Privacy Policy
Last updated: 2026-06-23
StoneAI — The Covenant Engine — is an enterprise AI-governance platform. We hold ourselves to the same discipline we sell: nothing of consequence happens without an explicit, recorded human decision. This Privacy Policy describes how we treat the personal data entrusted to us.
StoneAI is advisory by design. Our platform proposes content-hashed decrees — recommended actions for autonomous systems. No decree takes effect until a human authority seals a covenant: an Ed25519 cryptographic signature bound to the decree's content hash. Nothing changes without explicit human consent, and every consent is written to an append-only, hash-chained audit ledger. This consent-first architecture shapes the minimal data we collect and how long we keep it.
01 Who We Are
StoneAI is a product of FanXus ("FanXus," "StoneAI," "we," "us," or "our"), a company organized in the United States. StoneAI is a standalone business-to-business software-as-a-service product offered to enterprise customers ("Customers" or "tenants"). FanXus is the parent company and sole operator of the StoneAI platform.
StoneAI governs the autonomous agents and bots operated by its Customers. One such Customer — the FANZ ecosystem — is StoneAI's first production tenant ("tenant zero"); FANZ is a customer of StoneAI, not its operator, parent, or affiliate. References to any individual Customer in this Policy are illustrative only.
02 Scope of This Policy
This Policy applies to personal data we process as a controller — for example, account and billing information for the individuals who administer a Customer's StoneAI subscription. Where StoneAI processes personal data on behalf of a Customer (data contained within decrees, covenants, or the governed systems themselves), we act as a processor, and that processing is governed by our Data Processing Addendum and the Customer's own privacy notices.
03 Data We Collect
Account & Identity Data
When an administrator creates or manages a StoneAI tenant, we collect names, business email addresses, organization names, authentication credentials (stored only as salted hashes), and the public keys used to verify covenant signatures. We do not collect or store the private keys used to seal covenants — those remain under the Customer's exclusive control.
Usage & Metering Data
To operate, secure, and bill the Service, we record metering data: the volume of decrees evaluated, covenants sealed, API calls made, plan tier, and overage counts. This data drives invoicing under your plan (see our Terms of Service) and capacity planning.
Decree Metadata
We retain metadata about decrees and covenants — content hashes, timestamps, the identity of the human who consented, the signing public key, and the decree's status. We design our pipeline to minimize the retention of decree payloads; where a Customer directs us to store payload content, that processing is governed by the DPA.
Audit Logs
Every consequential action — a covenant sealed, a decree rejected, a key rotated, a setting changed — is written to an append-only, hash-chained audit ledger. These tamper-evident records are essential to the integrity guarantees we provide and are described in our Security & Trust overview.
Technical Data
We collect IP addresses, device and browser identifiers, and diagnostic logs to authenticate sessions, detect abuse, and maintain reliability. We use only strictly necessary and functional cookies; we do not sell personal data or use third-party advertising trackers.
04 Payments & Card Data
StoneAI accepts payment through established processors — Stripe, PayPal, and Coinbase Commerce. When you pay, your card, bank, or cryptocurrency credentials are submitted directly to the relevant processor under their own security controls.
StoneAI does not store full payment card numbers or cryptocurrency wallet credentials. We receive only non-sensitive references — a token, the last four digits, a card brand, an expiry month, or a transaction identifier — sufficient to recognize a payment and reconcile your account. Each processor is an independent controller of the payment data it handles under its own privacy policy.
05 How We Use Personal Data
- To provision, operate, and secure the Service for your organization.
- To authenticate users, verify covenant signatures, and maintain the integrity of the audit ledger.
- To meter usage, calculate overages, and bill your plan through our payment processors.
- To prevent fraud and abuse and to enforce our Acceptable Use Policy.
- To monitor reliability against our Service Level Agreement and to improve the Service in aggregate.
- To send transactional and administrative communications (security notices, billing receipts, service-status updates).
- To comply with legal obligations and respond to lawful requests.
06 Legal Bases (GDPR)
For individuals in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under the General Data Protection Regulation:
| Processing Activity | Legal Basis |
|---|---|
| Providing and operating the Service to your organization | Performance of a contract (Art. 6(1)(b)) |
| Billing, metering, and fraud prevention | Legitimate interests & contractual necessity (Art. 6(1)(b)/(f)) |
| Security, audit-ledger integrity, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Legal, tax, and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Optional product communications | Consent (Art. 6(1)(a)), withdrawable at any time |
For California residents, we process personal information consistent with the California Consumer Privacy Act (CCPA/CPRA). We do not "sell" or "share" personal information as those terms are defined under California law.
07 Sub-Processors
We engage a limited set of vetted vendors to deliver the Service. Each is bound by written data-protection obligations no less protective than this Policy and our DPA.
| Sub-Processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting, compute, and encrypted storage | United States |
| Stripe | Card and bank payment processing | United States |
| PayPal | Wallet and bank payment processing | United States |
| Coinbase Commerce | Cryptocurrency payment processing | United States |
We maintain a current list of sub-processors and will provide reasonable advance notice of material changes so Customers may object as permitted under the DPA.
08 Data Retention
We retain account and billing data for the life of the subscription plus the period required to meet legal, tax, and accounting obligations. Audit-ledger records are retained for the contracted retention term to preserve their tamper-evident integrity; because the ledger is append-only and hash-chained, individual entries cannot be silently altered or removed. Diagnostic and technical logs are retained on a rolling basis and then purged. On termination, Customer data is handled per the DPA.
09 Your Rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data; to data portability; and to withdraw consent. EEA/UK residents may lodge a complaint with a supervisory authority. California residents may exercise rights to know, delete, correct, and to opt out of "sale"/"sharing" (which we do not engage in). To exercise any right, contact us at support@fanzunlimited.com. We will not discriminate against you for exercising your rights.
10 International Transfers
StoneAI is operated from the United States. Where we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with supplementary technical and organizational measures including encryption in transit and at rest.
11 Security
We protect personal data with per-tenant cryptographic isolation, Ed25519 covenant verification, an append-only hash-chained audit ledger, encryption in transit and at rest, and least-privilege access controls. Our full posture is described in our Security & Trust overview. No system is perfectly secure, but our consent-first, append-only design is engineered so that unauthorized changes are detectable rather than silent.
12 Children
StoneAI is an enterprise product not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
13 Changes to This Policy
We may update this Policy to reflect changes in our practices or the law. Material changes will be announced through the Service or by email, and the "Last updated" date above will change. Continued use after an update constitutes acceptance.
14 Contact Us
Questions, requests, or complaints regarding this Policy or your personal data: