and pipeline names, client company labels, stages, tasks, notes, chat messages, files you upload, and external URLs you paste in.
• Invitations. Email addresses of teammates and clients you invite into your workspace or to a specific pipeline.
• Payment-context information. Your billing email. Stripe (our payment processor) collects card details directly in its own hosted checkout flow; we never see your card number, CVC, or expiry.

Automatically attached to your activity

• Authentication session. An encrypted session token stored in HTTP-only cookies, used to keep you signed in.
• Interface state. A small number of preference flags stored in your browser's local storage (e.g., dismissed-banner state, recently picked emojis).
• Server logs. Standard request logs (URL paths, timestamps, error messages) captured by our hosting provider (Vercel) for operational debugging. We do not extract IP addresses, User-Agent strings, or referrer headers ourselves. Those are captured at the hosting-platform layer per our provider's defaults.
• Subscription state. If you upgrade to a paid plan, we mirror your subscription status (trialing, active, past-due, etc.) and the timing of the current billing period from Stripe.

What we do not collect

• We do not use analytics, session-replay, or third-party tracking scripts. There are no Google Analytics, Mixpanel, PostHog, Sentry, or similar SDKs in our application.
• We do not collect device fingerprints, geolocation, or browser permissions (camera, microphone, etc.).
• We do not see or store your payment card details. Those go directly to Stripe.
• As of the date of this Policy, we do not process your content with AI or machine-learning models. See § 9 for our forward-looking commitments on AI features.

We use the data we collect to provide and improve the Stages service. Specifically:

• To authenticate you, route you to the correct workspace, and enforce who can see and edit what.
• To store the workspace content you create and make it available to your teammates and clients per the access rules each workspace owner configures.
• To send you transactional emails about your account and workspace activity (invitations, trial reminders, billing changes, and similar). We do not send marketing email from the product.
• To process payments via Stripe and keep our records of your subscription state accurate.
• To investigate and respond to support requests, security incidents, and abuse.
• To improve the product based on aggregate, non-personal usage patterns (e.g., which features are used at what rate). When AI features ship, this category extends. See § 9.

We share data only with the service providers we need to operate the product. Each is listed below with a one-sentence purpose. None of these providers receives more than what they need; none has permission to use your data for their own purposes beyond providing their service to us.

• Supabase.Our primary backend (database, auth, file storage). All workspace content is stored on Supabase's infrastructure. Supabase DPA.
• Stripe. Payment processing. Stripe holds your card details under PCI-DSS Level 1 attestation; we hold only Stripe identifiers and subscription state. Stripe DPA.
• Resend. Transactional email delivery (invites, trial reminders). Resend receives recipient emails and the rendered email body. Resend DPA.
• Vercel. Hosting and serverless functions. Vercel handles edge requests and captures standard request logs. Vercel DPA.
• cron-job.org. External cron scheduler used to trigger our background-task endpoints. Receives a bearer-token header; receives no user data in request or response bodies.
• Google.Identity provider for “Sign in with Google.” Google operates as an independent controller for the authentication transaction; Stages is the relying party and receives only the email, name, profile picture URL, and a stable user identifier from Google.

We will list any future processors (including AI service providers; see § 9) at the same level of detail. We give at least 30 days notice in-app before adding a new sub-processor.

Our primary processing happens in the United States. Supabase hosts our database in a region we have selected; the other processors above (Stripe, Resend, Vercel, Google) primarily process in the United States.

For users in the European Economic Area, the United Kingdom, or Switzerland: data transferred to the United States relies on the European Union–United States Data Privacy Framework (including the UK Extension and Swiss-U.S. Framework where applicable) and Standard Contractual Clauses, where required by our processor agreements.

We retain your data for as long as your account is active and as needed to operate the service. When you or your workspace owner delete content, here is what happens:

• Workspace deletion cascades to delete every pipeline, stage, task, note, chat message, file, and audit record in that workspace.
• Pipeline deletion cascades to delete every stage, task, note, attachment, link, channel, and message in that pipeline.
• User account deletion deletes your profile, memberships, and stored authentication metadata. Some attribution metadata may remain in workspace audit logs.
• Email delivery records are retained for up to 90 days for support and debugging purposes, then deleted.
• File binaries may persist briefly after a deletion request, pending a storage cleanup pass.
• Stripe transaction history is retained by Stripe per its own policies (typically multiple years) to satisfy financial-records regulations. We do not control this retention window.

Depending on where you live, you may have legal rights to access, correct, delete, or export your personal data, and to object to certain processing. We honor these rights regardless of jurisdiction.

