Privacy Policy
Effective Date: January 31, 2026
StackAI ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our synthetic data generation platform and API (the "Service").
We are based in Ontario, Canada and operate under Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA). We also comply with applicable international privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
By using the Service, you consent to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, name, password (hashed), and organization name
- Payment Information: Billing details processed through Stripe (we do not store full card numbers)
- Job Configurations: Domain specifications, constraints, and parameters you provide for data generation
- Communications: Support requests, feedback, and correspondence with us
1.2 Information Collected Automatically
- Usage Data: API requests, job IDs, timestamps, record counts, and schema types
- Technical Data: IP address, browser type, device information, and operating system
- Log Data: Server logs including access times, errors, and API endpoints accessed
1.3 Information We Do Not Collect
- We do not collect sensitive personal data (racial origin, political opinions, religious beliefs, health data, etc.)
- We do not use tracking cookies or third-party analytics that follow you across websites
- Generated Data under Private License is not accessed, analyzed, or used by us
2. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Send service notifications (job completion, account updates) | Contract performance |
| Respond to support requests | Contract performance |
| Prevent fraud and enforce our Terms | Legitimate interest |
| Improve and develop the Service | Legitimate interest |
| Send marketing communications (with consent) | Consent |
| Comply with legal obligations | Legal obligation |
3. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
3.1 Service Providers
We use trusted third-party service providers who process data on our behalf:
- Amazon Web Services (AWS): Cloud hosting and storage (Canada region)
- Stripe: Payment processing
- OpenAI / Anthropic: AI model providers for data generation
These providers are contractually obligated to protect your information and use it only for the services they provide to us.
3.2 AI Model Provider Data Handling
When you submit generation requests, the following data is sent to AI model providers:
- Domain specification and constraints you provide
- Generation parameters (schema type, count, formatting)
Important: We do not send your personal information, account details, or identifying information to AI providers. Prompts are constructed from your generation parameters only. AI providers process requests under their enterprise data processing agreements, which prohibit using your data to train their models.
3.2 Legal Requirements
We may disclose information if required by law or in response to valid legal processes, such as court orders or government requests.
3.3 Business Transfers
In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
3.4 With Your Consent
We may share information with your explicit consent for purposes not covered by this Policy.
4. International Data Transfers
Our primary infrastructure is located in Canada (AWS ca-central-1). However, some data processing may occur in the United States through our service providers (Stripe, OpenAI, Anthropic).
For EU/EEA Users: When we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
Canada has been recognized by the European Commission as providing adequate data protection, which facilitates lawful transfers of personal data from the EU to Canada.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Generated Data (Private License) | 90 days (configurable) |
| Generated Data (Platform Cache) | Up to 2 years |
| Generated Data (Marketplace) | Until removed from marketplace |
| Job metadata (IDs, counts, timestamps) | 3 years for audit purposes |
| Payment records | 7 years (legal requirement) |
| Server logs | 90 days |
6. Your Privacy Rights
Depending on your location, you may have the following rights:
6.1 All Users (PIPEDA)
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Withdrawal of Consent: Withdraw consent for optional processing
6.2 EU/EEA Users (GDPR)
In addition to the above, you have the right to:
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests
- Lodge a Complaint: File a complaint with your local data protection authority
6.3 California Users (CCPA)
California residents have the right to:
- Know: What personal information we collect and how it's used
- Delete: Request deletion of your personal information
- Non-Discrimination: Not be discriminated against for exercising your rights
- Opt-Out of Sale: We do not sell personal information, so this right does not apply
To exercise your rights, contact us at privacy@stackai.app. We will respond within 30 days (or sooner if required by law).
7. Security Measures
We implement industry-standard security measures to protect your information:
- Encryption in Transit: All data transmitted via TLS 1.2+
- Encryption at Rest: Stored data encrypted using AES-256
- Access Controls: Role-based access with principle of least privilege
- Password Security: Passwords hashed using bcrypt with salt
- API Key Security: Keys hashed; only prefixes stored for identification
- Infrastructure Security: AWS security best practices, WAF, DDoS protection
- Monitoring: Security logging and anomaly detection
While we strive to protect your information, no system is completely secure. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.
8. Cookies and Tracking Technologies
We use minimal cookies necessary for the Service to function:
| Cookie | Purpose | Type |
|---|---|---|
| Session token | Authentication and session management | Essential |
| CSRF token | Security protection against cross-site attacks | Essential |
We do not use:
- Third-party tracking cookies
- Advertising cookies
- Social media tracking pixels
- Cross-site analytics that follow you elsewhere
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@stackai.app, and we will delete it.
10. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Policy on our website with a new effective date
- Sending an email notification to registered users
- Displaying a notice in the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.
12. Contact Us
For privacy-related questions, requests, or complaints, contact us at:
For EU Users: If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
For Canadian Users: You may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.