Privacy
What Amber is
Amber is a hosted, append-only SQL database service built to be handed to AI agents: through Amber, an agent can read and write freely but cannot irreversibly delete or overwrite data — permanent removal requires a human’s approval. Amber is operated by Stackwell Labs LLC, a company registered in Wyoming, USA.
Data we hold
- Your database contents. Whatever you and your agents write into your Amber databases. You decide what that is; we store it on your behalf and do not read, mine, or use it for anything other than operating the service. Each tenant database is a separate file on encrypted storage (AWS EFS, encryption at rest) — there is no cross-tenant addressing.
- Append-only version history. By design, every version of every row is retained: edits and deletes are reversible, and old versions remain until they are permanently removed through the human-approved purge path. This retention is the product, not a side effect.
- Access-token hashes. The scoped bearer tokens that gate each database are stored only as SHA-256 hashes — we cannot recover a raw token after it is minted and shown to you once.
- Purge and approval records. Purge requests, their decisions (approved or rejected), and when they were settled — the audit trail of permanent removals. Databases configured for Granite-mode approval have their decisions recorded in Granite, another Stackwell Labs service, under your Granite account.
- Control records. Per-database metadata: a database identifier, its approval mode, and an owner identifier (for Granite mode, a pseudonymous subject identifier — not your email address or name).
- Service logs. Operational logs (AWS CloudWatch) kept for 30 days.
- Correspondence. If you email us — for example to request early access — we hold that correspondence, including your email address.
There is no tracking, no analytics, and no advertising on this site or in the service. We do not sell or share your data. One disclosure for completeness: these web pages load fonts from Google Fonts, which means your browser makes a request to Google’s servers when viewing them.
Why we hold it
- To store and serve your databases — that is the service.
- To keep the append-only guarantee: reversible history plus an auditable, human-approved path for permanent removal.
- To keep the service secure and prevent abuse (token scoping, rate limits).
Sub-processors
- Amazon Web Services — hosting, storage, and backups, in the us-east-1 (N. Virginia, USA) region.
- Google Fonts — font delivery for these web pages only; no service data is sent to Google.
Where your data lives
Amber stores and processes data in the United States. If you use Amber from a jurisdiction with data-transfer rules (such as the EEA or UK), your data is sent to and processed in the US, and is protected as described in this policy.
Retention
Your data is kept for as long as your database exists, including its full version history — that retention is the guarantee Amber provides. Data leaves Amber in two ways: a human-approved purge (which removes specific rows or tables and their history), or deletion of the whole database (which removes its file, its history, and its tokens). Two practical caveats: daily encrypted backups are kept for 35 days, so purged or deleted data can persist in backups for up to 35 days after removal; and service logs are kept for 30 days.
Your rights
Amber is in early access and tenants are provisioned by hand, so data-subject requests are handled the same way: email aws-amber@stackwell.tech and we will export your databases to you (access and portability) or delete them (erasure). Note that your own agent and operator tokens already give you full read access to everything Amber holds in your databases, and the purge path is the built-in erasure mechanism for individual rows and tables. If you are in the EEA or UK, you may also lodge a complaint with your supervisory authority.
Children
Amber is not directed to children under 13 — or the higher minimum age your jurisdiction sets for consenting to online services — and we do not knowingly collect data from them.
If something goes wrong
If a breach affects your data, we will notify you without undue delay and, where required, the supervisory authority.
Changes
If this policy changes, we will update it here and revise the effective date above.