Privacy Policy

Stringbase is a Translation Management System built for product teams. It lets you manage translation keys, run AI-powered translations, collaborate on reviews, and deliver translations to your applications via a REST API. We take your privacy seriously and have tried to write this policy in plain English rather than dense legal language.

By creating an account and using Stringbase, you acknowledge that you have read this policy and understand how we handle your data. If you have any questions, you can always reach us at hello@stringbase.io.

The data controller for personal data processed through Stringbase is:

As the data controller, we determine the purposes and means of processing your personal data. For questions about this policy or your data, please contact us at the email address above.

We use the data we collect only to provide, maintain, and improve the Stringbase service. Specifically:

To provide the service. Your account data enables you to sign in. Your product data (keys, translations, projects) is stored so you can manage it and share it with your team. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

To process payments. We pass billing information to Stripe to handle subscriptions and invoicing. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

To send transactional emails. We send you one-time passwords (OTP) for sign-in, team invitation emails, and @mention notifications. These emails are required for the service to function — you cannot opt out of them while using Stringbase. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

To monitor and improve the service. Anonymous, aggregate analytics help us understand which features are used and where we should improve the product. Legal basis: legitimate interests (GDPR Art. 6(1)(f)).

We do not use your data for advertising. We do not sell your data to any third parties. We do notuse your translation content — the actual text of your keys and translations — to train AI models or for any purpose beyond storing it in your account and passing it to xAI's API when you request a translation.

Stringbase uses the xAI Grok APIto power AI translation. When you request an AI translation for a key, the source text (and optionally a description and any glossary terms) is sent to xAI's API. The translated output is returned and stored in your account.

We do not store AI API request logsbeyond the translated output that is saved to your account. The source text sent to xAI is subject to xAI's own Privacy Policy. We recommend reviewing their policy if you have concerns about specific content being processed.

xAI is a US-based company. Sending data to their API constitutes a transfer of personal data outside the European Economic Area (EEA). This transfer is made under appropriate safeguards in accordance with GDPR requirements (Standard Contractual Clauses where applicable).

Your content is not used to train AI models. We do not use the text of your translation keys, translations, or any other content in your account to train any AI system — whether operated by us or a third party. Your content is exclusively used to provide the translation service to your account.

We use the following third-party service providers (data processors) to operate Stringbase. Each is bound by contractual obligations to process your data only on our instructions and in compliance with applicable data protection law.

Your data is stored on Supabase infrastructure using EU-region servers where available. All data is encrypted in transit using TLS (Transport Layer Security) and encrypted at rest.

Authentication is handled via email-based one-time passwords (OTP). Passwords are never stored — we use a passwordless sign-in flow. API keys are stored as SHA-256 hashes; we never store the raw key value after it is first generated.

We implement industry-standard security measures including access controls, encrypted communications, and regular review of our security practices. However, no system is completely secure and we cannot guarantee absolute security. In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR.

We retain your personal data for as long as your account is active or as needed to provide the service. The following retention periods apply:

Account and product data (your profile, projects, translation keys, translations, comments, and team information) is retained for as long as your account exists. When you delete your account, this data is permanently deleted within 30 days.

Payment recordsare retained for 5 years after the relevant transaction, as required by Polish tax law (ustawa o rachunkowości). This data is held in Stripe's systems and our billing records.

Anonymous analytics data collected via Vercel Web Analytics cannot be linked to individual users and may be retained indefinitely for statistical purposes.

Server logs containing IP addresses and technical request data are retained for a short period (typically 30–90 days) for security and debugging purposes, after which they are automatically deleted.

As an EU resident, you have the following rights under the General Data Protection Regulation. To exercise any of these rights, email us at hello@stringbase.io. We will respond within 30 days.

Right of access. You can request a copy of all personal data we hold about you.

Right to rectification. You can ask us to correct inaccurate or incomplete personal data. You can update your name and profile directly in your account settings.

Right to erasure.You can request deletion of your personal data (“right to be forgotten”). You can delete your account directly from settings. All personal data will be permanently removed within 30 days. Note that some data (payment records) must be retained for legal reasons as described in Section 8.

Right to data portability. You can export your translation data at any time using the JSON export feature or the Stringbase REST API. You can request a complete export of your personal data by emailing us.

Right to restrict processing. You can ask us to stop processing your data in certain circumstances, for example while a complaint is being investigated.

Right to object. You can object to processing based on legitimate interests (for example, our anonymous analytics). If you object, we will stop processing unless we have compelling legitimate grounds that override your interests.

Right to withdraw consent. Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Right to lodge a complaint. If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Polish data protection supervisory authority: Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl. You may also contact the supervisory authority in your country of residence within the EU.

Stringbase uses only essential cookies. Specifically, we use a session cookie provided by Supabase to maintain your authenticated login state. Without this cookie, you would need to sign in on every page visit. This cookie is strictly necessary for the service to function and does not require your consent under the ePrivacy Directive.

Vercel Web Analytics, which we use to understand product usage, is completely cookieless — it does not set any cookies and does not track you across sessions or websites. No cookie consent banner is displayed because no consent is required.

We do not use advertising cookies, social media tracking cookies, or any third-party cookies beyond the essential authentication session described above.

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes — such as new categories of data collection, new third-party processors, or changes to your rights — we will notify you by email at least 14 days before the changes take effect.

Continued use of Stringbase after changes take effect constitutes your acceptance of the updated policy. If you disagree with a material change, you may close your account before the change takes effect.