Privacy Policy
Last updated: 27 April 2026
Effective: 27 April 2026
This Privacy Policy explains what data Stack Atlas (the "Service", accessed at stackatlas.app and operated by Daniel Spatari, "we", "us", "our") collects, why, how we use it, who we share it with, and what rights you have over it.
If you do not agree with this Privacy Policy, do not use the Service.
1. Who We Are
Stack Atlas is operated by Daniel Spatari, an independent operator based in Chișinău, Moldova. Contact: hello@stackatlas.app.
For privacy-specific inquiries (data access, deletion, GDPR/CCPA requests), use the same email and put "Privacy" in the subject line.
2. What We Collect
2.1 Picker submissions
When you complete the picker, we store:
- The seven business-shape dimensions you select (business type, phase, delivery shape, ticket point, team size, growth channel).
- The free-text "niche" you describe (a short string).
- The recommendation result generated for you (which tool was suggested per category).
- The timestamp of submission.
- A flag indicating whether you were signed in at the time.
If you submit anonymously, the row is not linked to any account. If you sign in later from the same result page, the row is linked to your account so you can see your past submissions.
2.2 Account data
If you sign in:
- Magic link: we store your email address and create a User record linked to that email. No password is ever set or stored.
- Google OAuth: we receive your email, name (if you've set one on your Google profile), and Google account ID. We do not receive your Google password, contacts, calendar, or any other Google data.
We never store passwords; authentication is done via short-lived tokens and HttpOnly session cookies.
2.3 Cookies and session data
We set one cookie:
- stack-atlas_session: a session token, HttpOnly, SameSite=Lax, expires after 30 days of inactivity. Used to keep you signed in. This is a strictly necessary cookie; the Service cannot function without it.
Magic-link tokens are stored server-side, not in cookies. They expire after 15 minutes and can only be used once.
We do not currently set analytics, advertising, fingerprinting, or third-party tracking cookies.
2.4 Server logs
Our hosting provider (Vercel) and database provider (Neon) maintain server-side logs that include:
- IP addresses (for routing and abuse mitigation).
- User-agent strings.
- Request timestamps and paths.
- Error traces.
These logs are retained per the providers' policies (typically 7-30 days). We may access them for debugging, security investigation, and abuse mitigation.
2.5 What we do NOT collect
- We do not buy data from third-party data brokers.
- We do not run advertising or marketing pixels.
- We do not collect biometric or health data.
- We do not collect children's data; the Service is for users 18 and over.
3. How We Use Your Data
We use what we collect to:
- Run the Service: generate your stack recommendation, render your result page, keep you signed in.
- Aggregate peer statistics: the picker submissions you and others make are aggregated, anonymized, and used to show "what N similar coaches chose" on result pages. This aggregation does not identify you personally.
- Communicate with you: send magic links to your email, send transactional confirmations (e.g., account deletion), respond to support requests.
- Improve the Service: analyze submission patterns to refine the recommender, identify low-coverage shapes, and prioritize new tools.
- Secure the Service: detect abuse, rate-limit malicious traffic, investigate incidents.
- Comply with law: respond to legal requests where required.
We do not use your data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects on you.
4. Lawful Bases (GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, our lawful bases for processing are:
- Contract performance: to deliver the Service you've requested (picker submissions, sign-in, recommendations).
- Legitimate interests: to operate, secure, and improve the Service. Where we rely on this, you have the right to object.
- Consent: for any processing that requires your explicit opt-in (e.g., future newsletter sign-ups). You can withdraw consent at any time.
- Legal obligation: to comply with applicable law.
5. Who We Share Data With
We share data only with the third-party processors required to operate the Service:
| Provider | What they receive | Why |
|---|---|---|
| Vercel | Hosting, edge functions, server logs | Runs the Service |
| Neon | All persisted application data | Database hosting |
| Resend | Your email address, magic link content | Sends magic-link emails |
| Google | OAuth flow data (only if you choose Google sign-in) | Authenticates you |
Each of these providers is contractually bound to protect your data and process it only for the stated purpose. Data may be processed outside your country (Vercel and Neon route through US infrastructure; Google is global). Where required, we rely on appropriate transfer mechanisms (e.g., Standard Contractual Clauses for EU-to-US transfers).
We do not sell your personal data and we do not share it with advertisers, marketers, or data brokers.
We may disclose data in response to a valid legal request (subpoena, court order) or to protect the rights, property, or safety of users or the public.
6. Data Retention
| Data | Retention |
|---|---|
| User account | Indefinite, until you request deletion |
| Picker submissions | Indefinite (feeds peer statistics); anonymized from your account on deletion |
| Magic-link tokens | 15 minutes, single-use, deleted on use |
| Session tokens | 30 days of inactivity, then deleted |
| Server logs | Per provider policy (typically 7-30 days) |
When you request account deletion, we delete your User record and unlink any submissions you made (the submissions remain in aggregate form, but are no longer associated with your identity).
7. Your Rights
7.1 GDPR rights (EEA, UK, Switzerland)
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to limits where we must retain data for legal or aggregated-statistics purposes.
- Restrict processing in certain circumstances.
- Port your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent for any consent-based processing.
- Lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, Garante in Italy).
To exercise any of the above, email hello@stackatlas.app with "Privacy" in the subject line. We will respond within 30 days.
7.2 CCPA/CPRA rights (California residents)
You have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell.
- Delete your personal information, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of, but the right exists.
- Non-discrimination for exercising any of the above.
To exercise any of the above, email hello@stackatlas.app.
7.3 Other jurisdictions
If you are outside the EEA, UK, Switzerland, or California, you may still have data-protection rights under local law. Contact us and we will assess your request in good faith.
8. International Data Transfers
The Service is operated from Moldova, hosted on Vercel and Neon (US-based infrastructure), and uses Resend (US-based) and Google (global). Your data may therefore be transferred to and processed in countries outside your own, including the United States.
For transfers from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses or another approved transfer mechanism with each provider.
9. Security
We protect your data with reasonable technical and organizational measures, including:
- HTTPS encryption in transit for all traffic.
- Encryption at rest at the database layer (managed by Neon).
- HttpOnly, SameSite session cookies (prevents most XSS and CSRF token theft).
- Single-use, short-lived magic-link tokens (15 minutes).
- Role-based access in the admin panel.
- No password storage (passwordless auth eliminates a class of breach).
No system is perfectly secure. If we become aware of a breach affecting your data, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay.
10. Children
The Service is intended for users 18 and over. We do not knowingly collect data from children under 13 (US, COPPA) or under 16 (where applicable in the EU). If you believe we have inadvertently collected data from a child, contact us and we will delete it.
11. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. We do not currently run third-party tracking, so DNT has no practical effect on the Service. If we add analytics in the future, we will respect DNT signals.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. Material changes will be communicated via the Service or by email if you have an account. Continued use after the effective date means you accept the update.
13. Contact
For any privacy-related question, request, or complaint:
- Email: hello@stackatlas.app (subject line: "Privacy")
- Operator: Daniel Spatari, Chișinău, Moldova
We respond within 30 days, often sooner.