Privacy Policy
Effective date: February 17, 2026. Last updated: February 17, 2026.
This Privacy Policy explains how AllStac ("AllStac", "we", "our", or "us") collects, uses, discloses, and protects personal information when you use our products, websites, and services (collectively, the "Service").
1. Information We Collect
We collect information necessary to provide and secure the Service, including:
- Account and profile details (name, email, role, organization membership).
- Billing and subscription metadata (plan, invoice/subscription status, payment references from Stripe).
- Service usage and telemetry data (logs, audit trails, feature interactions, error diagnostics).
- Content and workflow data you create or upload, including scheduled posts and analytics artifacts.
- Support and communications data you provide when contacting us.
2. How We Use Information
We process personal information to:
- Provide, operate, and improve the Service.
- Authenticate users, enforce permissions, and maintain security controls.
- Process subscription billing and support account lifecycle events.
- Monitor reliability, troubleshoot incidents, and prevent abuse.
- Meet legal, regulatory, and contractual obligations.
3. Legal Bases for Processing
Depending on your jurisdiction, we rely on legal bases that include contractual necessity, legitimate interests (service security and reliability), compliance obligations, and consent where required.
4. Sharing and Subprocessors
We do not sell personal information. We share data only with service providers required to operate the Service (for example, hosting, authentication, monitoring, and payment processing) and only under contractual safeguards.
5. Cookies, Consent, and Tracking
- We use essential authentication/session cookies required for secure sign-in and session continuity.
- Auth cookies are hardened with `HttpOnly`, `Secure` (production/HTTPS), and `SameSite=Lax` defaults.
- We do not use advertising cookies or third-party cross-site marketing trackers in the current production build.
- Operational telemetry (Sentry) and server-side product analytics events (PostHog) are environment-gated and used for reliability and product improvement.
- Cookie/consent disclosure verification is documented in docs/policies/cookie-consent-disclosure.md.
6. Data Retention and Deletion
We retain data according to business, security, and compliance requirements, then purge or anonymize data when retention windows expire, unless a legal hold applies. Canonical retention controls are documented in docs/policies/data-processing-and-retention-policy.md.
7. Security
We implement layered safeguards including access controls, encryption in transit, encryption at rest where applicable, audit logging, and monitoring workflows designed to detect and respond to suspicious activity.
8. Your Privacy Rights
Subject to local law, you may request access, correction, deletion, export, or restriction of your data. You may also object to certain processing and withdraw consent where processing is based on consent.
9. International Transfers
Where data is transferred across borders, we apply appropriate contractual and technical safeguards intended to protect personal information.
10. Children's Data
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material updates will be posted here with a revised effective date.
12. Contact
Privacy requests and questions can be sent to privacy@allstac.com.