Privacy Policy
Your privacy is important to us. Here is the straightforward breakdown of how we handle personal data, what we collect when you use the Styra dashboard, and how we protect your information.
What information we collect
We collect minimal information to provide and improve the Styra service. When you create an account, we collect your email address, name, and basic account credentials.
We also collect basic usage statistics when you interact with the Styra dashboard (e.g. page views, dashboard actions) to help us find and resolve UI bugs and optimize page performance.
Data collection by the SDK
As covered in our Security Policy, the Styra SDK itself does not collect personal data from your website's visitors. We do not inspect, collect, or store device details, IP addresses, or visitor identities.
The SDK solely queries our API to fetch configuration variables and returns event counts for feature rollout tracking.
Data sharing and third parties
We do not sell, trade, or rent your personal information to anyone. We only share information with trusted third-party service providers who assist us in operating our platform, conducting our business, or serving you (such as database hosting and authentication services).
All third-party service providers are contractually obligated to keep your information confidential and secure under strict data protection terms.
Your control and data rights
You are always in control of your account data. You can inspect, modify, or delete your account information directly from your Styra dashboard settings at any time.
If you wish to permanently delete your account and all associated configuration data, you can trigger this in the account dashboard or contact our support team. Once requested, your account data will be permanently deleted from our active databases within 30 days.
Security Policy
Short version: we don't want your users' personal data, we don't ask for it, and the SDK isn't built to collect it. Here's the breakdown of what we do, what we don't, and what you should avoid putting into Styra.
What we actually store
Styra's whole job is delivering config values, A/B test assignments, and event counts back to your app. That's it. We store the values you put in your dashboard, the test and event names you create, and counts of how often things happen.
We don't collect names, emails, IP addresses, or device info as part of normal SDK use. There's no field for it in the SDK — there's literally nowhere to put that kind of data even if you wanted to.
We run on our own, separate infrastructure
Styra runs independently from your app and from every other customer using Styra. Your variables, test results, and event data are scoped to your API key — they never mix with anyone else's.
The SDK only talks to our backend, over HTTPS. No hidden analytics pipeline, no ad network, no selling data. Your data exists to power your config — that's the whole transaction.
What ends up in your visitors' browsers
In client-side mode, the SDK saves values in localStorage so it doesn't have to ask the dashboard every time. This only ever contains what your dashboard is already serving publicly — variable values, test versions, which events have fired. It's encoded, not encrypted, and tied to your domain.
Anyone with dev tools open and enough patience can read what's in localStorage. That's true for every SDK that does client-side caching, not just ours. Good rule of thumb: assume anything you pass through getVariable() could eventually be seen by a curious user.
What to store (and what not to)
Don't put these in Styra variables
- •API keys or secrets for other services
- •Server-only environment variables — database URLs, signing secrets, etc.
- •Personal info like emails, names, or phone numbers
- •Anything that would cause a problem if someone extracted it from their own browser
These are exactly what variables are for
- •Feature flags and rollout percentages
- •Banner text, promo messages, UI copy
- •Non-sensitive limits — rate limits, max items, that kind of thing
- •A/B test setup and routing logic
Keep your secret key on the server
- •Your server-side key should never show up in client bundles, console logs, or a public repo
- •Use your client-side (public) key for anything running in the browser — it's built to be exposed
You're always the one in control
Everything Styra can return is something you put there yourself. We don't guess, infer, or quietly add anything about your users. No sensitive data goes in, no sensitive data can come out.
Got questions about retention, deletion, or anything else here? Just ask us directly — we'd rather give you a straight answer than point you at a 40-page document.