Stagger Privacy Policy

Last Updated: April 21, 2026
Effective Date: April 21, 2026

1. Introduction

This Privacy Policy explains how Stagger ("Stagger," "we," "us") collects, uses, and shares personal information in connection with the Stagger service at stagger.dev, app.stagger.dev, mcp.stagger.dev, and docs.stagger.dev (the "Service").

Stagger is a developer tool that uses AI to generate React loading animation components from your prompts. This policy applies whether you visit the marketing site, use the app, connect via MCP, or contact us.

If you are in the EU, UK, Switzerland, California, or another jurisdiction with specific privacy rights, see Section 10 for how those rights apply to you.

The short version. We collect only what we need to run the Service and bill you. We do not train AI models on your prompts, brand kits, uploaded images, or generated code. We keep prompts for a maximum of 90 days in our systems (our AI provider Anthropic may retain them for up to 30 days for their own abuse monitoring). We use a small number of reputable sub-processors, listed below. You can export or delete your data at any time.

2. Information we collect

We collect four categories of information.

2.1 Account information

When you sign up through Clerk, we and Clerk collect:

  • Email address.
  • Name, if you provide one.
  • Age attestation confirming you are at least 18 years old (required at signup).
  • Authentication identifiers (for example, your Clerk user ID, OAuth provider IDs if you sign in with Google, GitHub, or similar).
  • Password hash (stored by Clerk, not by us).

2.2 Payment information

When you subscribe, Stripe collects your payment card or bank details directly. We do not see or store your full card number. We receive from Stripe:

  • A Stripe customer and subscription ID.
  • Card brand and last four digits.
  • Billing country and postal code.
  • Invoice and payment history.
  • Tax information relevant to billing.

2.3 Content you provide

When you use the Service you submit:

  • Prompts, the natural-language text you send to generate or modify components.
  • Brand kits, including color palettes, style notes, and typography preferences you save to your Account.
  • Uploaded images (available from v2.5), such as logos or icons you upload for AI vision analysis.
  • Generated Output, the TSX components the Service produces for you.
  • Library interactions, such as animations you favorite or remix from our curated library.

2.4 Automatically collected data

When you use the Service we and our infrastructure providers automatically collect:

  • IP address, approximate location derived from IP, and time zone.
  • Device and browser type, operating system, screen size.
  • Pages viewed, features used, clicks, and timestamps.
  • Referring URL and UTM parameters.
  • Diagnostic and error logs.
  • For MCP requests, the client identifier and version (for example, Cursor or Claude Code and its version), the requesting IP, endpoint called, token count, and response status.

2.5 Cookies and similar technologies

We use cookies and similar technologies on the marketing site, app, and docs. See Section 13 for the full details.

2.6 Biometric information

We do not collect, store, derive, or use biometric identifiers as defined by the Illinois Biometric Information Privacy Act ("BIPA"), the Texas Capture or Use of Biometric Identifier Act ("CUBI"), Washington HB 1493, or similar laws. When you upload an image (v2.5+), that image may incidentally contain faces or other biometric features. We do not extract biometric templates, perform facial recognition, or analyze uploaded images for biometric identification or authentication. Our AI vision analysis examines images only for design attributes (colors, shapes, composition) to produce animation Output.

3. How we use information

We use information to:

  1. Provide the Service. Authenticate you, run your prompts through our AI provider, save your brand kits and Output, serve the docs and library, and respond to support requests.
  2. Process payments. Bill you, prevent fraud, manage subscriptions, and keep tax records.
  3. Secure and maintain the Service. Detect abuse, prevent unauthorized access, fix bugs, monitor performance.
  4. Communicate with you. Send transactional emails (receipts, security alerts, product notices), respond to inquiries, and, if you opt in, send product updates.
  5. Improve the Service. Analyze aggregated, de-identified usage trends (for example, which features are used most). We do not use your Content for this in any form that could identify you, and we never use it to train AI models. See Section 4.
  6. Comply with law. Respond to legal process, enforce our Terms, and protect rights.

We do not sell your personal information. We do not share it for cross-context behavioral advertising.

4. AI training policy

Stagger does not use your Content to train, fine-tune, or improve AI models. Ever.

