
Privacy Policy

Last updated: 2026-06-23

StoneAI — The Covenant Engine — is an enterprise AI-governance platform. We hold ourselves to the same discipline we sell: nothing of consequence happens without an explicit, recorded human decision. This Privacy Policy describes how we treat the personal data entrusted to us.

StoneAI is advisory by design. Our platform proposes content-hashed decrees — recommended actions for autonomous systems. No decree takes effect until a human authority seals a covenant: an Ed25519 cryptographic signature bound to the decree's content hash. Nothing changes without explicit human consent, and every consent is written to an append-only, hash-chained audit ledger. This consent-first architecture shapes the minimal data we collect and how long we keep it.


01 Who We Are

StoneAI is a product of FanXus ("FanXus," "StoneAI," "we," "us," or "our"), a company organized in the United States. StoneAI is a standalone business-to-business software-as-a-service product offered to enterprise customers ("Customers" or "tenants"). FanXus is the parent company and sole operator of the StoneAI platform.

StoneAI governs the autonomous agents and bots operated by its Customers. One such Customer — the FANZ ecosystem — is StoneAI's first production tenant ("tenant zero"); FANZ is a customer of StoneAI, not its operator, parent, or affiliate. References to any individual Customer in this Policy are illustrative only.

02 Scope of This Policy

This Policy applies to personal data we process as a controller — for example, account and billing information for the individuals who administer a Customer's StoneAI subscription. Where StoneAI processes personal data on behalf of a Customer (data contained within decrees, covenants, or the governed systems themselves), we act as a processor, and that processing is governed by our Data Processing Addendum and the Customer's own privacy notices.

03 Data We Collect

Account & Identity Data

When an administrator creates or manages a StoneAI tenant, we collect names, business email addresses, organization names, authentication credentials (stored only as salted hashes), and the public keys used to verify covenant signatures. We do not collect or store the private keys used to seal covenants — those remain under the Customer's exclusive control.

Usage & Metering Data

To operate, secure, and bill the Service, we record metering data: the volume of decrees evaluated, covenants sealed, API calls made, plan tier, and overage counts. This data drives invoicing under your plan (see our Terms of Service) and capacity planning.

Decree Metadata

We retain metadata about decrees and covenants — content hashes, timestamps, the identity of the human who consented, the signing public key, and the decree's status. We design our pipeline to minimize the retention of decree payloads; where a Customer directs us to store payload content, that processing is governed by the DPA.

Audit Logs

Every consequential action — a covenant sealed, a decree rejected, a key rotated, a setting changed — is written to an append-only, hash-chained audit ledger. These tamper-evident records are essential to the integrity guarantees we provide and are described in our Security & Trust overview.

Technical Data

We collect IP addresses, device and browser identifiers, and diagnostic logs to authenticate sessions, detect abuse, and maintain reliability. We use only strictly necessary and functional cookies; we do not sell personal data or use third-party advertising trackers.

04 Payments & Card Data

StoneAI accepts payment through established processors — Stripe, PayPal, and Coinbase Commerce. When you pay, your card, bank, or cryptocurrency credentials are submitted directly to the relevant processor under their own security controls.

StoneAI does not store full payment card numbers or cryptocurrency wallet credentials. We receive only non-sensitive references — a token, the last four digits, a card brand, an expiry month, or a transaction identifier — sufficient to recognize a payment and reconcile your account. Each processor is an independent controller of the payment data it handles under its own privacy policy.

05 How We Use Personal Data

06 Legal Bases (GDPR)

For individuals in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under the General Data Protection Regulation:

Processing Activity | Legal Basis
Providing and operating the Service to your organization | Performance of a contract (Art. 6(1)(b))
Billing, metering, and fraud prevention | Legitimate interests & contractual necessity (Art. 6(1)(b)/(f))
Security, audit-ledger integrity, and abuse detection | Legitimate interests (Art. 6(1)(f))
Legal, tax, and regulatory compliance | Legal obligation (Art. 6(1)(c))
Optional product communications | Consent (Art. 6(1)(a)), withdrawable at any time

For California residents, we process personal information consistent with the California Consumer Privacy Act (CCPA/CPRA). We do not "sell" or "share" personal information as those terms are defined under California law.

07 Sub-Processors

We engage a limited set of vetted vendors to deliver the Service. Each is bound by written data-protection obligations no less protective than this Policy and our DPA.

Sub-Processor | Purpose | Region
Amazon Web Services | Cloud hosting, compute, and encrypted storage | United States
Stripe | Card and bank payment processing | United States
PayPal | Wallet and bank payment processing | United States
Coinbase Commerce | Cryptocurrency payment processing | United States

We maintain a current list of sub-processors and will provide reasonable advance notice of material changes so Customers may object as permitted under the DPA.

08 Data Retention

We retain account and billing data for the life of the subscription plus the period required to meet legal, tax, and accounting obligations. Audit-ledger records are retained for the contracted retention term to preserve their tamper-evident integrity; because the ledger is append-only and hash-chained, individual entries cannot be silently altered or removed. Diagnostic and technical logs are retained on a rolling basis and then purged. On termination, Customer data is handled per the DPA.

09 Your Rights

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data; to data portability; and to withdraw consent. EEA/UK residents may lodge a complaint with a supervisory authority. California residents may exercise rights to know, delete, correct, and to opt out of "sale"/"sharing" (which we do not engage in). To exercise any right, contact us at support@fanzunlimited.com. We will not discriminate against you for exercising your rights.

10 International Transfers

StoneAI is operated from the United States. Where we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with supplementary technical and organizational measures including encryption in transit and at rest.

11 Security

We protect personal data with per-tenant cryptographic isolation, Ed25519 covenant verification, an append-only hash-chained audit ledger, encryption in transit and at rest, and least-privilege access controls. Our full posture is described in our Security & Trust overview. No system is perfectly secure, but our consent-first, append-only design is engineered so that unauthorized changes are detectable rather than silent.

12 Children

StoneAI is an enterprise product not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

13 Changes to This Policy

We may update this Policy to reflect changes in our practices or the law. Material changes will be announced through the Service or by email, and the "Last updated" date above will change. Continued use after an update constitutes acceptance.

14 Contact Us

Questions, requests, or complaints regarding this Policy or your personal data:

FanXus — StoneAI · United States
support@fanzunlimited.com