Stack0

Privacy Policy

Last updated: February 9, 2026

This Privacy Policy describes how Stack0 Inc. ("Stack0", "we", "us", or "our") collects, uses, and protects information when you use our website at stack0.dev, our dashboard at app.stack0.dev, and our APIs (collectively, the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name, email address, and password (or OAuth identity via GitHub, Google, etc.)
  • Organization name and team member information
  • Profile details you choose to provide

1.2 Payment Information

Billing address and payment method details are collected and processed by our payment provider, Stripe. We do not store full credit card numbers, CVVs, or bank account details on our servers. We retain Stripe customer IDs, subscription status, invoicing history, and the last four digits of your payment method for display purposes.

1.3 Your Content

Data you upload, send, or process through our APIs, including:

  • Email API: Recipient addresses, subject lines, email bodies, attachments, and delivery metadata (open/click tracking events)
  • CDN & Storage: Files you upload (images, documents, videos, etc.) and associated metadata
  • AI Extraction: URLs you submit for extraction and the resulting structured data returned in API responses
  • Screenshots: URLs you submit for capture and the resulting images
  • AI Workflows: Workflow definitions, input data, intermediate step results, and output data
  • Integrations: OAuth tokens, API credentials, and data exchanged with third-party services on your behalf
  • Video: Video files you upload and transcoded derivatives (HLS segments, multiple bitrates)

1.4 Usage Data

We automatically collect:

  • API call logs: endpoint, method, response code, latency, timestamp, and request size
  • Dashboard activity: pages viewed, features used, and actions taken
  • Error logs and debugging information
  • Resource consumption: storage used, bandwidth consumed, emails sent, API calls made

1.5 Device and Access Information

When you access the dashboard or website, we collect:

  • IP address and approximate geolocation (country/region level)
  • Browser type, version, and operating system
  • Referring URL and pages visited on our site
  • Device type (desktop, mobile, tablet)

2. How We Use Your Information

  • Provide the Service: Process API calls, deliver emails, serve files, run workflows, execute extractions, render screenshots, transcode and stream video, and connect to third-party integrations
  • Billing and payments: Calculate usage, generate invoices, process charges, and send billing-related communications
  • Service operations: Monitor performance, detect errors, prevent abuse, enforce rate limits, and maintain infrastructure security
  • Communications: Send service-related notifications including outage alerts, security advisories, policy updates, and usage threshold warnings
  • Support: Respond to support requests and troubleshoot issues using API logs and account information
  • Product improvement: Analyze aggregated, anonymized usage patterns to improve features, performance, and reliability
  • Security: Detect and prevent fraud, abuse, unauthorized access, and other security threats
  • Legal compliance: Comply with legal obligations, enforce our Terms of Service, and protect our rights

3. How We Process Your Content

We process Your Content solely to provide the Service as described in our Terms of Service. Specifically:

  • We do not access, read, analyze, or use Your Content for advertising, profiling, or any purpose unrelated to providing the Service
  • We do not train AI or machine learning models on Your Content
  • We do not sell Your Content to third parties
  • Email content is transmitted to recipients and retained in logs based on your plan's retention period
  • Files stored on CDN are cached at edge locations to improve delivery performance
  • Extraction and screenshot results are returned in the API response and not stored by us unless you upload them to your CDN storage
  • AI Workflow data may be passed to third-party AI providers (OpenAI, Anthropic, etc.) as necessary to execute your workflow. These providers have their own data processing terms.
  • Integration credentials are encrypted at rest using AES-256 and used only to execute API calls you initiate

4. How We Share Your Information

We do not sell your personal information. We may share information with:

4.1 Service Providers (Sub-processors)

Third parties that help us operate the Service:

  • Amazon Web Services (AWS): Cloud infrastructure, compute, storage (S3), and content delivery
  • Stripe: Payment processing and billing
  • PostHog: Product analytics (anonymized usage data)
  • AI providers (OpenAI, Anthropic): AI model inference for Workflows and Extraction, only when you use these features

All sub-processors are bound by data processing agreements. We maintain a current list of sub-processors and will notify you of material changes.

4.2 Third-Party Integrations

When you connect third-party services (Salesforce, HubSpot, Slack, Google Drive, etc.) through our Integrations API, data is exchanged directly with those services according to the API calls you configure. We act as a conduit and do not retain integration data beyond what is needed for logging and debugging.

