statelod e
Docs Log in
Start free

Privacy Policy

Last updated June 26, 2026

StateLode (“StateLode”, “we”, “us”) provides a hosted, MCP-native shared task layer for AI coding agents. This Privacy Policy explains what we collect, how we use it, who we share it with, and the choices you have. It applies to the StateLode service at statelode.dev, app.statelode.dev, and the MCP/API endpoints at api.statelode.dev (together, the “Service”).

1. Who this applies to

  • Account holders who sign in to StateLode.
  • Members of a workspace whose tasks are managed in StateLode.
  • AI coding agents that connect to the Service on your behalf over MCP.
  • Visitors to our marketing site and documentation.

2. Information we collect

Identity and account data

Sign-in is handled by WorkOS AuthKit, our identity provider. Through this OAuth flow we receive and store your email address, your display name (if provided), a unique user identifier, and the identifiers of the login method you used (for example, Google, GitHub, or email). We never receive or store your password or the credentials you use with a third-party login provider.

Workspace and task content

The core of the Service is the content you and your connected agents create and manage, including:

  • workspace and project names;
  • task titles, descriptions, comments, statuses, priorities, tags, assignees, and sprint data;
  • access tokens that authorize an agent or IDE to reach your workspace.

This content is supplied by you and by the AI agents you authorize. Because agents read and write task content over MCP, treat any text you place in a task (titles, descriptions, comments) as data that will be processed by StateLode and by the agents you connect.

Usage, logs, and diagnostics

When you or your agents call the API/MCP endpoints, we automatically record operational data such as:

  • IP address, user agent, and request timestamps;
  • the MCP tools invoked and the project/workspace involved (for rate-limiting, abuse prevention, and debugging);
  • error and performance diagnostics captured by our monitoring provider (Sentry).

Product and website analytics

We use PostHog to understand how the Service and our marketing site are used. On the marketing site this is limited to a small number of events (such as a page view and a call-to-action click) along with referral/UTM parameters, joined by a single anonymous identifier stored in your browser’s localStorage. We do not set advertising cookies, and we instruct PostHog not to build a person profile from these events. In the product we record high-level funnel events (for example, that a workspace was provisioned or an agent connected) to measure activation.

Email

If we send you transactional email (for example, account or notification messages), your email address is processed by our email provider (Resend) to deliver that message. We do not send marketing email without your consent.

3. How we use information

We use the information above to:

  • provide, operate, and secure the Service and synchronize task state across your agents and IDEs;
  • authenticate you and authorize access to the correct workspace;
  • prevent abuse, enforce limits, debug, and maintain reliability;
  • communicate with you about your account and service-related notices;
  • understand product usage and improve StateLode;
  • comply with legal obligations.

For users in the EEA/UK, our legal bases are performance of our contract with you (operating the Service), our legitimate interests (security, abuse prevention, and product improvement), your consent where required (for example, certain analytics), and compliance with legal obligations.

4. How we share information — sub-processors

We do not sell your personal data and we do not share it for advertising. We share data with a small set of service providers (“sub-processors”) who process it only on our instructions to run the Service:

Sub-processor Purpose Data processed
WorkOS Authentication / identity (OAuth) Email, name, user & login identifiers
Neon Managed Postgres database hosting Account data and all workspace/task content
Vercel Application & website hosting / edge delivery Request metadata, IP address
Resend Transactional email delivery Email address, message content
PostHog Product & website analytics Usage events, anonymous id, referral data
Sentry Error monitoring & diagnostics Error reports, request and device metadata

We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, and security of StateLode, our users, or the public. If StateLode is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction; we will note any such change here.

5. AI agents and third-party tools

StateLode is designed to be connected to AI coding agents and IDEs (such as Claude Code, Cursor, Codex, Windsurf, and Antigravity) over MCP. When you authorize one of these tools, it can read and write your workspace and task content. Those tools are operated by their own vendors under their own privacy policies and are not StateLode sub-processors; what they do with content they read is governed by their terms, not ours. Only connect tools you trust, and revoke a token if you no longer want a tool to have access.

6. International transfers

Our providers may process data in the United States, the European Union, and other regions. Where personal data is transferred across borders, we rely on appropriate safeguards (such as the providers’ Standard Contractual Clauses) to protect it.

7. Data retention

  • Workspace and task content is retained for as long as your workspace is active. When you delete a task, workspace, or your account, we remove the corresponding content from our production database within 30 days, after which it ages out of encrypted backups within a further 30 days.
  • Operational logs and diagnostics are retained for a limited period (typically up to 30 days) and then deleted or aggregated.
  • Analytics events are retained according to our analytics configuration and are not tied to your account identity beyond what is described above.

We may retain limited information for longer where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.

8. Security

We protect your data with encryption in transit (TLS), access controls, scoped workspace tokens, and reputable infrastructure providers. No system is perfectly secure, but we work to protect your information and to limit access to it on a need-to-know basis. If you believe your account or a token has been compromised, contact us immediately and rotate the affected token.

9. Your rights and choices

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. You can:

  • access and edit most account and workspace data directly in the app;
  • revoke a workspace token at any time to cut off an agent’s access;
  • request access, export, or deletion of your data by contacting us.

We will respond to verified requests as required by applicable law. You may also have the right to lodge a complaint with your local data protection authority.

10. Children’s privacy

StateLode is a tool for software developers and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

12. Contact us

Questions, requests, or concerns about this policy or your data? Email us at hello@statelode.dev.

statelod e

The hosted task/state layer for AI coding agents.

Docs Privacy llms.txt OG card