Privacy Policy
Last updated:
Steward is operated by Horizon Analytic Studios, LLC ("we," "us," or "our"). This Privacy Policy describes how we collect, use, and protect information when a local union ("the local") deploys Steward for its members and representatives.
Steward is licensed to the local. The local is the controller of its members' data; Horizon is the processor. Where this Policy describes choices about retention, access, or sharing, the local makes those choices and Horizon implements them.
Information We Collect
- Account information for representatives — name, email address, and authentication credentials. TOTP secrets for second-factor login are stored encrypted at rest.
- Member identifiers as the local provides them — typically a roster email or a local-issued member number. No SSNs, no payroll data; Steward does not need them.
- Questions members ask, the retrievals that answered them, and the answer text. This is the audit log; it is the product, not surveillance, and it exists so any answer a member saw on any date can be reconstructed for DFR purposes.
- Documents uploaded by reps into research threads (CBA excerpts, employer correspondence, claim files, MOU drafts). These stay in the local's storage prefix and are visible only inside the thread that owns them.
- Server logs — standard web server logs including IP addresses, user-agent strings, and request paths, used for support and abuse prevention.
How We Use Information
- To provide and maintain the Steward service for the local
- To send transactional emails (member sign-in links, rep digest emails, account notifications)
- To respond to support inquiries from the local's primary contacts
- To detect and prevent abuse, fraud, and policy violations
- To comply with legal obligations and to support the local's DFR obligations
What We Do Not Do
- We do not train models on the local's corpus or on member questions. The language models Steward uses are pre-trained; your corpus is retrieved against, not learned from.
- We do not call third-party inference APIs. No OpenAI, Anthropic, Google, Cohere, or other hosted LLM vendor sees member questions or your corpus. The model runs on infrastructure we (or you) operate directly.
- We do not aggregate questions or topics across locals. A trend that shows up in one local's queue is not summarized into a cross-tenant analytics product.
- We do not sell, license, trade, or rent personal information.
- We do not run advertising trackers, behavioral analytics, or cross-site fingerprinting on the marketing site or in-product.
Data Sharing (Subprocessors)
We share information only with the service providers required to deliver Steward, each subject to appropriate data-protection agreements:
- Amazon Web Services (AWS) — compute, database, object storage, secrets management, audit log storage.
- Cloudflare — DNS for the product domain. Hosting for our marketing site only; not in the in-product data path.
- Postmark — sending transactional emails (sign-in links, digest emails). No marketing email is sent through Postmark.
The current list of subprocessors lives at /subprocessors and is updated when it changes.
We may disclose information when required by law, to enforce our Terms of Service, to cooperate with a local's DFR-related inquiry, or to protect the rights, property, or safety of Horizon Analytic Studios, the local, the local's members, or others.
Per-Local Isolation
Each local gets its own Postgres database, its own object-storage prefix with its own IAM scope, and its own application instance. Locals do not share a database. The cross-tenant attack surface in application code is, by design, empty. See Security & DFR posture for the technical detail.
Data Security
We implement reasonable technical and organizational measures to protect information: encryption in transit (TLS 1.2+), encryption at rest, secrets stored in AWS SSM Parameter Store with managed-KMS encryption, password hashes computed with Argon2id, scoped per-tenant IAM roles, and the principle of least privilege for internal access. Horizon administrative access is out-of-band and audited at the infrastructure layer — there is no in-product superadmin role.
Data Retention
- Account data — retained while the local's deployment is active; deleted on deployment termination.
- Audit log of member-facing answers — retained for the life of the local's deployment by default, configurable per local in the deployment agreement.
- Matter uploads (rep workspace documents) — retained for the life of the thread that owns them, plus a tenant-configurable maximum-age cap.
- Server logs — 90 days for support and abuse prevention, then purged.
Specific retention windows are agreed with the local before deployment and reviewed by union counsel.
Your Rights
Depending on your jurisdiction, you may have the right to access, correct, port, or delete personal information about you. Rep accounts can be managed from the rep workspace. Members should contact their local's primary representative; the local controls member data access per the deployment agreement. For inquiries Horizon must handle directly, contact privacy@use-steward.com.
Children's Privacy
Steward is operated for union members and their representatives. It is not directed to children, and we do not knowingly collect information from anyone under 13.
International Data Transfers
Steward is operated from the United States (AWS us-east-2 by default). By using the service from outside the U.S., you consent to information being transferred to and processed in the U.S. A local that requires data residency outside the U.S. should raise that during deployment scoping; self-hosting is available as an option in those cases.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes are communicated to the local's primary contact at least 30 days before they take effect and reflected in the "Last updated" date above.
Contact
For privacy-specific questions: privacy@use-steward.com. For everything else: /talk-to-us.