Privacy Policy
Steerly is a security product, so we hold ourselves to a security product's standard: collect as little as possible, keep your source on your machine, and tell you plainly what we do with the rest.
The short version. Steerly runs locally and observes the commands, tool events and pull-request diffs your agents produce — it does not store or retain your source code. We collect the account, billing and product-telemetry data needed to run the service, never sell your data, and let you export or delete it on request.
01 Who this covers
This policy applies to the Steerly desktop workbench for macOS and Windows, the Steerly account and billing portal at app.steerly.ai, the optional GitHub App for pull-request risk briefs, and this marketing site. It applies to individuals who install Steerly and to organizations whose engineers use it.
Where your employer administers Steerly on your behalf, that organization is the data controller for workspace data; Steerly acts as a processor under their instructions.
02 What Steerly sees — and what it doesn't
Steerly sits between your coding agents and your machine. To classify actions it inspects, in memory and on your device:
- Commands and tool calls an agent proposes — the command string, the matched policy rule, and the resulting allow / ask / deny verdict.
- Metadata about touched files — paths and change types for risk scoring. Pull-request diffs are scanned to produce a risk brief.
- Approvals and audit events — who approved what, when, and in which session.
Steerly does not store or retain your source code. When the data-loss-prevention detector matches a secret, only byte offsets of the match are recorded — the literal secret never enters audit storage.
03 Information we collect
Account & billing
Your name, work email, organization, and the subscription tier you chose. Payments are processed by our payment provider; we store the last four digits and card brand for receipts, never the full number.
Product telemetry
Aggregate, privacy-preserving counts — sessions started, verdicts by class, feature usage, crash diagnostics. Telemetry is metadata about how the product is used, not the content of your work, and can be disabled in settings.
Support
If you contact us, we keep the correspondence and any diagnostics you choose to attach.
04 What stays on your machine
Steerly is local-first by design — it has to run on your machine to watch the agents there. Your command audit log, memory-graph notes, and policy packs live in a local .steerly/ directory in your project. They are synced to our control plane only if you are on a plan with cloud policy sync or team audit, and only the events described above are sent — never your repository contents.
05 How we use information
- To provide the workbench, firewall, Security Room, and PR risk briefs.
- To operate your account, process subscriptions, and send service notices.
- To improve reliability and accuracy using aggregate telemetry.
- To detect abuse and keep the service secure.
We do not use your data to train foundation models, and we never sell personal information.
07 Data retention
Account and billing records are kept for the life of your subscription and as long as the law requires afterward. Cloud-synced audit events are retained for your plan's audit window (30 days on Security, configurable on Enterprise). Local data is kept until you delete it. Telemetry is retained in aggregate.
08 Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. We honor these rights for everyone, regardless of location. To exercise them, email [email protected]; we respond within 30 days.
09 International transfers
Steerly is operated from the United States. Where we move data across borders, we rely on appropriate safeguards such as Standard Contractual Clauses. Enterprise customers can request regional data residency.
10 Changes & contact
We will post any material change here and update the date above; significant changes are also emailed to account holders. Questions about this policy, or about your data, go to [email protected] or our contact page.