• Access. Email privacy@trystages.com to request a copy of the personal data we hold about you.
• Correction. Most personal data (your name, company name) is editable directly in your account settings. For anything else, email us.
• Deletion.You can delete content yourself in the app. For full account deletion, email us. Note: a small amount of denormalized data may remain in workspace audit logs for integrity purposes (e.g., “Sarah completed stage X” in activity history).
• Data portability. Email us to request an export of your workspace data in a structured format.
• Opt-out of AI-improvement signals. Always available, even after the first AI feature ships. See § 9.

AI and machine learning.When Stages AI features are active, you and your AI assistant collaborate to manage client work. The AI acts on your behalf within tools you've connected, like a smart assistant who can take actions you delegate. Here's how that works and how you stay in control.

How you stay in control. Stages AI is gated by four layers of consent that you control.

1. Workspace AI enablement. A workspace owner must explicitly turn on AI agent features for the workspace. Default off.
2. Per-integration consent. When you connect an external service (Google Docs, Slack, Instantly, etc.) to Stages, you grant Stages AI permission to read or write that service on your behalf when you invoke AI actions.
3. Per-action consent.Routine, low-risk actions are pre-authorized once you've connected an integration. Actions that are high-risk (e.g., sending an email) require a confirmation. Actions that are high-value or irreversible (e.g., moving money) require an explicit re-authentication.
4. Improvement signals. Optionally, you can let us learn from anonymized usage patterns (which features you use, which suggestions you accept) to make AI features better for everyone. Default off; turn it on at Settings → Privacy if you wish.

We do not train AI models on your data. When you use AI features, your data is processed by zero-retention AI providers (currently Anthropic and/or OpenAI API tiers that contractually prohibit training on inputs) to generate the specific output you requested. Your data is not stored, learned from, or used for any other purpose by those providers.

Improvement signals (opt-in). With your explicit consent (off by default), we may use anonymized signals about how AI features get used (e.g., which suggestions get accepted, which actions you redo) to make AI features better for everyone. We never use the content of your work, your messages, or your connected-service data for this; we only use aggregated, anonymized behavioral signals. You can turn this on or off any time at Settings → Privacy.

What data flows where during an AI action.When you invoke an AI feature, Stages may need to send relevant context to an AI provider to generate the output you asked for. For example, if you ask the AI to draft a reply to a client based on the project history, Stages may send the conversation history from that pipeline to our AI provider. If you ask the AI to perform an action in a connected integration (e.g., “draft a thank-you email in Instantly”), Stages sends the necessary context to the AI provider and the resulting draft to the integration on your behalf. The data flow is scoped to the action you invoked; AI providers never receive your full workspace, only the slice relevant to the request. The AI provider's no-training commitment applies to the entire flow.

Sub-processor notice.We publish our AI sub-processor list at the link in § 5 (Who we share with). Before we add a new AI provider, we will give you at least 30 days' notice via an in-app banner so you can pause your use of AI features if you object to the new provider.

Security-incident carveout.We may swap one AI provider for another without 30 days' advance notice if we need to do so to address an active security incident. For example, if a current provider experiences a breach or sustained outage that puts your data at risk. In that case, we will inform you promptly after the swap and explain why.

Human review for safety and quality. A small percentage of AI agent inputs and outputs may be sampled for review by Stages employees, under confidentiality agreements, solely to evaluate quality and detect safety issues (for example, prompt-injection attempts or misuse of an integration). Reviewed material is never used to train AI models. This is consistent with our broader commitment that no AI provider trains on your data.

Questions or concerns.For any AI-related question (including requests to clarify what an action did, to revoke an integration's permission, or to opt out of improvement signals), email privacy@trystages.com.

Stages uses cookies only for authentication. Specifically:

• Supabase Auth session cookie. An HTTP-only, same-origin cookie that keeps you signed in. JavaScript on the page cannot read it (the HttpOnly flag prevents this). The cookie expires after 30 days of inactivity for client users and after our standard session window for agency users.
• Supabase Auth PKCE-flow cookie (transient). Used briefly during OAuth-style signin to coordinate the redirect handshake; expires within the same session.

We do not use marketing, advertising, or analytics cookies. We do not embed third-party tracking pixels, share you with ad networks, or set tag-manager cookies.

Stages is a business product intended for users 16 years of age or older. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@trystages.com and we will delete it.

We will update this Privacy Policy from time to time. For material changes (including the addition of new processors or AI providers), we will give at least 30 days' notice via an in-app banner before the changes take effect, so you can review them and (if applicable) pause your use of affected features.

The “Last updated” date at the top of this page reflects the most recent change.

For all privacy-related inquiries (access requests, deletion requests, data portability, complaints, or general questions), please email privacy@trystages.com.

For Terms-of-Service and other legal correspondence, see § 16 of our Terms of Service.

Operated by SalesEdge LLC, a New Jersey limited liability company doing business as Stages.

Mailing address:
SalesEdge LLC d/b/a Stages
1070 State Route 34, Ste H PMB 1022
Matawan, NJ 07747
United States