4.3 Legal Requirements

We may disclose information when required by law, subpoena, court order, or government request. Where permitted, we will notify you before disclosing your information. We may also disclose information to protect our rights, prevent fraud, or ensure the safety of our users.

4.4 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred. We will notify you via email and/or a prominent notice on our website of any change in ownership or use of your personal information.

5. Data Retention

  • Account information: Retained for as long as your account is active, plus 30 days after account deletion
  • API logs: Retained based on your plan's data retention period (7 days for free plans, 30-90 days for paid plans)
  • CDN files: Stored until you delete them or your account is terminated
  • Email delivery logs: Retained for up to 30 days, or longer based on your plan
  • Video content: Stored until you delete it or your account is terminated
  • Payment records: Retained for 7 years as required for tax and accounting purposes
  • Security and abuse logs: Retained for up to 12 months

Upon account termination, Your Content is deleted within 30 days. Backups containing your data are purged within 90 days. You may request data export or deletion at any time by contacting hello@stack0.dev.

6. Data Security

We implement security measures including:

  • Encryption in transit via TLS 1.2+ for all API calls and dashboard access
  • Encryption at rest using AES-256 for stored data, files, and credentials
  • API keys are hashed and never stored or displayed in full after creation
  • Integration OAuth tokens and API credentials are encrypted with per-organization keys
  • Role-based access controls within organizations
  • Network isolation and firewall rules for infrastructure components
  • Regular security audits and dependency vulnerability scanning
  • Logging and monitoring of access to production systems

No method of transmission or storage is 100% secure. If we become aware of a security breach affecting your data, we will notify you in accordance with applicable law and our incident response procedures.

7. Cookies and Tracking

7.1 Essential Cookies

Our dashboard at app.stack0.dev uses essential cookies for authentication, session management, and CSRF protection. These cookies are strictly necessary and cannot be disabled.

7.2 Analytics

We use PostHog for product analytics on our dashboard and website. This helps us understand how the Service is used and identify areas for improvement. Analytics data is aggregated and does not include Your Content.

7.3 What We Do Not Do

  • We do not use third-party advertising cookies or tracking pixels
  • We do not sell data to ad networks or data brokers
  • We do not participate in cross-site tracking
  • We do not use fingerprinting techniques

8. International Data Transfers

Our Service is primarily hosted on AWS in the United States (us-east-1). CDN files are distributed to edge locations globally for performance. If you access the Service from outside the United States, your data will be transferred to and processed in the US.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Our sub-processors maintain appropriate safeguards for international data transfers.

9. Your Rights

9.1 All Users

Regardless of location, you can:

  • Access and update your account information from the dashboard
  • Delete your account and associated data
  • Export your data (API logs, files, configuration) before account deletion
  • Revoke API keys at any time
  • Disconnect third-party integrations

9.2 European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to:

  • Access a copy of your personal data in a structured, machine-readable format
  • Rectify inaccurate personal data
  • Request erasure ("right to be forgotten")
  • Restrict or object to certain processing
  • Data portability
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local data protection authority

Our legal bases for processing are: (a) performance of a contract (providing the Service); (b) legitimate interests (security, fraud prevention, product improvement); and (c) compliance with legal obligations.

9.3 California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

In the past 12 months, we have collected the categories of information described in Section 1 for the purposes described in Section 2. We have not sold personal information.

9.4 Exercising Your Rights

To exercise any of these rights, contact us at hello@stack0.dev. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

10. Data Processing Agreement

If you process personal data of your own users through the Service (e.g., sending emails to your customers, storing their files), we act as a data processor on your behalf. You are the data controller. Our Terms of Service and this Privacy Policy constitute our data processing agreement for purposes of GDPR Article 28. Enterprise customers may request a separate, signed DPA by contacting hello@stack0.dev.

11. Children

The Service is designed for developers and businesses and is not intended for children under 16 (or under 13 in the US). We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at hello@stack0.dev.

12. Third-Party Links

Our website and documentation may contain links to third-party websites. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party services you connect through our Integrations API.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through a notice in the dashboard. The "Last updated" date at the top of this page will reflect the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.

14. Contact

Questions about this Privacy Policy or our data practices? Contact us at: