Privacy policy.
This policy covers stackon.ai, the Stackon web dashboard, the Mobile companion app, and the Stackon MCP server and CLI. We try to write it in plain English. If something doesn’t answer your question, email privacy@stackon.ai.
Effective 2026-05-11
What we collect
When you create an account we collect your name, email, and any avatar / profile fields you choose to add. If you sign in with GitHub we receive your account email and OAuth user ID from GitHub — nothing else.
When you use the product we store everything you create on the workspace you create it in: traces, spans, agent runs, missions, canvases, evals, knowledge sources, comments, postmortems, audit log entries, budgets, and the LLM inputs / outputs captured in spans. Span content may include code, file paths, repository names, and any other context you pass to an agent. We treat this as your data — it stays scoped to your team.
If you pair the Mobile app we store a device identifier, the device’s push token from Apple Push Notification service or Firebase Cloud Messaging, the platform (iOS / Android), and the last time the device contacted us. We do not collect location, contacts, microphone, camera, or any other on-device sensor data.
How we use it
To run the product you signed up for: authenticate you, sync your traces and missions, send push notifications when an approval is queued or a budget is breached, send transactional email (sign-in links, team invites, waitlist confirmation), and bill you when paid plans are active.
To debug and improve the product: we keep server logs of API requests for up to 30 days. Logs include timestamps, IP address, user-agent, request path, response status, and an opaque request ID. Logs are scoped to operational use — we don’t mine them for analytics.
Who we share it with
We use a small number of sub-processors to operate the service. We share only the data that each sub-processor needs to do its job.
- Supabase: Hosts our Postgres database, authentication, real-time events, and file storage. All workspace data lives here.
- Vercel: Hosts the web dashboard and the public API.
- Anthropic: Powers agent runs, evals, postmortems, and adversarial sweeps. The prompts and tool outputs you generate are sent to Anthropic to produce model responses. If you use Bring-Your-Own-Key, your requests bypass our account entirely.
- OpenAI: Generates embeddings for Knowledge, transcribes audio for the Voice cloud fallback, and renders marketing imagery. We do not send your span content to OpenAI for analysis.
- Resend: Sends transactional email — magic links, team invites, waitlist confirmations.
- Expo: Routes push notifications to Apple Push Notification service and Firebase Cloud Messaging. Push payloads contain identifiers only — never message bodies.
- GitHub: OAuth identity provider. We receive only your account email and GitHub user ID.
- Stripe: Future. Will process payments when paid plans launch. Card numbers never touch our servers.
Security
All connections are TLS. Row-level security in Postgres enforces team-scoping at the database layer. Bring-Your-Own-Key model credentials and webhook signing secrets are encrypted at rest with AES-256-GCM using a master key that the application server holds. We do not retain decrypted secrets in any log, cache, or backup.
Found a security issue? Email security@stackon.ai. We respond within one business day and credit responsible disclosure.
Your rights
You can export your workspace data, request deletion of your account, or opt out of non-essential email by replying to any team email or writing to privacy@stackon.ai. Deletion is processed within 30 days and removes your account, profile, and any traces / canvases / data you own. Aggregated billing records may be retained for tax and audit purposes.
If you are in the EU, UK, or California you have additional rights under GDPR / UK GDPR / CCPA — access, correction, portability, restriction of processing, and objection. We honor all of these. Same address.
Children
Stackon is not intended for children under 13 (or 16 in the EU). We do not knowingly collect data from anyone in that range. If we learn we have, we delete it.
Changes
When we materially change this policy we update the “Effective” date at the top and email anyone with an active account. Continued use after a change means you accept the new policy.
Contact
privacy@stackon.ai — privacy questions, deletion requests, GDPR / CCPA requests.
security@stackon.ai — responsible disclosure.