Privacy Policy

StackSpeed is operated as a sole trader. Our contact address for data-related enquiries is hello@stackspeed.dev.

We are the data controller for personal data collected through this service.

Account information (via OAuth):

• Email address
• Name or display name (if provided by your OAuth provider)
• Profile avatar URL (if provided by your OAuth provider)
• OAuth provider identifier (e.g., your GitHub or Google user ID)

We support sign-in via Google, GitHub, Microsoft (Azure AD / Outlook), and Meta. We do not store your OAuth access tokens beyond the session. Authentication is managed exclusively by Supabase Auth.

Usage data:

• Plugin stacks you build in the simulator (saved stacks, for paid users)
• Pages visited, features used, and actions performed within the application
• Browser type, operating system, and approximate geographic region (via IP address)
• Referring URLs and session duration

Payment information:

Payments are processed by Stripe, Inc. We never receive or store your full card number, CVV, or bank account details. Stripe handles all payment card data under PCI DSS compliance. We receive only a Stripe customer ID and subscription status from Stripe.

Communications:

• Emails you send to hello@stackspeed.dev
• Support or feedback submissions via any in-product form

Cookies and similar technologies:

We use cookies for authentication session management, analytics, and preferences. See our Cookie Policy for full details.

We use personal data for the following purposes:

• Providing the service: authenticating you, saving your stacks, and delivering the features you use.
• Analytics: understanding how the product is used so we can improve it. Analytics are collected via Google Analytics 4 through Google Tag Manager. We do not use this data for advertising.
• Billing and subscriptions: processing payments, managing your subscription tier, and sending invoices or billing notifications via Stripe.
• Communications: responding to support requests or questions you send us.
• Security: detecting and preventing fraud, abuse, and unauthorised access.
• Legal compliance: meeting our legal obligations under applicable law.

We do not use your personal data for advertising, nor do we sell it to any third party.

For users in the European Economic Area (EEA) and the United Kingdom, we process your data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): processing necessary to deliver the service you signed up for — account management, stack saving, and billing.
• Legitimate interests (Art. 6(1)(f) GDPR): analytics and product improvement, security monitoring, and fraud prevention, where these interests are not overridden by your rights.
• Consent (Art. 6(1)(a) GDPR): analytics cookies, where applicable. You may withdraw consent at any time via your browser settings or by contacting us.
• Legal obligation (Art. 6(1)(c) GDPR): where we are required to retain or disclose data by law.

We share data with the following third-party service providers only to the extent necessary to deliver the service:

• Supabase, Inc. — database and authentication infrastructure. Your account data and saved stacks are stored in Supabase's PostgreSQL database. Supabase may process data in the US and EU. Supabase Privacy Policy
• Stripe, Inc. — payment processing. Stripe processes billing information under their own privacy policy and PCI DSS compliance. Stripe Privacy Policy
• Vercel, Inc. — hosting and content delivery. Your requests are routed through Vercel's infrastructure, which may process IP addresses and request metadata. Vercel operates data centres in the US and EU. Vercel Privacy Policy
• Google LLC — analytics via Google Analytics 4, deployed through Google Tag Manager. Analytics data (page views, session data, device/browser info) is transmitted to Google's servers. IP anonymisation is enabled. Google Privacy Policy
• OAuth providers — Google, GitHub (Microsoft), Microsoft Azure AD, and Meta, for authentication only. We receive only the identity information listed in Section 2.

We do not share your data with any other third parties except as required by law or to protect the rights, property, or safety of StackSpeed, our users, or the public.

StackSpeed is based in the United Kingdom. Our service providers (Supabase, Stripe, Vercel, Google) may process data in the United States and other countries. Where we transfer personal data outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms as required by applicable data protection law.

We retain your personal data for as long as your account is active or as needed to provide the service.

• Account data: retained for the lifetime of your account. Deleted within 30 days of account closure upon request.
• Usage and analytics data: aggregated analytics data retained for up to 26 months (Google Analytics default). Raw logs are retained for up to 90 days.
• Payment records: retained for 7 years for legal and tax compliance purposes, even after account closure.
• Support correspondence: retained for 2 years after resolution.

You may request deletion of your account and associated data at any time by contacting hello@stackspeed.dev.

We take reasonable technical and organisational measures to protect your personal data, including:

• Row-level security (RLS) enforced at the database layer via Supabase
• HTTPS encryption for all data in transit
• No storage of passwords — authentication handled exclusively via OAuth or Supabase Auth
• No storage of payment card data — all handled by Stripe
• Access to production data limited to authorised personnel only

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

If you are located in the United Kingdom or European Economic Area, you have the following rights under data protection law:

• Right of access: you can request a copy of the personal data we hold about you.
• Right to rectification: you can request correction of inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): you can request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: you can request your data in a structured, machine-readable format.
• Right to object: you can object to processing based on legitimate interests, including analytics.
• Right to restrict processing: you can request we limit how we use your data in certain circumstances.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email hello@stackspeed.dev. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know: you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties we share it with.
• Right to delete: you have the right to request deletion of personal information we have collected, subject to certain exceptions.
• Right to opt out of sale: we do not sell your personal information. You do not need to opt out.
• Right to non-discrimination: we will not discriminate against you for exercising any CCPA rights.

To exercise your CCPA rights, contact us at hello@stackspeed.dev.

StackSpeed is not directed to children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@stackspeed.dev and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. For significant changes, we may notify you by email or via an in-product notice. Continued use of the service after changes constitutes your acceptance of the updated policy.

For any questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact: