This policy explains what Straight Chaos ("we", "us") collects when you use the platform, why we
collect it, who we share it with, and the choices you have. It covers the website, the control
plane, and the chaos agent you install. For how the software behaves and the risks of
running experiments, see the Terms of Service & Risk Acknowledgment.
| Category | Examples | Why |
|---|---|---|
| Account | Workspace name, your email address, a hashed password, team invites, session tokens, API tokens (stored hashed). | To create and secure your account and let your team sign in. |
| Experiment & agent data | Experiments, schedules, scenarios, results, agent hostnames/instance IDs, discovered dependencies, and the audit log of actions in your workspace. | To run the product and show you what happened. |
| Guardrail / AI-agent activity | The metadata your guarded agents report, identity, destination host/model/table, verb, decision (allow/deny), token counts, and estimated cost. We do not store the body of your agents' requests or responses. | To power the monitoring dashboard, alerts, and the spend & governance digest you enable. |
| Billing | Your plan, subscription status, and a Stripe customer/subscription ID. Card details go directly to Stripe, we never see or store your card number. | To process payments for paid plans. |
| Operational | Server logs (IP address, user agent, timestamps), needed for security and debugging. | To keep the service running and safe. |
We do not sell your data, and we do not use your experiment or agent-activity data to train models.
We use a small set of vendors to run the service. They process data on our behalf, only as needed:
| Subprocessor | Purpose |
|---|---|
| Stripe | Payment processing and subscription billing. |
| Fly.io | Hosting for the control plane and website. |
| Tigris | Object storage for release downloads and assets. |
| Email relay (e.g. SES / Postmark / Resend) | Delivery of transactional email. |
We may also disclose information if required by law, or to protect the rights, safety, and security of our users or the service.
The chaos agent runs on infrastructure you control. Faults execute locally on
your hosts; we don't see the traffic, files, or processes involved, only the experiment results and
activity metadata your agent chooses to report back to the control plane. When you enable TLS termination,
decryption happens on your host via a CA you install; the decrypted content stays on your side.
We keep account and workspace data for as long as your account is active. You can delete a guarded agent's activity from the dashboard at any time, and deleting a resource removes it from your workspace. When you close your account we delete or anonymize your data within a reasonable period, except where we must retain records (e.g. payment/tax records held by Stripe).
No system is perfectly secure, but we work to protect your data and limit who can access it.
We use a session token stored in your browser to keep you signed in to the dashboard. We don't use third-party advertising or cross-site tracking cookies.
Straight Chaos is operated from the United States; using it means your data may be processed there. The service is for businesses and professionals and is not directed to children under 16, and we don't knowingly collect their data.
We may update this policy as the product evolves. We'll revise the version date above, and for material changes we'll surface a notice in the app. Continuing to use the platform after a change means you accept the updated policy.