Privacy

Last updated: 2026-05-06

This page describes what data STACK collects, how it's used, and how to exercise your rights. STACK is operated from Stockholm, Sweden, with infrastructure in the EU (Frankfurt). EU / UK / EEA visitors are covered by GDPR + ePrivacy. US visitors are covered by CCPA / CPRA where applicable. We apply the stricter standard wherever there's overlap.

Data we collect

Account data (when you sign up)

  • Email address (magic-link auth — no passwords stored)
  • Operator profile: tier, billing status, team membership
  • API keys, agent IDs, passport metadata you create using the platform

Identity claims (only when you opt in)

  • Layer 2 identity verification (BankID, Stripe Identity, etc.) is opt-in and used only when you explicitly run a verification flow. PII is encrypted at rest with AWS KMS, never stored in JWTs, never shared.

Anonymous analytics (cookies + cookieless)

  • Page URL, referrer, browser/OS/device type, country (and city when available), pageview timestamps.
  • Anonymous interaction events: clicks on landing-page CTAs, navigation between docs pages.
  • No PII in analytics: we don't link analytics events to your account, email, or any personal identifier. IP addresses are anonymized by the analytics providers before storage.

Operational logs

  • Every API request you make is recorded in a tamper-evident audit log with cryptographic chaining (this is part of the product, not analytics). Retention is tier-based: 7 days (Free), 30 (Developer), 90 (Studio), 365 (Enterprise).
  • Error reporting (Sentry, EU region): exception stack traces, request paths, sanitised request payloads. No raw credentials, no full PII bodies.

Why we collect it

  • Account data: to provide the service you signed up for (Art. 6(1)(b) GDPR — performance of contract).
  • Identity claims: only when you opt in for an L2 verification (Art. 6(1)(a) GDPR — consent; PII processed under Art. 9 with explicit consent).
  • Analytics: to understand how STACK is used and improve the product (Art. 6(1)(f) GDPR — legitimate interests, balanced against your privacy via cookieless defaults in EU/UK/EEA and IP anonymisation everywhere).
  • Audit logs: security and accountability — both for you (your agents' activity) and us (regulatory compliance, incident response).

Cookies and similar technologies

STACK uses one anonymous analytics cookie when you accept it. We do not use advertising cookies, marketing pixels, or cross-site trackers.

EU / UK / EEA visitors

We default to memory-only mode (no persistent storage) until you click Accept on the cookie banner. Decline keeps tracking off entirely for that browser. Your choice persists in your browser's localStorage so you're not asked again. To change your choice, clear site data for getstack.run in your browser and we'll show the banner again.

US / Rest of World visitors

Anonymous analytics is on by default, in line with your jurisdiction's opt-out (rather than opt-in) standard (CCPA, PIPEDA, etc.). To opt out, set localStorage.stack_internal_user = '1' in your browser console (this disables analytics for your browser entirely) — or email us and we'll help.

The technical mechanism is identical in both regions; only the default differs. There's no advertising data leaving STACK for any visitor under any setting.

Subprocessors

  • Fly.io (Stockholm, EU): hosting infrastructure for API, dashboard, MCP server.
  • Cloudflare (global): DNS, CDN, basic web analytics (cookieless).
  • PostHog Cloud EU (Frankfurt): product analytics. EU-hosted; data does not leave the EU.
  • Stripe (Ireland for EU customers, Delaware for US): payment processing.
  • Resend (US): magic-link emails. Recipient email + link only; no behavioural data.
  • Twilio (US): SMS notifications when configured by you.
  • Sentry (Frankfurt EU region): error reporting. Sanitised stack traces.
  • OpenRouter (US): LLM routing for AI-powered detectors. Inputs are detector prompts + ephemeral payload snippets, no PII.
  • Cloudflare Turnstile + Stripe Identity: identity-claim providers, used only when you run an L2 verification flow.

All subprocessors are bound by data-processing agreements and (where applicable) Standard Contractual Clauses for cross-border transfers.

Your rights

EU / UK (GDPR)

  • Access — request a copy of personal data we hold about you (Art. 15)
  • Rectification — correct inaccurate data (Art. 16)
  • Erasure — delete your data, subject to retention obligations (Art. 17)
  • Restriction — restrict processing under specific circumstances (Art. 18)
  • Portability — receive your data in machine-readable format (Art. 20)
  • Objection — object to processing under legitimate interests (Art. 21)
  • Withdraw consent — for any processing where consent was the lawful basis (Art. 7(3))
  • Lodge a complaint — with your EU/UK/EEA data protection authority. Sweden: Integritetsskyddsmyndigheten (imy.se).

US (CCPA / CPRA — California residents)

  • Right to know what personal information we collect about you and why
  • Right to delete personal information we hold
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information. STACK does not sell or share personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising any of these rights

Other US states (Colorado, Virginia, Connecticut, Utah, Texas, etc.) have similar rights — we honour them on the same terms.

How to exercise your rights

Email hello@getstack.run with your request. We respond within 30 days (GDPR) or 45 days (CCPA). For account-data deletion, you can also delete your operator account from /account — this triggers immediate hard-delete of personal data, with audit-log retention as required by law.

Data retention

  • Account data: until you delete your account.
  • Audit logs: tier-based (7 / 30 / 90 / 365 days); deleted with account.
  • Analytics events: 1 year (PostHog default), no link to your account.
  • Backups: 30 days rolling, then deleted.
  • Magic-link tokens: 15 minutes, single-use.

International transfers

Primary infrastructure is in the EU (Frankfurt). Some subprocessors (Resend, Twilio, OpenRouter) are US-based; transfers are governed by Standard Contractual Clauses. Identity-claim PII never leaves the EU (encrypted at rest with AWS KMS in eu-north-1).

Security

  • All data in transit: TLS 1.2+
  • Credentials at rest: AWS KMS envelope encryption (eu-north-1)
  • Passport tokens: EdDSA signed, sub-60-second revocation propagation
  • PII never embedded in JWTs — opaque claim references only
  • Audit log: append-only, hash-chained, tamper-evident

Children

STACK is a developer infrastructure product not directed at children. We do not knowingly collect personal data from anyone under 16 (EU/UK/EEA) or 13 (US, per COPPA). If you believe a child has provided us with personal data, contact hello@getstack.run and we'll delete it.

Automated decision-making

STACK does not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. The behavioural detectors (prompt-injection, scope-drift, etc.) operate on agent activity, not on the human operator's personal data, and their output is signals for your own review — never automated denial of service, account closure, or pricing decisions.

Updates

When this policy changes materially, we'll update the date at the top and notify active operators by email at least 14 days before changes take effect. Minor edits (typos, link updates) happen without notice. We review this policy at least annually.

Contact

Privacy questions, complaints, or rights requests: hello@getstack.run. We're the data controller for the personal data described above. Postal address available on request.

stack | Privacy