
What we see. What we refuse to see.

A privacy policy written to be read, not just filed. Our business runs on continuity, not surveillance — so the list of what StandIn refuses to collect is longer than the list of what it collects. Both lists are below.

Last updated 24 October 2026

01 The Promise

Continuity, not surveillance.

The business model decides the shape of the product. Ours is subscription, paid by organizations that want their people's context to survive a timezone crossing. That model does not require — and is actively harmed by — monitoring the people using it.

StandIn does not monitor people. StandIn does not track presence. StandIn does not read private messages. Those three sentences are not a marketing choice. They are an architectural constraint we enforce on ourselves.

02 Collected

What we collect.

Three categories. Nothing beyond them.

  1. Account information

     Name, work email, organization membership, and role. Used for sign-in, attribution, and access control. Nothing is enriched from third-party data brokers.

  2. Published content

     Wraps, declarations, and handoffs you explicitly write and publish. Plus metadata you allowlist from connected systems — issue titles, PR statuses, calendar shapes. Never full message or document bodies.

  3. System records

     Audit events (who read whose wrap, who changed a setting) and request logs for reliability. These never contain the substance of your content — only the shape of the action.

03 Refused

What we refuse to collect.

This list is load-bearing. Each item is a design decision we turned down, not a feature waiting to be built.

  • Keystroke logs, mouse-movement, or typing-cadence metrics
  • Screen recordings, screenshots, or window focus history
  • Content from private DMs — in Slack, email, or anywhere else
  • "Active" / "idle" / "in a meeting" presence signals
  • Inferred sentiment, engagement scores, or productivity rankings

04 Purpose

How collected data is used.

Data is used to answer work-context questions. The LLM retrieves already-published wraps and allowlisted metadata at query time, generates a grounded response, and discards the context window. We do not use your data to train public AI models — ours or anyone else's — and our LLM vendor contracts forbid it on their side too.

05 Access

Who can see what.

Project data is visible only to members of that project. Published wraps are visible to the team they were published to. Admins can manage membership and review the audit trail. There is no manager surveillance dashboard. Every read of another person's wrap is logged and visible in that audit trail.

06 Retention

Retention and decay.

Context is ephemeral by default. Personal wraps are retained per your organization's configuration (typically 24 months) and decay in retrieval relevance before they are hard-deleted. You can request deletion of your data at any time; an admin can delete a user's records, and the deletion is carried out within thirty days of the request.

07 Security

Security posture.

TLS 1.3 in transit. AES-256 at rest. Encrypted integration tokens. Logged audit events. Responsible disclosure welcomed at [email protected]. The full technical breakdown lives on the Security page.

08 Changes

Changes to this policy.

We may update this policy. If we make material changes, especially any that affect the Promise in section 01, we will notify you by email and with an in-app banner. Minor clarifications will be versioned here with a changelog entry. You should not need a lawyer to read this page.