Welcome to Stacks ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial literacy platform at makestacks.io (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

1. Information We Collect

1.1 Information You Provide to Us

Account Information:

• Email address
• Password (encrypted and hashed)
• Username (optional)
• Account preferences

Financial Data You Choose to Enter:

• Budget information (income, expenses, savings goals)
• Debt paydown calculations
• Savings projections
• Spending audit data
• Educational progress

1.2 Information Automatically Collected

Usage Data:

• Pages visited
• Features used
• Time spent on Service
• Browser type and version
• Device information
• IP address (anonymized)

Cookies and Tracking:

• Session cookies (required for functionality)
• Analytics cookies (optional, can be disabled)
• We do NOT use third-party advertising cookies

2. How We Use Your Information

We use your information to:

2.1 Provide and Maintain the Service

• Create and manage your account
• Save your budget and financial planning data
• Track your progress and achievements
• Provide personalized recommendations

2.2 Improve Our Service

• Analyze usage patterns to improve features
• Identify and fix technical issues
• Develop new tools and educational content

2.3 Communicate with You

• Send service-related emails (account verification, password resets)
• Notify you of important changes or updates
• Respond to your inquiries and support requests
• Send educational content (if you opt in)

3. Data Storage and Security

3.1 Where Your Data is Stored

Your data is stored securely using:

• Supabase (database hosting) - SOC 2 Type II certified
• Vercel (application hosting) - Enterprise-grade security
• Servers located in the United States

3.2 Security Measures

We implement industry-standard security practices:

• Encryption in Transit: All data transmitted using TLS 1.3 (HTTPS)
• Encryption at Rest: Database encryption using AES-256
• Password Security: Passwords hashed using bcrypt with salt
• Access Controls: Role-based access, principle of least privilege
• Regular Backups: Daily automated backups with 30-day retention
• Security Monitoring: 24/7 automated threat detection

3.3 Data Retention

• Active Accounts: Data retained as long as your account is active
• Inactive Accounts: Data retained for 2 years of inactivity, then deleted
• Deleted Accounts: Data permanently deleted within 30 days of account deletion
• Backups: Backup retention for 30 days for disaster recovery

4. Data Sharing and Disclosure

4.1 We Share Your Information Only In These Limited Cases:

Service Providers:

• Supabase (database hosting)
• Vercel (web hosting)
• Stripe (payment processing for Premium subscriptions)
• Email service providers (transactional emails only)

All service providers are bound by strict data protection agreements.

Legal Requirements:

We may disclose your information if required by law:

• To comply with legal obligations or court orders
• To protect our rights, property, or safety
• To investigate fraud or security issues
• In connection with a merger or acquisition (with notice to you)

4.2 We Do NOT Share Your Information:

• ❌ With advertisers or marketing companies
• ❌ With data brokers or third-party analytics
• ❌ For behavioral advertising purposes
• ❌ With social media platforms (unless you explicitly connect)

5. Affiliate Relationships and Third-Party Links

5.1 Affiliate Partners

Our "Take Action" page contains links to financial service providers (banks, brokerages, etc.). Some of these are affiliate links, meaning we may receive a commission if you sign up through our link at no additional cost to you.

5.2 Third-Party Websites

When you click on external links (including affiliate links), you leave our Service and are subject to the privacy policies of those third-party sites. We are not responsible for the privacy practices of external websites. Each financial institution has its own privacy policy — read their policies before signing up.

6. Your Privacy Rights

6.1 Access and Control

You have the right to:

Access Your Data:

• View all personal information we have about you
• Export your financial data at any time

Correct Your Data:

• Update your email, username, or preferences
• Edit or delete any financial data you've entered

Delete Your Data:

• Delete your account and all associated data
• Request complete data deletion (honored within 30 days)

6.2 How to Exercise Your Rights

In-App:

• Go to Settings → Account → Manage Data
• Go to Settings → Account → Delete Account

By Email:

• Contact us at privacy@makestacks.io
• We will respond within 30 days

6.3 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we don't sell)
• Right to deletion of personal information
• Right to non-discrimination for exercising your rights

California "Do Not Sell My Personal Information": We do not sell your personal information to third parties.

6.4 European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under GDPR:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

Legal Basis for Processing:

• Your consent (you create an account and enter data)
• Contractual necessity (to provide the Service)
• Legitimate interests (to improve and secure the Service)

International Data Transfers: Your data may be transferred to and processed in the United States. We use standard contractual clauses approved by the European Commission.

7. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@makestacks.io, and we will delete it immediately.

Age Requirement: You must be at least 13 years old to use Stacks.

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

Essential Cookies (Required):

• Session authentication (keeps you logged in)
• Security tokens
• Preference storage

Analytics Cookies (Optional):

• Anonymous usage statistics
• Feature usage tracking
• Error logging

We Do NOT Use:

• Advertising cookies
• Social media tracking pixels
• Third-party behavioral tracking

8.2 Your Cookie Choices

• Browser Settings: You can block cookies in your browser settings
• Opt-Out: Disable analytics in Settings → Privacy
• Note: Blocking essential cookies may prevent you from using the Service

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date at the top
• Sending an email notification for material changes (if you have an account)

Your Continued Use: By continuing to use the Service after changes take effect, you accept the updated Privacy Policy.

Review Regularly: We encourage you to review this Privacy Policy periodically.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

For Data Protection Inquiries:

If you have concerns about how we handle your data, you may also contact your local data protection authority (for EEA residents) or the California Attorney General's Office (for California residents).