Privacy Policy
Last updated: June 25, 2026
1. Who We Are
StackVault ("we", "us", "our") is operated by Nexmend. This policy explains what data we collect, how we use it, and your rights under GDPR and applicable privacy laws.
Contact: [email protected]
2. Data We Collect
- Account data: name, email address, hashed password
- Workspace data: team name, client names/emails, asset details, renewal dates, prices you enter
- Usage data: pages visited, actions taken (stored in activity logs)
- Payment data: we do not store card numbers — payments are processed by LemonSqueezy. We store the order ID only.
- Technical data: IP address (for rate limiting), browser type via logs
3. How We Use Your Data
- To provide and operate the Service
- To send renewal reminder emails you have configured
- To send weekly digest emails (if enabled)
- To verify your email address
- To process Pro plan payments via LemonSqueezy
- To prevent spam and abuse (rate limiting)
- To comply with legal obligations
Legal basis (GDPR Art. 6): contractual necessity (Art. 6(1)(b)) for core features; legitimate interest (Art. 6(1)(f)) for security.
4. Data Sharing
We do not sell your data. We share data only with:
- LemonSqueezy — payment processing (Pro plan). Their privacy policy applies.
- Email service provider — for sending transactional emails (renewal reminders, verification). Only your email address is shared.
- Infrastructure providers — hosting and database services. Data is processed under data processing agreements.
5. Cookies
We use strictly necessary cookies only:
- Session cookie — keeps you logged in (expires when browser closes or after 2 hours of inactivity)
- CSRF token — security, prevents cross-site request forgery
- Theme preference — stores your dark/light mode choice in localStorage (not a cookie)
We do not use tracking, analytics, or advertising cookies.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account, all personal data and workspace content are deleted within 30 days. Activity logs are purged after 90 days regardless.
7. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access — download all your data via Billing → Export my data
- Rectification — update your name/email in Profile settings
- Erasure — delete your account from Billing → Delete my account
- Portability — your export is provided in JSON format
- Object — contact us to object to specific processing
- Withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any right, email [email protected]. We will respond within 30 days.
8. Security
We protect your data using HTTPS encryption in transit, bcrypt password hashing, CSRF protection, rate limiting on authentication, and signed URLs for one-click renewals. No system is 100% secure — please report vulnerabilities to our email above.
9. Children
The Service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has registered, contact us immediately.
10. Changes to This Policy
We may update this policy. We will notify users of material changes by email and update the "Last updated" date above. Continued use constitutes acceptance.