Privacy Policy

Last updated: 2026-05-19

1. Who we are

Stealth Pilot AI ("StealthPilot", "we", "us") is the data controller for personal data processed through the StealthPilot website and desktop application. Contact: privacy@stealthpilot.tech.

2. Local-first by design

Prep Mode stores all candidate-memory data — profile, stories, projects, evidence, opportunities, and debriefs — in a local SQLite database on your machine. This data is never sent to StealthPilot servers. We have no access to it.

3. Data we collect and why

  • Account email and password hash — to authenticate you and send transactional notifications (email verification, password resets, license alerts). Legal basis: contract performance (LGPD Art. 7, VII).
  • Session metadata (IP address, browser/app user-agent) — for fraud and abuse prevention. Stored for up to 90 days, after which IP addresses are anonymized (last octet zeroed) and user-agent strings are deleted. Legal basis: legitimate interest (LGPD Art. 7, IX).
  • License data (license key, tier, status, machine identifiers) — to enforce per-device limits and validate your subscription. Legal basis: contract performance (LGPD Art. 7, VII).
  • Google account email (if you use Google Sign-In) — to link your Google identity to your account. Legal basis: consent given at the Google OAuth screen (LGPD Art. 7, I).
  • Website analytics data (optional) — page views, referral source, campaign parameters, button clicks, checkout starts, and purchase confirmation events collected through Google Tag Manager and Google Analytics only after you allow analytics cookies. We do not send account email, interview content, prompts, screenshots, or AI responses to analytics tools. Legal basis: consent (LGPD Art. 7, I).
  • Crash reports (optional, opt-in only) — anonymous crash data sent via Electron's crash reporter if you enable telemetry in app settings. No interview content, prompts, or AI responses are ever included. Legal basis: consent (LGPD Art. 7, I).

4. Data processors

We share data with the following sub-processors:

  • Google LLC — identity verification via OAuth 2.0 and optional website analytics via Google Tag Manager and Google Analytics.
  • Stripe Inc. — payment processing (future; we never see your card number).
  • Email provider — transactional email delivery (provider to be disclosed when configured).

5. AI provider data

Live Mode and certain Prep features send screenshots or text to your chosen AI provider (OpenAI, Anthropic, Gemini) using your own API key. Those requests go directly from your device to the provider — we do not route or store them. Their privacy policies govern that data.

6. Retention

  • Session records: IP anonymized and user-agent deleted after 90 days; session records themselves deleted when your account is deleted.
  • Website analytics cookies and identifiers: retained according to your browser settings and Google Analytics data retention configuration. You can decline analytics on the website before optional analytics cookies are set.
  • Account data: permanently deleted 30 days after you submit a deletion request.
  • License records: retained for business audit purposes after account deletion; your personal identifier is removed from license records when your account is deleted.

7. Your rights under LGPD (Art. 18)

As a data subject under Brazil's Lei Geral de Proteção de Dados (Lei n. 13.709/2018), you have the right to:

  • Access — obtain a copy of all personal data we hold about you. Use the "Download my data" button on your account page.
  • Deletion — request deletion of your account and personal data. Use "Delete account" on your account page. You have 30 days to undo.
  • Portability — receive your data in a structured, machine-readable format (JSON). Use "Download my data" on your account page.
  • Correction — request correction of inaccurate data. Email privacy@stealthpilot.tech.
  • Revocation of consent — disable crash report telemetry at any time in app Settings → General. For website analytics, clear your browser's StealthPilot site data and choose "Decline" when the analytics banner appears again.
  • Information about sharing — see Section 4 above.

To exercise any right, email privacy@stealthpilot.tech. We respond within 15 days.

8. Security

Passwords are stored as argon2 hashes. Authentication tokens use short-lived JWTs (15 minutes) with 30-day rotating refresh tokens transmitted only over HTTPS as httpOnly cookies.

9. Governing law

This policy is governed by the laws of the Federative Republic of Brazil. Disputes are subject to the jurisdiction of the courts of São Paulo, SP.

10. Contact

privacy@stealthpilot.tech