Skip to main content
← Back to StoraTerms of Service

Privacy Policy

Last updated: April 15, 2026

1. Introduction

Stora (“we”, “our”, or “us”) operates the Stora platform at stora.sh. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Account Information

When you sign in with GitHub, we receive and store:

  • Your GitHub username and display name
  • Your email address
  • Your profile image URL
  • A GitHub OAuth access token (used to access your repositories on your behalf)

Repository Data

When you connect a project, we access your repository contents solely to provide our services (screenshot capture, compliance scanning, ASO optimization). We do not store copies of your source code. Repository data is processed in memory and discarded after use.

App Store Credentials and Session Tokens

If you choose to use our publishing or submission features, you may provide Apple App Store Connect API keys or Google Play service account credentials. These are encrypted at rest and used only to publish content and submit apps on your behalf. We never share these credentials with third parties.

We may also cache App Store Connect session tokens to maintain authenticated sessions for publishing, submission, and metadata operations. These tokens are encrypted at rest and automatically expire.

Knowledge Base Content

You may upload documents, files, and links to the knowledge base to provide context for AI agents. This content is stored persistently and may be sent to AI providers as context when agents run on your projects.

Organization and Team Data

If you create or join an organization, we collect team membership information, invitation emails, role assignments, and credit transaction history. Project data within an organization is shared among its members.

Agent Run Data

When AI agent workflows execute (QA, compliance, submission agents), we store execution traces, decision logs, and artifacts produced during the run. This data is used to provide run history and debugging information.

Usage Data

We collect anonymized usage analytics (via PostHog) to improve the product, including:

  • Pages visited and features used
  • Screenshot generation, publishing, and submission events
  • Agent run outcomes and credit consumption
  • Error events (without personal data)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Stora platform
  • Access your GitHub repositories to build and capture screenshots
  • Generate and publish App Store and Google Play assets on your behalf
  • Submit apps for app store review using your credentials
  • Run AI agent workflows (QA, compliance, submission) on your projects
  • Process knowledge base content to improve agent accuracy
  • Run compliance scans against App Store Review Guidelines
  • Manage team membership, roles, and shared credit pools
  • Send you service-related communications
  • Detect and prevent abuse or security issues

4. GitHub Permissions

By default, Stora requests read-only access to your GitHub account and repositories. This includes reading your profile, email, and repository contents.

If you use features that require write access (such as creating pull requests for compliance fixes), we will explicitly ask for additional permissions at that time, with a clear explanation of why they are needed. You can revoke these permissions at any time from your GitHub settings.

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share data with:

  • Service providers: Third-party services that help us operate the platform (hosting, analytics, AI providers). These providers are contractually obligated to protect your data.
  • AI providers: We use Anthropic (Claude), Google (Gemini), and OpenAI APIs to power AI features. Repository code snippets and knowledge base content may be sent to these providers for analysis but are not used for model training.
  • Cloud build providers: When using cloud builds, your source code and build artifacts are transmitted to third-party sandbox providers (including lim.run) for compilation and execution. Build environments are ephemeral and isolated; code and artifacts are deleted after the build completes.
  • App store platforms: When you use submission features, metadata, builds, and app information are transmitted to Apple App Store Connect and/or Google Play Console using credentials you provide.
  • Team members: If your project belongs to an organization, other members of that organization may view project data, agent run history, and shared credentials.
  • Legal requirements: If required by law, regulation, or legal process.

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of sensitive credentials at rest (AES-256-GCM)
  • HTTPS-only communication with HSTS
  • Content Security Policy and other security headers
  • Parameterized database queries to prevent injection attacks
  • Regular security audits

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your account data for as long as your account is active. Generated screenshots and assets are stored until you delete them or your account. Build artifacts are automatically cleaned up after 30 days.

Agent run logs and artifacts are retained for 90 days. Knowledge base content is retained until you delete it or your account. Credit transaction history is retained for the duration of your account for billing purposes.

When a member leaves an organization, their personal account data is retained but their access to the organization’s shared project data is revoked. Organization data is retained as long as the organization exists.

You can request deletion of your account and all associated data by contacting us at the email below.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict processing of your data
  • Export your data in a portable format

9. Cookies

We use essential cookies for authentication and session management. We use PostHog for analytics, which may set its own cookies. We do not use advertising cookies or trackers.

10. Children’s Privacy

Stora is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

12. Contact Us

If you have questions about this Privacy Policy, please contact us at:

carlton@charmtechnologies.co