Privacy Policy
Last updated: February 24, 2026
1. Introduction
StackTidy ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our SaaS subscription detection and management service at stacktidy.com (the "Service").
The data controller for the Service is:
- Company: Poverud IT
- Organization number: 933 572 781
- Registered address: Norway
By using our Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, and password when you create an account.
- Subscription Data: Information about your SaaS subscriptions that you manually enter or import.
- Payment Information: Billing details processed securely through our payment provider (Stripe). We do not store your full card details.
- Communications: Information you provide when contacting support or using the AI chat assistant.
2.2 Information Collected Automatically
- Usage Data: How you interact with our Service, features used, and actions taken. We maintain an activity log to provide features like team activity feeds.
- Device Information: Browser type, operating system, and device identifiers.
- Log Data: IP address, access times, and pages viewed.
2.3 Email Import Data
If you choose to forward subscription emails to your unique StackTidy address, or connect your Outlook account, we process emails matching subscription-related keywords such as receipts, invoices, renewals, payments, and trial notifications. Here is what that means in practice:
- What we receive: Emails you forward to your unique StackTidy address, or emails matching subscription patterns from a connected Outlook account.
- What we process: Email content matching subscription patterns is temporarily sent to our AI provider (OpenAI) to extract subscription details such as the app name, cost, billing cycle, and renewal date.
- What we store: Email subject line, sender address, date, and the extracted subscription data. We do not store the email body itself.
- What may be included: Because we use keyword-based filtering (e.g., "receipt", "invoice", "payment"), some personal purchase emails (such as Amazon or Apple receipts) may be processed if they match these patterns. We do not target personal correspondence.
- Revocable: You can stop forwarding emails or disconnect your Outlook account at any time from Settings, which stops all scanning immediately.
2.4 Bank Statement Data
If you upload a bank statement CSV, we process transaction descriptions to detect recurring subscription charges. We store matched transactions (date, description, amount) as subscription records. The raw bank statement file is not retained after processing.
2.5 AI Chat Data
If you use the AI chat assistant, your messages and the assistant's responses are stored to maintain conversation continuity. Chat history can be viewed in Home and is deleted when you delete your account.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Detect subscriptions from your email using AI-powered parsing
- Process transactions and send related information
- Send renewal reminders and notifications you have opted into
- Provide AI-powered features including overlap detection, chat assistance, and spend analysis
- Respond to your comments, questions, and support requests
- Detect, prevent, and address technical issues and fraud
- Comply with legal obligations
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your personal data:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contractual necessity (Art. 6(1)(b)) |
| Subscription detection from email | Explicit consent (Art. 6(1)(a)) — given when connecting email |
| AI processing (OpenAI) for email parsing | Explicit consent (Art. 6(1)(a)) |
| AI chat assistant | Contractual necessity (Art. 6(1)(b)) |
| Renewal reminders and notifications | Legitimate interest (Art. 6(1)(f)) |
| Payment processing | Contractual necessity (Art. 6(1)(b)) |
| Analytics cookies (PostHog) | Consent (Art. 6(1)(a)) — via cookie banner |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may object to processing based on legitimate interest at any time by contacting us.
5. Data Sharing and Disclosure
We do not sell your personal information. We share your information with the following categories of service providers to operate the Service:
- AI Processing (OpenAI): Email content and transaction data are sent to OpenAI for subscription detection, overlap analysis, and chat functionality. OpenAI processes this data according to their API data usage policy.
- Database Hosting (Supabase): Your account data, subscriptions, and related records are stored in Supabase-hosted databases.
- Application Hosting (Vercel): The Service is hosted on Vercel's infrastructure.
- Payment Processing (Stripe): Billing and payment information is handled by Stripe.
- Transactional Email (Resend): Email notifications and reminders are delivered via Resend.
- Rate Limiting (Upstash): Request metadata is processed by Upstash for abuse prevention.
- Team Members: With other members of your organization if you use our team features.
- Legal Requirements: If required by law or to protect our rights, safety, or property.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
A complete and up-to-date list of sub-processors is maintained at /subprocessors. We will notify you of any changes to our sub-processor list, giving you the opportunity to object before a new sub-processor begins processing your data.
6. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS)
- Application-level encryption (AES-256-GCM) for OAuth credentials and access tokens
- Infrastructure-level encryption at rest provided by our database and hosting providers
- Access controls and authentication requirements
- Secure data centers with industry-standard protections
However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. If you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required for legal or legitimate business purposes. Specific retention periods are as follows:
- Account data: Duration of account + 30 days after deletion
- Subscription records: Duration of account
- Email import metadata (subject, sender, date): Duration of account
- Email body content: Not stored — processed in memory only
- Chat history: Duration of account
- Activity logs: 90 days rolling
- Server logs: 30 days
- Backup data: 30 days after deletion
- Payment records: As required by law (typically 7 years for tax purposes)
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a portable format
- Objection: Object to certain processing of your data
- Withdrawal: Withdraw consent where processing is based on consent
To exercise these rights, contact us at legal@stacktidy.com. You can also export your data or delete your account directly from Settings.
For business customers, we offer a Data Processing Agreement (DPA). Contact legal@stacktidy.com or visit /dpa for details.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place for all international transfers in accordance with Chapter V of the GDPR (adequacy decisions under Article 45 and appropriate safeguards under Article 46):
- EU-US Data Privacy Framework: Where applicable, we rely on the EU-US Data Privacy Framework for transfers to certified US-based providers.
- Standard Contractual Clauses (SCCs): For transfers to US-based sub-processors not covered by the Data Privacy Framework, we have entered into Standard Contractual Clauses approved by the European Commission. This applies to our sub-processors including OpenAI, Vercel, Supabase (hosted on AWS us-east-1), Resend, and Upstash.
- Stripe: Stripe offers EU data residency, and payment data is processed within the EU where possible. For any transfers outside the EU, Stripe relies on SCCs and the Data Privacy Framework.
You may request a copy of the relevant transfer safeguards by contacting legal@stacktidy.com.
10. Children's Privacy
Our Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy, please contact us at:
Email: legal@stacktidy.com