How we handle your data.

Stack collects the minimum data it needs to do its job. We do not sell your data. We do not share it with advertisers. If you don't link a bank account, we don't see your bank. Below is the long version. We tried to make it readable.

Where this document is in its lifecycle

This is the v1.0 · Closed Beta version of Stack's Privacy Policy. Material changes will be communicated to all users by email at least 14 days before they take effect. The next planned revision is at public launch in Q3 2026, when Stack opens to general signups.

The short version

Stack uses your financial data to track your spending, calculate your rewards, run the Optimizer, and answer your questions through Max. That's the whole list of what we do with it.

We do not sell your data. We do not share it with advertisers. We do not let third-party trackers run on Stack to harvest behavior. We do not use your transaction data to train models that get sold or shared.

If anything below is unclear, email privacy@usestack.app.

What we collect

When you join the waitlist

Your email address, the date and time you signed up, and your beta-interest preference (whether you opted into expanded beta testing). We use this to send the waitlist email series and, when launch happens, to invite you to the public trial.

When you create a Stack account

Account info. Email address and full name (required at signup). Phone number and annual income range (both optional, collected in Settings after signup; income range is captured as a band such as "$50–100k," not an exact figure). If you sign in with Apple or Google, we receive your email address and a unique identifier from that provider.
Authentication. Your password is hashed before storage. We never see your plaintext password.

When you use Stack

Cards you add. Card name, network (Visa, Mastercard, Amex, Discover), and any custom labels you give them. We do not store full credit card numbers.
Transactions. Either entered manually or fetched through Plaid if you choose to link a bank account. Transaction amount, merchant name, date, category, and which card was used.
Conversation history. Your messages to Max, our AI assistant, so we can maintain conversation context and improve responses.
Usage data. Which features you use, when, and basic device information (operating system, app version) to help us debug issues and prioritize improvements.

When you subscribe

Stripe handles your payment. We receive a unique customer ID and your subscription status from Stripe. We do not store your credit card number. Stripe is the system of record for your payment information; Stack receives only what we need to confirm an active subscription.

Plaid integration

If you choose to link a bank account, Plaid Inc. handles the secure connection between Stack and your bank. Plaid receives your bank login credentials directly. Those credentials do not pass through Stack's servers. Plaid then provides Stack with bank account balances, transaction history, and account types from the accounts you explicitly connect.

Plaid is the same connection layer used by Venmo, Robinhood, Coinbase, and most major fintech apps in the US. You can use Stack fully without ever linking a bank. Manual transaction entry is supported for everything that requires transaction data.

How we use it

Your data powers Stack's core features:

Showing your spending, balances, and net worth
Recommending which card to use for each purchase (the Optimizer)
Personalizing budget recommendations and Missed Rewards calculations
Powering Max's responses to your questions
Tracking your bonus category caps so we can alert you before you max one out
Sending product updates and service emails
Managing your subscription and processing refunds when you request them

That's the complete list. We do not sell your data. We do not share it with advertisers. We do not let third-party trackers run on Stack to harvest behavior for ad networks. We do not use your transaction data to train AI models that get sold or shared with anyone else. We do not have an "and our partners" clause.

Third parties we work with

Stack relies on a small set of third-party service providers to deliver the product. Each operates under a standard data processing agreement with Stack and has their own privacy policy that governs their handling of your data.

Plaid

Connects to your bank accounts (only if you choose to link one) to fetch transactions and balances. Plaid's own privacy policy governs the bank connection itself.

OpenAI

Powers Max, our conversational AI assistant. Your Max conversations are processed by OpenAI to generate responses. Under our agreement, OpenAI does not use Stack user data to train their general models.

Supabase

Hosts our database and authentication infrastructure. Your account data and transaction records live in Supabase-managed PostgreSQL with row-level security and encryption at rest.

Stripe

Processes subscription payments. Stripe holds your payment information; Stack receives only customer ID and subscription status.

Resend

Sends product emails (waitlist updates, trial reminders, refund confirmations, transactional notifications).

Cloudflare

Provides hosting, DNS, and email routing for the usestack.app website and waitlist infrastructure. Standard CDN-level processing.

Plausible

Privacy-respecting website analytics. Does not use cookies. Does not identify individual users. Tracks aggregate visit and conversion data only.

We do not engage advertising platforms. No Meta Pixel, no Google Ads, no programmatic networks, no behavioral tracking pixels. The list above is the full set of third parties that touch your data.

Your rights

You can:

Access your data. Most of it is visible throughout the Stack app. For a complete data export, email privacy@usestack.app. We respond within 30 days, typically much faster.
Delete your account. Settings → Account → Delete account. This permanently removes your data on the timeline described below.
Update your information. Settings → Account.
Revoke bank-link access. Settings → Connected Accounts → Disconnect. We immediately stop receiving new transactions from that bank.
Withdraw email consent. Every email we send has an unsubscribe link. Transactional emails (refund confirmations, security notices) cannot be unsubscribed from while you have an active account.

If you're a California resident

You have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what we collect, the right to delete, the right to correct, and the right to limit use of sensitive personal information. Email privacy@usestack.app to exercise any of these rights. We respond within 45 days as required by law.

If you're in the EU, UK, or EEA

You have specific rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing. Email privacy@usestack.app to exercise any of these rights. We respond within 30 days as required by law.

Data retention

When you delete your account

Profile data is removed immediately.
Plaid connections are revoked immediately, ending all new transaction syncing.
Transaction history, goals, and Max conversation history are deleted within 30 days.
Backup copies are purged within 90 days.
Limited records may be retained longer where legally required (tax records, fraud prevention, dispute resolution). These are retained only as long as legally required and never used for any other purpose.

If you stop using Stack without deleting

Your data remains until you delete the account. We may send periodic re-engagement emails (which you can unsubscribe from) but we do not actively process your transaction data while your account is inactive.

Security

We protect your data with:

HTTPS encryption for all data in transit between your device and Stack's servers.
Encryption at rest at the database storage layer (managed by Supabase).
Hashed passwords. We never store your plaintext password.
Plaid-managed credentials. Your bank login credentials never touch Stack's servers.
Regular security reviews of our infrastructure, dependencies, and access controls.

No system is perfectly secure, and we will not claim otherwise. If we ever experience a data security incident that affects your account, we commit to notifying you within 72 hours of confirming the incident, with the information we have at that time and what we're doing to address it.

Security researchers who discover vulnerabilities should email security@usestack.app. We respond within 48 hours and do not pursue legal action against good-faith security research.

Cookies and tracking

The usestack.app website uses Plausible for analytics, which does not use cookies and does not identify individual users. We do not run advertising trackers. We do not have a cookie banner because we do not need one. The Stack app does not use third-party trackers.

Children

Stack is not designed for users under 18 and we do not knowingly collect data from minors. If you believe a minor has provided data to Stack, email privacy@usestack.app and we will delete it.

Changes to this policy

If we update this policy, we'll notify all users by email at least 14 days before material changes take effect, and post the updated version with a new "Last updated" date and version number. Non-material changes (clarifications, formatting, typo fixes) may be made without separate notice.

Contact

Questions about privacy? Email privacy@usestack.app. A real person reads what you send, and a real person writes back.

For data access, deletion, correction, or other rights requests, please include the email address associated with your Stack account so we can verify your identity.

Stack Money, Inc.
A Delaware C-Corporation