This is a core product commitment, not a marketing line. Specifically:

  1. Your prompts, brand kits, uploaded images, and Generated Output are never used to train any Stagger model, Anthropic model, or any third-party model. We call the Anthropic API under terms that prohibit training on our API traffic.
  2. We do not sell or share your Content with any data broker, ad network, or third-party AI developer for any purpose.
  3. This applies to every plan, including free.

4.1 Sub-processor retention for abuse monitoring

Your prompts and uploaded Content may be retained briefly by Anthropic (our AI provider) for up to 30 days, solely for their own abuse monitoring, after which they are deleted. Anthropic does not use this data for training under their API and Commercial Terms. See Anthropic's privacy policy linked in Section 6.1 for details.

4.2 Exceptions

The only narrow exceptions to our no-training commitment are:

  • Abuse detection. Automated systems may scan prompts and uploads for clear policy violations (for example, attempts to generate malware or CSAM). A human may review a tiny number of items flagged with high confidence, solely to enforce the Acceptable Use Policy and keep the Service safe.
  • Legal compliance. We may preserve and disclose specific Content if required by valid legal process.

If a conflict arises between this Section and any other part of this Policy, this Section controls.

5. Automated decision-making and AI generation

Article 22 of the GDPR and similar provisions in other privacy laws give you rights regarding "decisions based solely on automated processing" that produce "legal or similarly significant effects."

Stagger does not make such decisions. The AI generation at the core of our Service processes your prompt and produces code as Output. This Output is:

  1. A creative artifact you request, not a decision about you or affecting your legal status, rights, employment, credit, housing, insurance, or similar.
  2. Reviewed, modified, and deployed solely at your discretion, as acknowledged in our Terms of Service Section 8.3.
  3. Not used to evaluate, profile, score, or make decisions about you.

For clarity, the act of the Service generating code in response to your prompt does not itself constitute a "decision" under Article 22, and the Output has no effect on you beyond being delivered to you for your voluntary use.

6. Legal bases for processing (GDPR)

If you are in the EU, UK, or Switzerland, we process your personal data on the following Article 6 GDPR legal bases:

| Purpose | Legal basis |
|---|---|
| Creating and running your Account | Performance of a contract (Art. 6(1)(b)) |
| Processing prompts and generating Output | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment | Performance of a contract and legal obligation (Art. 6(1)(b), (c)) |
| Security, fraud prevention, abuse detection | Legitimate interests: protecting the Service and users (Art. 6(1)(f)) |
| Product analytics (cookies) | Consent (Art. 6(1)(a)) where required by ePrivacy law; otherwise legitimate interests (Art. 6(1)(f)) |
| Error monitoring (cookies) | Consent (Art. 6(1)(a)) where required by ePrivacy law; otherwise legitimate interests (Art. 6(1)(f)) |
| Transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Marketing emails | Consent (Art. 6(1)(a)), withdrawable any time |
| Responding to legal process | Legal obligation (Art. 6(1)(c)) |

If you are in the EU/UK and upload images containing identifiable faces (which we do not solicit and, per Section 2.6, do not process for identification), any special-category data under Article 9 is processed only with your explicit consent or as necessary for a substantial public interest.

7. How we share information

We share personal information with the categories of recipients listed below. We do not sell it.

7.1 Sub-processors

We share limited personal information with the service providers we rely on to run Stagger. Each is contractually required to protect the data, use it only on our instructions, and implement appropriate safeguards.

| Sub-processor | Purpose | Data processed | Location | Transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Anthropic, PBC | AI generation (Claude API) | Prompts, Content sent to the model, generated Output | USA | DPF certified; SCCs | anthropic.com/legal/privacy |
| Clerk, Inc. | Authentication, account management | Email, name, authentication identifiers | USA | DPF certified; SCCs | clerk.com/legal/privacy |
| Stripe, Inc. | Payment processing, billing, tax | Name, email, billing address, card details, transaction history | USA | DPF certified; SCCs | stripe.com/privacy |
| Vercel, Inc. | Hosting and edge compute | Request and response data, IP, logs | USA; EU edge | DPF certified; SCCs | vercel.com/legal/privacy-policy |
| Cloudflare, Inc. | CDN, DDoS protection, WAF | IP, request metadata | Global edge | DPF certified; SCCs | cloudflare.com/privacypolicy |
| Resend, Inc. | Transactional email | Email address, message content | USA | DPF; SCCs | resend.com/legal/privacy-policy |
| Sentry (Functional Software, Inc.) | Error monitoring | Error traces, IP, limited request metadata | USA | DPF; SCCs | sentry.io/privacy |
| PostHog, Inc. | Product analytics | Pseudonymous user ID, events, page views, device metadata | USA or EU at our election | DPF; SCCs | posthog.com/privacy |
| Amazon Web Services, Inc. (via Cloudflare R2) | Object storage for uploaded images and backups | Uploaded images, Content backups | USA | DPF certified; SCCs | aws.amazon.com/privacy |

