Back|Stageholder

Privacy Policy

Effective date: April 13, 2026

1. Introduction

Stageholder (“we,” “our,” or “us”) operates the Stageholder Hub at id.stageholder.com. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Service.

The Hub is the centralized authentication hub for the Stageholder product suite, including Atlas, Meridian, and Almanac. By using the Service, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and handling your data transparently and responsibly.

2. Information We Collect

We collect the following categories of information:

Account Information

  • Email address — used as your primary identifier and for transactional communications.
  • Display name — the name you provide during registration, shared with Stageholder products.
  • Password hash — your password is never stored in plain text. We store only a hash derived using argon2id with a unique salt.
  • Account metadata — creation date, last updated timestamp, and account status.

Organization Data

  • If you are associated with an organization on the Stageholder platform, organization membership information including your role within that organization.

Authentication Data

  • Session tokens — signed tokens stored in secure cookies to maintain your authenticated session.
  • Login timestamps — the date and time of successful authentication events.
  • OIDC grants — records of which Stageholder products you have authorized to receive your identity information via OpenID Connect.

Audit Logs

  • IP address — recorded at authentication events for security and fraud detection purposes.
  • User agent — the browser or client software used to access the Service.
  • Authentication events — a log of sign-in attempts, password changes, session revocations, and other security-relevant actions on your account.

Usage Data

  • Basic service interaction data, such as pages visited within Stageholder Hub, to support service operation and improvement. We do not use third-party analytics trackers.

3. How We Use Your Information

We use your information for the following purposes:

  • Provide and maintain the Service — to create and manage your account, authenticate your identity, and enable access to Stageholder products.
  • Authentication and SSO — to verify your identity and issue OIDC tokens that allow you to sign in to Stageholder products without re-entering your credentials.
  • Security and fraud prevention — to detect and respond to unauthorized access attempts, protect your account, and maintain the security and integrity of the Service.
  • Communication — to send you transactional emails such as password reset instructions, security alerts, and account notifications. We do not send marketing emails through the Hub.
  • Service improvement — to understand how the Service is used, diagnose technical issues, and improve reliability and performance.
  • Legal compliance — to comply with applicable laws, regulations, and lawful requests from public authorities.

4. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following limited circumstances:

With Stageholder Products

When you authenticate with a Stageholder product (Atlas, Meridian, Almanac) via Single Sign-On, we share your identity information through a signed OIDC token. This token contains your email address, display name, and a unique user identifier. Products receive only the information necessary for authentication; your password hash and audit logs are never shared.

With Service Providers

We work with third-party service providers who assist us in operating the Service, including:

  • Infrastructure and hosting — providers who host our servers and databases.
  • Email delivery — providers who send transactional emails on our behalf, such as password reset messages.

These providers are contractually obligated to process your data only as directed by Stageholder and in accordance with this Privacy Policy.

For Legal Requirements

We may disclose your information if required to do so by law or in response to a valid legal process, such as a court order or government request. We will notify you of such requests where legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of Stageholder’s assets, your information may be transferred to the acquiring entity. You will be notified of any such change in ownership.

5. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption in transit — all data transmitted between your browser and the Service is encrypted using HTTPS/TLS.
  • Password hashing — passwords are hashed using argon2id, a memory-hard function designed to resist brute-force attacks, with a unique salt per password.
  • Signed session cookies — session cookies are cryptographically signed using HMAC-SHA256 to prevent tampering and session forgery.
  • Audit logging — security-relevant events are logged to enable detection of and response to unauthorized access.
  • Access controls — access to production systems and personal data is restricted to authorized Stageholder personnel on a need-to-know basis.

While we take security seriously and implement these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your information.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Account data — retained for the lifetime of your account. Upon account deletion, your profile data is removed within 30 days.
  • Audit logs — retained for up to 90 days to support security investigations and comply with legal obligations.
  • Session data — active sessions expire after 24 hours of inactivity. Session records are purged after expiry.
  • Backup data — database backups may retain data for up to 30 additional days following deletion before being overwritten.

7. Your Rights

You have the following rights with respect to your personal information:

  • Access — you may request a copy of the personal information we hold about you.
  • Correction — you may update your name and email address directly from your account settings at any time.
  • Deletion — you may delete your account from your account settings. Upon deletion, we will remove your personal data in accordance with our retention policy.
  • Export — you may request an export of your account data in a machine-readable format by contacting us.
  • Objection and restriction — you may object to certain processing activities or request that we restrict processing in specific circumstances.

To exercise any of these rights, contact us at privacy@stageholder.com. We will respond to requests within 30 days.

8. Cookies and Tracking

We use cookies solely for essential service functions — specifically, to maintain your authenticated session and manage the OpenID Connect login flow. We do not use marketing cookies, advertising trackers, or third-party analytics cookies.

The cookies we use include:

  • sid — an essential session cookie that authenticates your identity with the Service.
  • OIDC cookies — essential cookies used to manage the Single Sign-On flow between the Hub and Stageholder products.

For full details, please see our Cookie Policy.

9. International Data Transfers

Your information may be stored and processed in any country where Stageholder or its service providers operate. By using the Service, you acknowledge that your information may be transferred to countries that may have different data protection laws than your country of residence.

Where required, we will implement appropriate safeguards for such transfers, including standard contractual clauses approved by the relevant data protection authority.

10. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

If you believe we have collected information from a child under 16, please contact us at privacy@stageholder.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the effective date at the top of this page. For material changes, we will provide additional notice, such as an email to the address associated with your account.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

© 2026 Stageholder. All rights reserved. Terms · Privacy · Cookies