Privacy language must match the product
A privacy policy is not a collection of ideal statements. It is the plain record of which data the current service handles, why it handles it, where it goes, and what a person can do about it.
Stemma is reconciling the public policy with the shipping product, security boundary, vendor list, retention behavior, and legal obligations before publishing a final version.
What the final policy needs to answer
Data categories
The final policy must identify the information the service collects, the information users provide, and any operational data required to run the service.
Purpose and access
It must explain why each category is processed, who can access it, and how the privacy boundary described in the security documentation applies.
Retention and deletion
It must state retention periods, deletion behavior, export scope, and the practical steps a customer can take when their relationship with the service changes.
Before publication
- Product and engineering confirm actual data flows, support tooling, and export or deletion behavior.
- Operations confirm subprocessors, notifications, retention, and incident procedures.
- Legal approves jurisdictional language, contact information, and the version that will govern customer use.
Privacy question
Ask the team about the current public documentation. Do not send passwords, recovery material, or personal documents by email.
Contact Stemma