We will update this list as the stack changes. Material changes will be notified in accordance with Section 15.

7.2 Legal disclosures

We may disclose personal information when we reasonably believe it is necessary to:

  1. Comply with law, valid legal process, or an enforceable government request.
  2. Enforce our Terms, including investigation of violations.
  3. Detect, prevent, or address fraud, abuse, security, or technical issues.
  4. Protect the rights, property, or safety of Stagger, our users, or the public.

Where legally permitted, we will notify you of a government request for your data before responding.

7.3 Business transfers

If Stagger is acquired, merges with another entity, or sells substantially all of its assets, personal information may be transferred as part of that transaction. We will notify you by email before your information becomes subject to a materially different privacy policy.

8. Data retention

We keep personal information only as long as we need it for the purposes described in this Policy, unless a longer period is required by law (for example, tax records).

| Data category | Retention |
|---|---|
| Account information (email, name) | Active during your Account; deleted within 30 days of Account deletion |
| Brand kits, saved animations, Generated Output | Active during your Account; deleted within 30 days of Account deletion |
| Prompts (in Stagger systems) | 90 days by default, then deleted. Longer only if you opt in at the Account level |
| Prompts and Content (at Anthropic for abuse monitoring) | Up to 30 days, per Anthropic's API policy |
| Uploaded images (v2.5+) | While associated with your Account; deleted within 30 days of Account or asset deletion |
| Payment and billing records | Up to 7 years, as required by US tax and financial recordkeeping laws |
| Security and access logs | Up to 12 months, longer only for an active investigation |
| MCP request metadata (non-content) | Rolling 12 months |
| Abuse-flagged prompts and classifier results | Up to 24 months, for enforcement of the Acceptable Use Policy |
| Marketing email subscribers | Until you unsubscribe |
| Backups | Rolling 30-day window; deleted content is purged on the next cycle |

After deletion, residual copies may remain in encrypted backups for up to 30 days, then are overwritten.

9. Data security

We maintain administrative, technical, and physical safeguards, appropriate to the risk, to protect personal information, including:

  • TLS encryption in transit and encryption at rest for production data.
  • Least-privilege access controls and multi-factor authentication for internal systems.
  • Logging and monitoring of administrative access.
  • Regular security updates and dependency monitoring.
  • Segregation of environments (production, staging, development).
  • Sub-processor due diligence and contractual data protection commitments.
  • Incident response procedures.

No system is perfectly secure. If a security incident affects your personal information, we will notify you and any required regulators in accordance with applicable law, including:

  1. GDPR Articles 33 and 34: notification to the lead supervisory authority within 72 hours of becoming aware, and to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  2. New York SHIELD Act: notification to affected New York residents and the New York Attorney General in the most expedient time possible and without unreasonable delay.
  3. California CCPA/CPRA and other US state laws: notification to affected residents in accordance with the applicable state timelines.

Our notification will describe, to the extent known: the nature of the incident, categories of information involved, steps we are taking, and recommendations for you.

10. International data transfers

Stagger operates from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US and, through our sub-processors, potentially in other countries.

For personal information transferred from the EU, UK, or Switzerland to the US, we rely on:

  1. Sub-processor certifications under the EU-US Data Privacy Framework (and UK Extension and Swiss-US DPF), where the sub-processor is listed on the DPF List. See Section 7.1.
  2. Standard Contractual Clauses adopted by the European Commission (2021/914) for sub-processors that are not DPF-certified, together with appropriate supplementary measures.

Stagger itself is currently operated as a sole proprietorship and is not self-certified under the DPF. We are evaluating DPF self-certification as the business structure matures. In the meantime, if you require SCCs directly with Stagger, contact privacy@stagger.dev and we will provide Module 1 or Module 2 SCCs as appropriate.

