Privacy Policy
Effective date: April 20, 2026 · Last updated: April 24, 2026
1. Who we are
Stacktower is operated by Matthias Huels, a sole proprietor doing business as “Stacktower” (“Stacktower”, “we”, “us”, or “our”). We are the data controller for personal data processed through our dependency-visualization platform at app.stacktower.io, the stacktower CLI, and related services (together, the “Service”).
Postal address: PO Box 20096, Brooklyn, New York 11201, United States.
Privacy contact: privacy@stacktower.io
We have no establishment in the EEA or the UK. If you are in the EEA, UK, or Switzerland and wish to raise a privacy matter, please write to privacy@stacktower.io; we will respond within the time-frames required by applicable data-protection law.
2. What we collect
2.1 Account & authentication data
When you sign in with GitHub we receive from GitHub, and store, the following fields from your GitHub profile:
- GitHub numeric user ID, login (username), display name, and avatar URL
- Primary email address, as disclosed to us by GitHub
- GitHub organization memberships — only read for customers on a plan that exposes team features; otherwise only the “user” scope is requested
- The OAuth access token issued by GitHub. The token is kept inside your server-side session record (keyed to the __Host-session cookie) and is never returned to the browser or written to a long-term data store outside that session
2.2 Content you submit
- Package names, languages, and version identifiers you analyze
- Repository references (owner/name/commit) you submit, and — for GitHub repositories you connect — the manifest and lockfile contents we read through the GitHub API
- Manifest and lockfile contents you paste or upload directly, for example package.json, package-lock.json, Cargo.toml, Cargo.lock, pyproject.toml, poetry.lock, uv.lock, requirements.txt, go.mod, and Gemfile
- Prompts and tool inputs you submit to the AI “Investigator” feature
- Library bookmarks, favorites, and API-key names / scopes you create
We read the metadata of your manifests (package names, versions, declared licenses) in order to build the dependency graph. We do not ingest the source code of your repositories.
2.3 Billing data
If you subscribe to a paid plan, our payment processor (Stripe) collects your payment instrument, billing address, and tax information directly. We receive from Stripe only a customer identifier, subscription status, billing-cycle metadata, and the last four digits of your card — never the full card number.
2.4 Automatically collected data
- IP address (used for rate-limiting, security, and abuse detection)
- User-agent string and coarse device / browser information
- Request logs: HTTP method, path, status code, latency, and our own request ID — retained for up to 30 days for debugging and security
- Page views and feature-usage events, only if you have accepted the analytics cookie (see §5)
3. Why we collect it & legal bases (GDPR Art. 6)
| Purpose | Data categories | Legal basis |
|---|---|---|
| Provide the Service (auth, rendering, storage) | §2.1, §2.2 | Performance of a contract (Art. 6(1)(b)) |
| Billing & invoicing | §2.3 | Performance of a contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c)) |
| Security, abuse prevention, rate-limiting | §2.4 (logs, IP) | Legitimate interests (Art. 6(1)(f)) |
| Transactional email (security alerts, billing) | §2.1 | Performance of a contract (Art. 6(1)(b)) |
| Product analytics (page views, feature usage) | §2.4 | Consent (Art. 6(1)(a) / ePrivacy) |
You can withdraw consent for analytics at any time via the cookie banner. Withdrawing consent does not affect processing carried out before the withdrawal.
4. Who we share it with (sub-processors)
We do not sell or rent personal data. We share data only with the following service providers, each bound by a contract that restricts use to providing the service to us:
| Provider | Purpose | Location |
|---|---|---|
| GitHub, Inc. | OAuth sign-in, optional repo access with scopes you grant | United States |
| Stripe, Inc. | Payment processing, invoicing, tax | United States |
| Anthropic, PBC | Powers the AI “Investigator” feature (Claude). Inputs and outputs for this feature are transmitted to Anthropic under an API agreement that prohibits using inputs to train models. | United States |
| Resend (Plus Five Five, Inc.) | Transactional email delivery | United States |
| Overtracking | Product analytics — loaded only after you accept analytics cookies | European Union |
| Railway Corp. | Cloud infrastructure (application hosting, managed MongoDB database, object storage for rendered visualizations) | United States |
We may also disclose data (a) to comply with law or valid legal process, (b) to protect our rights or the safety of users, or (c) in connection with a merger, acquisition, or insolvency — in which case we will notify you before your data becomes subject to a new privacy policy.
