Privacy Policy
Last updated: March 2026
1. Introduction
STEPlus (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information across all STEPlus products and services.
This policy applies to all users who access or interact with our Services, whether through a registered account or as a visitor. By using our Services, you acknowledge that you have read and understood this Privacy Policy. Please also review our Terms of Service, which govern your use of the Services.
2. Information We Collect
We collect information in the following categories:
- Account Information: When you create a STEPlus Identity account, we collect your name, email address, and mobile number. Passwords are hashed using bcrypt with salt and are never stored in plaintext.
- Usage Data: We collect information about how you interact with our Services, including pages visited, features used, actions taken, and performance metrics. This helps us improve the Services and diagnose technical issues.
- Content You Provide: Data you create, upload, or store through our Services, including:
  - Financial records, transactions, and party information in Cashbox
  - Database connection details and query history in ChatWithDB
  - Monitor configurations, status page content, and incident data in StatusAlert
  - Email templates, subscriber lists, campaign data, and SMTP credentials in MailCraft
STEPlus Tools does not collect any user data. All Tools operations run entirely in your browser.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve the Services.
- To authenticate your identity and manage your account across the STEPlus ecosystem via single sign-on.
- To send essential transactional communications, including password reset emails, email verification, security alerts, and account notifications.
- To detect, investigate, and prevent security incidents, fraud, and abuse.
- To monitor and improve the performance, stability, and reliability of the Services.
- To comply with applicable legal obligations and respond to lawful requests from authorities.
- To provide customer support when you reach out to us.
What we do NOT do with your data:
- We do not sell, rent, or trade your personal information to any third party.
- We do not use your data for advertising, ad targeting, or behavioural profiling.
- We do not use your content (financial records, queries, emails, etc.) to train machine learning models.
- We do not share your data with data brokers or marketing platforms.
4. Data Security
We employ industry-standard and advanced security measures to protect your data at every layer:
- Encryption at rest: All sensitive data is encrypted using AES-256-GCM — the same encryption standard used by banks and government agencies. This includes financial records in Cashbox, database credentials in ChatWithDB, SMTP credentials in MailCraft, and all authentication tokens.
- Encryption in transit: All communication between your browser and our servers is protected with TLS (Transport Layer Security) encryption.
- Password security: User passwords are hashed and salted. We never store passwords in plaintext and have no ability to recover them — only reset them.
- Authentication: JWT-based authentication with automatic token rotation and refresh token management. OAuth2 authorization code flow for cross-product single sign-on.
- Credential isolation: Database credentials, SMTP credentials, API keys, and other secrets are encrypted independently per product and per user. No credentials are stored in plaintext at any point.
- Infrastructure security: Our infrastructure is hosted on managed cloud platforms with enterprise-grade physical security, network isolation, automated backups, and regular security updates.
5. Data Sharing
We do not sell your personal information. We may share your information only in the following limited circumstances:
- Within the STEPlus Ecosystem: Your Identity account information (name, email, profile) is shared across STEPlus products to enable seamless single sign-on. Each product maintains its own isolated data store — Cashbox cannot access your MailCraft data, and vice versa.
- Service Providers: We use a limited number of third-party service providers for infrastructure (cloud hosting, content delivery) and transactional email delivery. These providers process data on our behalf under strict contractual data protection obligations and are prohibited from using your data for any other purpose.
- Legal Requirements: We may disclose your information when required by law, court order, subpoena, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our legal rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change and your options regarding your data.
6. Data Retention
We retain your data according to the following principles:
- Active accounts: Your account data and content are retained for as long as your account remains active and the Services are in use.
- Deleted accounts: When you delete your account through STEPlus Identity, your personal data and content are deleted immediately and permanently. This action cannot be undone and deleted data cannot be recovered. You are welcome to create a fresh account at any time.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Data portability: Request your data in a structured, commonly used, machine-readable format (where applicable, products support CSV and PDF export).
- Restriction: Request that we restrict the processing of your data in certain circumstances.
- Objection: Object to the processing of your data where processing is based on legitimate interests.
To exercise any of these rights, please contact us through our support portal. We will respond to your request within 30 days or as required by applicable law. We may ask you to verify your identity before processing your request.
8. Cookies & Local Storage
We use minimal cookies and browser storage for essential functionality only:
- Authentication tokens: Secure, HTTP-only cookies or localStorage entries used to maintain your login session across products.
- Theme preferences: A localStorage entry to remember your light/dark mode preference.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not integrate with any third-party tracking or advertising platforms. We do not use Google Analytics, Facebook Pixel, or similar tracking services.
9. Third-Party Services
Certain STEPlus products integrate with or allow connection to third-party services at your direction:
- ChatWithDB — AI Providers: When you use ChatWithDB, your natural language queries are sent to the AI provider you select (OpenAI, Anthropic, Google Gemini, or DeepSeek) to generate SQL. If you provide your own API keys, those keys are encrypted and stored securely. We do not control how third-party AI providers process your queries — please review their respective privacy policies.
- MailCraft — SMTP: MailCraft sends emails through SMTP servers that you configure. Your SMTP credentials are encrypted with AES-256-GCM before storage. Email delivery passes through your SMTP provider, not through STEPlus infrastructure.
- Cloud Infrastructure: Our Services are hosted on managed cloud platforms. Your data is processed and stored within the infrastructure regions used by these providers, subject to their security certifications and compliance standards.
10. Children’s Privacy
Our Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as promptly as possible. If you believe a child under 16 has provided us with personal information, please contact us immediately.
11. International Data
STEPlus operates globally, and your data may be processed and stored in data centres located in different regions. When we transfer data across borders, we ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws. By using the Services, you acknowledge and consent to the transfer of your data to regions where our infrastructure is located.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Services themselves. When we make material changes, we will provide at least 30 days' advance notice via email or in-app notification before the changes take effect.
The “Last updated” date at the top of this page indicates when this policy was last revised. We encourage you to review this policy periodically to stay informed about how we protect your data.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our support portal. We take every enquiry seriously and aim to respond within a reasonable timeframe.