11. Your rights and choices

You have rights over your personal information. We honor them globally to the extent we reasonably can, and we honor the specific legal rights below in the jurisdictions where they apply.

11.1 Universal rights (all users)

Every user, regardless of location, may:

  • Access the personal information in their Account via the Account settings.
  • Export Content, brand kits, and Generated Output in standard formats.
  • Correct inaccurate Account information.
  • Delete their Account, which triggers the deletion timelines in Section 8.
  • Contact us at privacy@stagger.dev with any privacy question.

11.2 GDPR rights (EU, UK, Switzerland)

If you are in the EU, UK, or Switzerland, you have the right to:

  1. Access the personal data we hold about you (Art. 15).
  2. Rectification of inaccurate data (Art. 16).
  3. Erasure (right to be forgotten) (Art. 17).
  4. Restriction of processing (Art. 18).
  5. Data portability in a structured, machine-readable format (Art. 20).
  6. Object to processing based on legitimate interests (Art. 21).
  7. Withdraw consent at any time, without affecting past processing (Art. 7(3)).
  8. Not be subject to solely automated decisions that produce legal or similarly significant effects (Art. 22). See Section 5 for why Stagger's AI generation does not fall within Article 22.
  9. Lodge a complaint with your local supervisory authority. Contacts are listed at edpb.europa.eu/about-edpb/board/members_en.

We will respond to GDPR requests within 30 days, extendable by up to two additional months for complex requests, in which case we will tell you within 30 days.

EU Representative (Article 27). [To be appointed before launch to EU users. When appointed, full contact details will be listed here, including name, postal address, and email.]

UK Representative. [To be appointed if offering services to UK users at scale. When appointed, full contact details will be listed here.]

11.3 CCPA/CPRA rights (California)

If you are a California resident, you have the right to:

  1. Know what categories of personal information we collect, the sources, purposes, and categories of recipients.
  2. Access the specific pieces of personal information we have about you.
  3. Delete personal information, subject to legal exceptions.
  4. Correct inaccurate personal information.
  5. Opt out of the sale or sharing of your personal information. Stagger does not sell personal information and does not share it for cross-context behavioral advertising. A "Do Not Sell or Share My Personal Information" link is provided in the footer of every Stagger page, as required by CPRA regulations.
  6. Limit the use of sensitive personal information. We do not use sensitive personal information for purposes requiring a "limit" right under CPRA.
  7. Non-discrimination for exercising these rights.

Categories of personal information collected in the last 12 months (California Civil Code § 1798.140):

| Category | Collected? | Sold or shared? |
|---|---|---|
| A. Identifiers (name, email, IP) | Yes | No |
| B. Customer records (billing info) | Yes | No |
| C. Protected classifications | No | No |
| D. Commercial information (subscriptions) | Yes | No |
| E. Biometric information | No (see Section 2.6) | No |
| F. Internet activity (usage logs) | Yes | No |
| G. Geolocation (approximate, from IP) | Yes | No |
| H. Sensory data | Yes (uploaded images, v2.5+) | No |
| I. Professional/employment info | No | No |
| J. Education info | No | No |
| K. Inferences | Minimal, for product analytics | No |
| L. Sensitive personal information | No | No |

To submit a request, email privacy@stagger.dev with the subject "CCPA Request." We will verify your request by matching identifiers you provide against your Account, and we will respond within 45 days, extendable once by another 45 days with notice. An authorized agent may submit a request with your signed permission.

Global Privacy Control (GPC). We honor GPC signals as a valid opt-out of sale or sharing, even though we do not currently sell or share.

11.4 Other US state rights

If you are a resident of a US state with a comprehensive consumer privacy law, including Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, or Rhode Island, you have rights broadly similar to the California rights above, which may include the right to access, delete, correct, data portability, opt out of targeted advertising, opt out of the sale of personal data, and opt out of profiling with legal effects.

Although Stagger likely falls below the applicability thresholds of these laws, we honor these rights on request as a matter of policy. Email privacy@stagger.dev with the subject "State Privacy Request" and identify your state of residence. If we deny a request, you may appeal by replying to our decision, and where applicable you may complain to your state attorney general.

11.5 Nevada

Nevada residents may direct us not to sell their personal information by emailing privacy@stagger.dev. We do not sell personal information.

