Privacy Policy

Version 2026-06-18 ยท how we handle your data.
Draft - pending legal review. Straight Chaos is in alpha. This is a good-faith, plain-language description of the data we collect and how we use it, not yet reviewed by counsel. It does not constitute legal advice, and the final policy may differ.

This policy explains what Straight Chaos ("we", "us") collects when you use the platform, why we collect it, who we share it with, and the choices you have. It covers the website, the control plane, and the chaos agent you install. For how the software behaves and the risks of running experiments, see the Terms of Service & Risk Acknowledgment.

1. What we collect

CategoryExamplesWhy
Account Workspace name, your email address, a hashed password, team invites, session tokens, API tokens (stored hashed). To create and secure your account and let your team sign in.
Experiment & agent data Experiments, schedules, scenarios, results, agent hostnames/instance IDs, discovered dependencies, and the audit log of actions in your workspace. To run the product and show you what happened.
Guardrail / AI-agent activity The metadata your guarded agents report, identity, destination host/model/table, verb, decision (allow/deny), token counts, and estimated cost. We do not store the body of your agents' requests or responses. To power the monitoring dashboard, alerts, and the spend & governance digest you enable.
Billing Your plan, subscription status, and a Stripe customer/subscription ID. Card details go directly to Stripe, we never see or store your card number. To process payments for paid plans.
Operational Server logs (IP address, user agent, timestamps), needed for security and debugging. To keep the service running and safe.

2. How we use it

We do not sell your data, and we do not use your experiment or agent-activity data to train models.

3. Who we share it with (subprocessors)

We use a small set of vendors to run the service. They process data on our behalf, only as needed:

SubprocessorPurpose
StripePayment processing and subscription billing.
Fly.ioHosting for the control plane and website.
TigrisObject storage for release downloads and assets.
Email relay (e.g. SES / Postmark / Resend)Delivery of transactional email.

We may also disclose information if required by law, or to protect the rights, safety, and security of our users or the service.

4. Where your agent data goes

The chaos agent runs on infrastructure you control. Faults execute locally on your hosts; we don't see the traffic, files, or processes involved, only the experiment results and activity metadata your agent chooses to report back to the control plane. When you enable TLS termination, decryption happens on your host via a CA you install; the decrypted content stays on your side.

5. Retention

We keep account and workspace data for as long as your account is active. You can delete a guarded agent's activity from the dashboard at any time, and deleting a resource removes it from your workspace. When you close your account we delete or anonymize your data within a reasonable period, except where we must retain records (e.g. payment/tax records held by Stripe).

6. Security

No system is perfectly secure, but we work to protect your data and limit who can access it.

7. Cookies

We use a session token stored in your browser to keep you signed in to the dashboard. We don't use third-party advertising or cross-site tracking cookies.

8. Your choices & rights

9. International users & children

Straight Chaos is operated from the United States; using it means your data may be processed there. The service is for businesses and professionals and is not directed to children under 16, and we don't knowingly collect their data.

10. Changes

We may update this policy as the product evolves. We'll revise the version date above, and for material changes we'll surface a notice in the app. Continuing to use the platform after a change means you accept the updated policy.

Questions about your data? Email hello@straightchaos.com.
See also the Terms of Service & Risk Acknowledgment.