Stemma

Effective February 27, 2026

Privacy Policy

Stemma is an open-source LLM observability tool. This policy explains what data we collect when you use the hosted cloud version, how we use it, and what controls you have. If you self-host Stemma, this policy does not apply — you are the data controller.

1. What we collect

When you use the hosted version of Stemma, we collect:

  • Account data — your email address, collected at sign-up via Supabase Auth.
  • Prompt logs — the LLM call data you send to Stemma: model name, input/output tokens, latency, and the prompt and response text. You control what you log.
  • Usage metadata — call counts used to enforce free-tier limits.
  • Theme preference — stored only in your browser's localStorage. Never sent to our servers.

We do not use analytics trackers, third-party ad pixels, or session-recording tools.

2. How we use your data

  • To provide the Stemma dashboard — displaying your logs, metrics, and cost analytics.
  • To enforce plan limits (free tier: 10,000 calls/month).
  • To send transactional emails (e.g. password reset). We do not send marketing email without explicit opt-in.

We do not sell your data. We do not use your prompt content to train models.

3. Data storage and security

All data is stored in a Supabase PostgreSQL database. Data is encrypted at rest and in transit (TLS). Row-level security policies ensure you can only access your own project's data.

Prompt log data (your LLM inputs and outputs) may contain sensitive information — treat your API key as a secret and do not log personally identifiable information unless you have the appropriate legal basis to do so.

4. Data retention

Prompt logs are retained for as long as your account is active. You can delete individual logs or your entire account at any time. On account deletion, all your projects, logs, and API keys are permanently removed within 30 days.

5. Third-party services

We use the following sub-processors:

  • Supabase — database and authentication (EU/US data centres).
  • Vercel — hosting and edge functions.
  • Fontshare — font delivery (no cookies, no tracking).

6. Your rights

You can at any time:

  • Export your prompt logs from the dashboard.
  • Delete individual logs or your entire account.
  • Request a copy of your account data by emailing us.

If you are in the EU/EEA, you have additional rights under the GDPR including the right to access, rectify, port, and erase your data.

7. Cookies

The hosted dashboard sets one functional session cookie via Supabase Auth to keep you logged in. We do not set advertising or analytics cookies.

8. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated by updating the effective date above and, where appropriate, by emailing registered users.

9. Contact

Questions or requests relating to this policy: privacy@stemma.dev