12. Children's privacy

The Service is for users 18 and older. We do not knowingly collect personal information from anyone under 18. Our authentication provider Clerk is configured to require an age attestation at signup, and we enforce this minimum in our account provisioning logic.

If we learn that we have collected information from a user under 18, we will delete it and terminate the Account. If you believe a child has provided us personal information, contact privacy@stagger.dev.

Because we do not target or permit use by anyone under 13, COPPA does not apply to Stagger. Our 18+ minimum also exceeds the thresholds for children's and teen provisions in every US state comprehensive privacy law currently in effect.

13. Third-party links and services

The Service includes links to and integrations with third-party sites and services, including documentation references, MCP clients, and the sub-processors in Section 7.1. This Policy does not apply to those third parties. Their privacy practices are governed by their own policies, which you should review.

14. Cookies and similar technologies

14.1 What we use

We use cookies, local storage, and similar technologies. The table below lists the specific cookies you should expect to encounter.

| Category | Cookie / storage key | Set by | Purpose | Duration | Requires consent? |
|---|---|---|---|---|---|
| Strictly necessary | __session, __clerk_db_jwt | Clerk | Authentication, session integrity | Session / 7 days | No |
| Strictly necessary | __cf_bm, cf_clearance | Cloudflare | Bot management, DDoS protection | 30 min / 1 year | No |
| Strictly necessary | CSRF tokens | Stagger | Request integrity | Session | No |
| Functional | Local storage: theme, recent-prompts, cookie-consent | Stagger | Remember preferences | Persistent until cleared | No |
| Analytics | ph_[project_id]_posthog | PostHog | Pseudonymous user ID, session ID, device ID, feature flag cache | 1 year | Yes, in EU/UK |
| Analytics | ph_optout | PostHog | Records your analytics opt-out | 10 years | No |
| Error monitoring | Sentry session replay identifier (if enabled) | Sentry | Link errors to anonymous sessions | Session | Yes, in EU/UK |

14.2 No advertising cookies

We do not use advertising or retargeting cookies.

14.3 Consent

In the EU, UK, and other jurisdictions that require prior consent for non-essential cookies, we ask for your consent through a cookie banner before setting analytics or error-monitoring cookies. Strictly necessary cookies are set without consent because they are required for the Service to function. You can change your consent at any time at stagger.dev/cookie-settings.

14.4 Browser controls

Most browsers allow you to refuse or delete cookies. Doing so may affect how the Service works.

15. Do Not Track and Global Privacy Control

Do Not Track (DNT). Because there is no industry standard for DNT, we do not currently respond to DNT signals. We honor the Global Privacy Control signal instead.

Global Privacy Control (GPC). We treat a GPC signal sent by your browser or extension as an opt-out of "sale" and "sharing" under CCPA/CPRA and as a request to stop non-essential analytics where applicable law treats it as an opt-out signal.

16. Changes to this policy

We may update this Policy. If we make material changes, we will give you at least 30 days' notice by email or an in-app notice before they take effect. The "Last Updated" date at the top reflects the most recent revision. Your continued use of the Service after the effective date means you accept the updated Policy.

17. Contact us and data protection inquiries

For any privacy question, request, or complaint:

We aim to respond to every privacy inquiry within 15 days and to every formal data rights request within the statutory deadline that applies to you (30 days under GDPR, 45 days under CCPA/CPRA).


DISCLAIMER

This Privacy Policy is a template provided as a starting point and does not constitute legal advice. It has been drafted against 2026 US state privacy laws, GDPR, UK GDPR, and common AI product practices, but it has not been reviewed for your specific facts, sub-processor configuration, or data flows. Privacy law is jurisdiction-specific and changes frequently, and enforcement risk is meaningful even for small operators. Before publishing or relying on this policy, you should retain privacy counsel in New York (and, for EU/UK coverage, European counsel) to review the sub-processor list against your actual vendors, validate transfer mechanisms (DPF, SCCs, supplementary measures), confirm the retention matrix matches your production systems, check cookie disclosures against your actual analytics and marketing stack, and advise on whether to appoint an EU and UK representative and self-certify to the Data Privacy Framework. Plan at least annual reviews and a review before every material product change, new sub-processor, or expansion into new data categories.