This Privacy Policy explains how unstackd.io (“we,” “us,” “Operator”) collects and processes personal data through Stacktube (the “Service”). For users in the European Economic Area and the United Kingdom, unstackd.io is the “controller” of your personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR. For California residents, we are the “business” under the California Consumer Privacy Act as amended by the CPRA (“CCPA”). You can reach our privacy contact at drowsynaru@gmail.com.
We collect the following categories of personal data:
We process personal data for the following purposes, relying on the legal bases indicated:
We do not use your personal data, analyses, or content for automated decision-making or profiling that produces legal or similarly significant effects.
We retain your account and usage data for as long as your account is active. When you delete your account, we erase all personal data and analysis records tied to your account within 30 days of the request, except where retention is required by law (for example, tax records or anti-fraud logs required by Paddle). Access logs are retained for up to 90 days for security purposes.
We do not sell your personal data. We share personal data with the following processors strictly to operate the Service:
| Processor | Country | Purpose | Transfer Safeguard |
|---|---|---|---|
| Supabase Inc. | United States | Authentication and database | Standard Contractual Clauses (EU/UK); SOC 2 Type II |
| Google LLC | United States | Gemini API (video analysis) | Standard Contractual Clauses (EU/UK); Data Processing Agreement |
| Anthropic PBC | United States | Claude API (note generation) | Standard Contractual Clauses (EU/UK); TLS in transit |
| Paddle.com Market Ltd. | United Kingdom | Payment (Merchant of Record) | UK adequacy (EU); PCI DSS |
| Resend Inc. | United States | Transactional email delivery | Standard Contractual Clauses (EU/UK); SPF/DKIM |
| Railway Corp. | United States | Application hosting | Standard Contractual Clauses (EU/UK); TLS |
Where personal data of EU/EEA or UK residents is transferred to a country that has not been recognized as providing adequate protection, we rely on the European Commission’s Standard Contractual Clauses (2021/914) and, for the UK, the UK International Data Transfer Addendum or IDTA, with appropriate supplementary measures. You may request a copy of the transfer safeguards by contacting us.
If you are in the EU/EEA or the UK (GDPR / UK GDPR), you have the right to: (a) access your personal data, (b) rectify inaccurate data, (c) erase your data (“right to be forgotten”), (d) restrict processing, (e) data portability, (f) object to processing based on legitimate interests, and (g) withdraw consent at any time where processing is based on consent. You also have the right to lodge a complaint with your local Data Protection Authority (DPA) or the UK Information Commissioner’s Office (ICO).
If you are a California resident (CCPA / CPRA), you have the right to: (a) know what personal information we collect and how it is used and disclosed, (b) access and receive a copy of your personal information, (c) correct inaccurate personal information, (d) delete your personal information, (e) limit use and disclosure of sensitive personal information, (f) opt out of the “sale” or “sharing” of personal information, and (g) non-discrimination for exercising your rights. We do not “sell” or “share” personal information as those terms are defined under the CCPA, and we do not use or disclose sensitive personal information for purposes that require a right-to-limit notice. You may submit a verifiable consumer request by emailing drowsynaru@gmail.com; we may need to verify your identity before responding.
We respond to verified requests within 30 days (GDPR/UK GDPR) or 45 days (CCPA), with one extension permitted where the request is complex. To exercise any of the rights above, email drowsynaru@gmail.com. An authorized agent may submit requests on your behalf with written authorization.
We use a minimal set of cookies:
sb-access-token, sb-refresh-token) keep you signed in. These cannot be disabled; blocking them breaks login.G-XSS2LYYVJP) is loaded to measure aggregate traffic. Where required by law we will show a consent banner before loading analytics; you can also block analytics in your browser.We do not use advertising cookies or third-party marketing trackers.
We apply reasonable and appropriate technical and organizational measures to protect personal data, including: HTTPS/TLS in transit, AES-256-GCM encryption at rest for OAuth tokens and BYOK keys, Supabase Row-Level Security (RLS) for cross-user isolation, password hashing via Supabase Auth, least-privilege access to production systems, and logging with anomaly review. No method of transmission or storage is perfectly secure; if a breach affecting your personal data occurs, we will notify you and the relevant authorities within the timeframes required by law (72 hours for GDPR and UK GDPR notifications to supervisory authorities).
The Service is not directed to children under the age of 13 (or 16 in the EU/EEA / UK, where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email drowsynaru@gmail.com and we will delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-product notice before the change takes effect. Your continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.
For privacy questions, data subject requests, or any concern about how we handle your personal data, contact us at drowsynaru@gmail.com. We do not currently have an EU or UK representative; if we appoint one in the future, their details will be listed here.
Effective date: April 22, 2026