How Storgy handles your data.

Independent reviews & agreements

Where we are in the formal review queue.

Sub-processors

Six third parties touch customer data. Here they are.

Every external service that processes Storgy customer data is listed below with the specific purpose and a direct link to their privacy policy. If we add or remove a sub-processor, this list is updated and the date band at the top of the page is bumped. Districts on the SDPC DPA are notified by email.

• Anthropic

  Privacy policy →

  Claude API — first-pass editorial drafts

• OpenAI

  Privacy policy →

  GPT-4o-mini — humaniser pass over AI-drafted text

• Resend

  Privacy policy →

  Transactional email — magic-link auth, digests, receipts

• Paddle

  Privacy policy →

  Billing merchant of record — global VAT and refunds

• Hetzner

  Privacy policy →

  Application and Postgres hosting — Falkenstein, Germany

• Cloudflare

  Privacy policy →

  CDN + WAF — read-only HTML and image cache, no PII at edge

AI policy

What the models do, and what they do not do.

• We draft with Claude (Anthropic).

• We humanise with OpenAI (GPT-4o-mini).

• Every editorial block is read by a human teacher before publishing.

• We do not train models on customer data. Both API providers contractually exclude API inputs from training by default.

Customer paste content — anything submitted via the Poem Analyzer, Essay Scaffold, or other tools — is held only to serve the response and to maintain the share URL. It is never reused as training data on our side either.

Going deeper

For procurement teams.

The page you’re reading is the short version. The full security disclosure — encryption, residency, breach notification, vulnerability disclosure, and the honest list of certifications we do not yet hold — lives at /security/. The legal privacy policy with retention windows and contact details lives at /privacy/.