Stokik

Privacy Policy

Last updated: June 2026

1. Information we collect

We collect information you provide directly to us, including:

  • Account information — email address, name, and password when you register.
  • Profile information — optional details gathered during onboarding such as your role, how you heard about us, intended use (personal or team), and areas of interest. This is used solely to personalise your experience.
  • Planning content — projects, canvas nodes, edges, sticky notes, documents, and folder structures you create within Stokik.
  • Organisation and team data — organisation names, member email addresses, roles, and invite records when you create or join a team workspace.
  • Contact, sales, and billing inquiries — information you submit through contact forms or upgrade conversations, including your name, email address, message, and plan or add-on interests.
  • AI and MCP data — prompts, project context, task/document content, MCP token metadata, agent run events, and related outputs when you use AI-assisted features or connect MCP clients.

We also automatically collect certain technical information when you use the service or contact us, including your IP address, browser type, operating system, user agent, referring URLs, pages visited, and marketing attribution fields such as UTM source, medium, campaign, term, and content.

2. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve the service.
  • Send transactional emails — account verification, password reset, team invitations, and other service notifications.
  • Personalise your onboarding and in-app experience based on the profile information you provide.
  • Monitor and analyse usage patterns to understand how the product is used and where it can be improved.
  • Respond to contact, support, billing, upgrade, and add-on inquiries.
  • Operate AI-assisted workflows, MCP integrations, agent run tracking, and related product features when you choose to use them.
  • Detect and prevent fraudulent or abusive activity.
  • Send product updates and occasional announcements if you have opted in.

We do not sell your personal information to third parties.

3. Data storage and security

Your data is stored on servers located in the European Union. We use industry-standard encryption in transit (TLS) and at rest. We implement appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction.

4. Data retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it by law or for legitimate business purposes such as fraud prevention.

Content you have shared with organisation members (projects, documents) may remain visible to those members until the organisation or workspace is also deleted.

5. Cookies

We use the following categories of cookies and similar technologies:

  • Strictly necessary cookies — session cookies required for authentication and CSRF protection. These cannot be disabled without breaking the service.
  • Analytics cookies — we use Google Analytics 4 to understand aggregate usage patterns (pages visited, session duration, geographic region). Google Analytics sets its own cookies. No personally identifiable information is shared with Google Analytics beyond what it collects automatically. You can opt out using the Google Analytics opt-out browser add-on.
  • Marketing pixels — we use Meta Pixel on the marketing site to understand visits, conversions, and campaign performance. Meta may process information such as your browser, device, IP address, pages visited, and events according to Meta's own policies.

We do not sell data derived from cookies to third parties.

6. Third-party services

We use the following third-party services:

  • Google OAuth — optional sign-in via Google. If you use this, Google's privacy policy governs the information shared during authentication. We only receive your email address and name from Google.
  • Google Analytics 4 — aggregate usage analytics. See section 5 for details.
  • Meta Pixel — marketing analytics and conversion measurement on the marketing site. See section 5 for details.
  • Transactional email provider — we send emails (verification, invites, password reset) via a third-party provider. Your email address is shared with this provider solely to deliver these messages.
  • AI providers — if you use AI features with a personal or organisation-configured provider key, relevant prompts and workspace context may be sent to providers such as OpenAI or Anthropic to generate results. Their processing is governed by their own terms and policies.
  • MCP clients and connected tools — when you create MCP tokens or connect an MCP client, that client may access project data according to the scopes, permissions, and credentials you grant.

7. Sharing within organisations

When you create or join an organisation workspace in Stokik, other members of that workspace can see your name, email address, and role within the organisation. Projects and documents shared within an organisation are visible to members according to the permission settings the project owner or admin configures.

We do not share your information across separate, unrelated organisations.

8. AI and MCP controls

AI and MCP features are optional. You control whether to configure personal AI provider keys, whether an organisation configures shared provider keys, and whether to create MCP tokens for external clients. MCP tokens are scoped, and connected clients can only access data according to the scopes and permissions granted.

You should only connect AI providers, MCP clients, or external tools that you trust. Removing a provider key or MCP token stops future use of that credential, but it does not delete data already processed by a third-party provider or client.

9. Your rights

Depending on your location, you may have the right to access, correct, export, or delete your personal information. To exercise these rights, contact us. We will respond within 30 days. For deletion requests, note that content shared with organisation members may need to be handled separately by the organisation admin.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by email or via a notice in the application at least 14 days before they take effect. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

Questions about this privacy policy? Contact us.