Privacy
Last updated July 7, 2026
Still is built to hold your business calmly and quietly. We collect only what we need to do that, we protect it, and we do not sell it. This policy explains what we collect, why, who we share it with, how long we keep it, and the rights you have.
Who we are
Still is operated by House of Troy Enterprises LLC (doing business as “Still”), a California limited liability company. When this policy says “we,” “us,” or “Still,” we mean that company. This policy covers joinstill.co and the Still application. You can reach us any time at hello@joinstill.co.
What we collect
Account and profile information you give us, your name, email, business name, and the details you enter about your company.
Business content you create in Still, your roadmap, focus items, milestones, notes, and the documents you upload.
Financial and transaction data from the accounts you choose to connect, bank transactions and balances (through Plaid), Amazon Seller sales and settlement data, and orders from your website or store (for example WooCommerce). Still reads this data to build your profit-and-loss, cash, and tax views. We never see or store your bank login credentials, those are handled by Plaid.
Payment information: when you subscribe, our payment processor Stripe collects and stores your card and billing details on its own systems. We receive only limited information such as the last four digits, card type, and billing status; Still never sees or stores your full card number.
Basic usage and device data, pageviews, button clicks, waitlist signups, approximate location derived from IP address, browser and device type, and similar diagnostic information, collected first-party so we can keep Still secure, understand what is working, and improve it. We do not build advertising profiles or sell this data.
Connecting your bank through Plaid
When you link a bank or financial account, that connection is made through Plaid. You authorize Plaid to access your account and transmit its data to Still on your behalf, and Plaid collects your information in accordance with its own end-user privacy policy and terms, which govern that part of the flow. Plaid’s policy covers what Plaid does with your data; this policy covers what Still does with the connected-account data once we receive it, namely, building your financial views as described here. You can disconnect a linked account at any time from your settings.
Why we use it
To run Still: to keep your foundation, map, and record in order; to surface your financial, P&L, and tax views; to operate your account and subscription and process payments; to send you service and account email; to provide support; to keep the service secure and prevent fraud and abuse; to analyze and improve the product; and to meet our legal obligations and enforce our terms. We use your data to provide and improve the product for you, not to sell to anyone else.
Who we share it with
We do not sell your personal or financial information, and we do not share it for cross-context behavioral advertising. We share it only with the service providers and processors that make Still work, under agreements that limit them to performing their function for us:
· Plaid, securely connects your bank accounts and delivers transaction data, at your direction.
· Amazon (Selling Partner API) and your website/store platform (for example WooCommerce), the sources of your sales and order data, connected at your direction.
· Stripe, processes subscription payments and stores your card details on its own secure systems; Still never sees or stores your full card number.
· Supabase, our database and storage provider, where your account and business data is held.
· Resend, sends our transactional and account email.
· Vercel, hosts the application.
· AI provider, helps confirm a document is in the right place, categorize transactions, and suggest a starting roadmap. Your files and data are not retained by the AI provider to train its models.
We may also disclose information if required by law or valid legal process, to enforce our terms, or to protect the rights, safety, and security of Still, our users, or the public. If Still is ever involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to this policy.
Google Drive
If you connect Google Drive, your folder structure and files remain under your control. Still does not retain copies beyond files you upload through the Foundation interface, and it only ever touches folders it created. Still’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Cookies and tracking
We use a small number of first-party cookies and similar technologies to keep you signed in, remember your preferences, keep the service secure, and measure first-party usage. We do not use third-party advertising cookies and we do not track you across other sites for advertising. Because we do not sell or share personal information or use cross-site advertising, there is nothing for a “Do Not Track” or Global Privacy Control (GPC) signal to opt you out of; we honor those signals where required by treating them as a valid opt-out request. You can also control cookies through your browser settings.
Your rights and choices
You can access, correct, or delete your account data at any time from your settings, or by emailing hello@joinstill.co. You can disconnect any linked account (bank, Amazon, or store) whenever you like. You can opt out of non-essential marketing email using the unsubscribe link in those messages; we will still send transactional and account messages you need in order to use the service.
California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights over your personal information. This section describes our practices in the terms that law uses.
Categories we collect: identifiers (such as name and email); commercial information (such as your subscription and transactions); internet and device activity (such as usage and diagnostic data); geolocation inferred from IP address; and financial-account information you connect, which may be treated as sensitive personal information. We collect these from you directly, from your device as you use the service, and from the accounts and providers you connect (such as Plaid, Amazon, and your store). We use them for the business purposes described in “Why we use it,” and we do not use sensitive personal information for any purpose other than providing the service you asked for.
We do not sell your personal information, and we have not sold or “shared” it (as those terms are defined under the CPRA) in the preceding twelve months.
Subject to law, you have the right to: know and access the personal information we hold about you and how we use it; correct inaccurate information; delete your information; opt out of any sale or sharing (we do neither); and limit the use of sensitive personal information (we already limit it to providing the service). We will not discriminate against you for exercising these rights.
To make a request, email hello@joinstill.co with the subject “Privacy Request.” We will verify your request by confirming information associated with your account. You may use an authorized agent to submit a request on your behalf with proof of authorization. If we decline a request, you may appeal by replying to our response, and we will reconsider it.
Retention
We keep personal information for as long as needed to provide the service and for the purposes described here. Account data is kept for the life of your subscription plus 90 days. If you delete your account, your data is permanently removed after a 30-day grace period, except where we must retain limited records to meet legal, tax, security, or dispute-resolution obligations. Waitlist emails are kept for 12 months; usage analytics for 24 months. We may keep aggregated or de-identified data, which cannot reasonably identify you, without time limit.
Security
Connections are made over encrypted channels, access is tenant-scoped so one customer’s data is not visible to another, and sensitive credentials are encrypted at rest. We limit internal access to those who need it. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security, but we work to protect your data and to limit who can reach it. If we experience a data breach that affects your personal information, we will notify you and any regulators as required by applicable law.
Children
Still is a tool for businesses and is not directed to children under 13 (or 16 where applicable), and we do not knowingly collect their personal information. If you believe a child has provided us information, contact us and we will delete it.
Where your data is held
Still is operated from the United States, and your data is stored and processed here. If you access Still from outside the United States, you understand and agree that your information is transferred to and processed in the U.S., where privacy laws may differ from those where you live.
Changes
We may update this policy as Still grows or the law changes. When we do, we will revise the “Last updated” date above, and for material changes we will make a reasonable effort to notify you.
Contact
Questions or requests: hello@joinstill.co, or by mail at House of Troy Enterprises LLC (dba Still), 120 Tidal Line, Irvine, CA 92620.