Pre-launch
Privacy Notice
Last updated: 29 May 2026
This draft Privacy Notice explains how Stackup (“we”, “us”) processes personal data when you use the Stackup website and product. Stackup is the data controller for the purposes of the UK GDPR and the Data Protection Act 2018.
1. Who we are
Stackup is a trading name of [Company Name Ltd], registered in England and Wales (company no. [TBD]), with its registered office at [Address]. Our Data Protection contact is privacy@stackup.app. You can complain to the Information Commissioner’s Office (ico.org.uk) at any time, though we’d appreciate the chance to fix things first.
2. Data we collect
Account data (email, hashed password, 2FA secret), Open Banking data retrieved with your consent via TrueLayer (transactions, balances, merchant identifiers — never card numbers), and product analytics (page views, feature usage). We do not collect special-category data.
3. Why we process it
Lawful bases: (a) performance of contract — to deliver the Stackup service; (b) legitimate interests — to detect fraud, debug the product, and improve detection quality; (c) consent — for optional marketing emails and non-essential cookies; (d) legal obligation — for accounting and tax records.
4. AI processing
Transaction metadata is sent to Anthropic’s Claude API to categorise spending and draft recommendations. We send only merchant-level summaries, never your name, email, or bank identifiers. Anthropic processes this on our behalf as a sub-processor under a data processing agreement; we do not allow them to train models on your data.
5. Sharing
We share data with named sub-processors only: TrueLayer (Open Banking), Supabase (database hosting, EU region), Vercel (web hosting), Anthropic (AI categorisation), Resend (transactional email), Stripe (payments), Sentry (error tracking, PII-scrubbed), and PostHog EU (analytics). The current list lives at /legal/sub-processors.
6. International transfers
Where data leaves the UK/EEA we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, with additional safeguards documented in our Transfer Impact Assessment.
7. Retention
Account data: while your account is active, plus 6 years for accounting purposes. Open Banking data: refreshed every 24 hours; historical transactions retained 24 months unless you delete your account earlier. Backups purge within 30 days of deletion.
8. Your rights
Under UK GDPR you have rights of access, rectification, erasure, portability, restriction, objection, and the right not to be subject to solely automated decisions with legal effects. Stackup recommendations are not solely automated — you decide whether to act. Use Settings → Data & Privacy to export or delete your data.
9. Security
Hosted in EU regions. TLS 1.2+ in transit, AES-256 at rest, secrets in encrypted KMS. 2FA required for bank-connection actions. Annual third-party penetration test. Incident response targets: detect within 24 hours, notify the ICO within 72 hours where required.
10. Cookies
See our Cookie Policy at /legal/cookies.
11. Changes
Material changes are emailed to you at least 14 days before they take effect. Continued use after that date counts as acceptance.