5. Cookies & tracking
5.1 Strictly necessary
We set one first-party session cookie, __Host-session, with HttpOnly, Secure, SameSite=Strict, and a maximum age of 24 hours. It is strictly necessary to authenticate you and cannot be disabled while using the Service.
5.2 Analytics (consent required)
With your consent, we load Overtracking to record page views and feature usage. Overtracking is loaded only after you click “Accept analytics” in the cookie banner. You can revoke consent at any time by reopening the banner or by clearing the stacktower_cookie_consent entry in your browser’s local storage.
We honour the Global Privacy Control (GPC) signal sent by your browser as an opt-out of analytics.
5.3 Do Not Track
Because there is no industry consensus on DNT, we do not respond differently to the DNT header. We do respond to GPC as described above.
6. International transfers
Our primary infrastructure is located in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries without an adequacy decision, we rely on the EU Commission’s Standard Contractual Clauses (2021/914) and — where applicable — the UK International Data Transfer Addendum or the Swiss SCC addendum, together with supplementary measures (TLS in transit, encryption at rest). You can request a copy of the SCCs in force with any specific sub-processor by emailing privacy@stacktower.io.
7. How long we keep it
- Session records & OAuth tokens: up to 24 hours from last use.
- Account profile: retained while your account exists; deleted within 30 days of account deletion (subject to backup rotation, which finishes within 60 days).
- Visualizations & rendered artifacts: retained until you delete them or your account, subject to plan storage limits. Cached public renders may persist indefinitely.
- Request logs: up to 30 days.
- Audit logs (admin, billing events): up to 12 months.
- Billing records & invoices: retained for up to 10 years as required by US and EU tax law, regardless of account deletion.
- API keys: stored as SHA-256 hashes; the raw key is shown only once at creation. Revoked keys are soft-deleted after 30 days.
8. Security
- TLS 1.2+ for all data in transit
- Session cookies use the __Host- prefix with HttpOnly, Secure, and SameSite=Strict
- API keys are stored only as SHA-256 hashes
- HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy) are enforced
- Rate-limiting and bot detection on all authenticated routes
- Backups encrypted at rest; access-logs reviewed for anomalous activity
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the competent supervisory authority within 72 hours as required by GDPR Art. 33 and applicable US state law.
9. Your rights
9.1 EEA, UK, Switzerland (GDPR / UK GDPR / FADP)
- Access a copy of the personal data we hold about you
- Rectify inaccurate data (most profile data is synced from GitHub — update it there)
- Erase your account and associated personal data
- Restrict or object to processing carried out on the basis of legitimate interests
- Receive your data in a portable machine-readable format
- Withdraw consent to analytics at any time
- Lodge a complaint with your local supervisory authority. If you are in the EEA or UK, the relevant authority is the one for your country of residence or place of work; a directory is available at edpb.europa.eu/members.
9.2 California (CCPA / CPRA)
California residents have the right to know, delete, correct, limit the use of sensitive personal information, and not face discrimination for exercising these rights. We do not “sell” personal information and we do not “share” personal information for cross-context behavioral advertising, as those terms are defined by the CPRA. To exercise your rights, email privacy@stacktower.io. We will verify your request using your authenticated session or by email challenge.
9.3 How to exercise your rights
Most rights can be exercised directly in the Service: Settings → Profile (view), Settings → Delete Account (erase). For data export, rectification outside GitHub, or any other request, email privacy@stacktower.io. We respond to verified requests within 30 days.
10. Automated decisions & AI
The AI “Investigator” feature uses large-language-model inference (Anthropic’s Claude) to generate summaries and suggestions. Its output is an aid, not authoritative advice; you remain responsible for how you act on it. We do not make any legal, financial, or employment-related automated decisions about you. Your inputs to the Investigator are sent to Anthropic under an API agreement that prohibits using those inputs to train models.
11. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 in the EEA / UK, or under 13 in the United States. If you believe a child has provided us with personal data, contact privacy@stacktower.io and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. For material changes we will give reasonable advance notice (at least 14 days) by email or through the Service. The “Last updated” date at the top indicates the most recent revision.
13. Contact
Matthias Huels, d/b/a Stacktower
PO Box 20096, Brooklyn, NY 11201, United States
privacy@stacktower.io