Privacy Policy
Last updated: February 1, 2026
1. Introduction
StackSerp Inc. ("StackSerp", "we", "us", "our") operates the StackSerp platform at stackserp.com. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and the choices you have regarding your information. By using StackSerp, you agree to the practices described in this Policy.
2. Information We Collect
2.1 Information you provide directly
- Account data: Name, email address, and password when you register.
- Profile data: Organization name, website URLs, industry/niche, and brand settings you configure.
- Payment data: Billing address and payment method — processed by Stripe. We never store raw card numbers.
- CMS credentials: API keys, application passwords, and access tokens you add for WordPress, Shopify, Ghost, or other integrations. These are stored encrypted at rest.
- Content inputs: Keywords, content briefs, brand guidelines, and custom prompts you enter.
- Support communications: Any messages you send to our support team.
2.2 Information collected automatically
- Usage data: Pages visited, features used, button clicks, and time spent — collected via server logs and optional analytics.
- Device & technical data: IP address, browser type, operating system, and referring URLs.
- Cookies: Session cookies for authentication and optional preference cookies. We do not use third-party advertising cookies.
2.3 AI-generated content
When you generate content through StackSerp, your prompts (keywords, topics, instructions) are sent to third-party AI providers such as Google Gemini. These providers may process this data subject to their own privacy policies. We do not use your content inputs to train our own AI models, and we contractually restrict providers from using your data for their model training where permitted.
3. How We Use Your Information
- To provision, operate, and improve the Service.
- To authenticate your identity and manage your account.
- To process subscription payments and send billing receipts.
- To fulfill integrations — e.g., publishing content to your CMS using the credentials you provide.
- To send transactional emails (password resets, subscription confirmations, job completion notifications).
- To send product updates, feature announcements, and tips (you can opt out at any time).
- To monitor for abuse and enforce our Terms of Service.
- To comply with legal obligations.
- To generate aggregated, anonymized statistics about platform usage (never identifying individual users).
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, our legal bases for processing personal data are:
- Contract performance: Processing necessary to provide the Service you subscribed to.
- Legitimate interests: Security monitoring, fraud prevention, and product analytics.
- Legal obligation: Retaining billing records as required by tax laws.
- Consent: Marketing emails and non-essential cookies, where required.
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only with the following categories of parties:
- Payment processing: Stripe Inc. — for billing and subscription management.
- AI providers: Third-party AI services are used for content and image generation. Under our agreements, prompts are sent to these providers but are not permanently stored beyond the request lifecycle.
- Cloud infrastructure: DigitalOcean or equivalent — for hosting the application and database.
- Email delivery: A transactional email provider (e.g., Resend or SendGrid) — for system emails.
- CMS platforms: Your credentials are used to connect to platforms you authorize (WordPress, Shopify, etc.). We only transmit content to those platforms on your explicit instruction.
- Legal disclosure: We may disclose data if required by law, court order, or to protect the rights, property, or safety of StackSerp, its users, or the public.
All sub-processors are listed in our Data Processing Agreement (DPA).
6. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit using TLS 1.2+.
- Encryption of sensitive credentials (CMS API keys, tokens) at rest using AES-256.
- Hashed and salted storage of passwords (bcrypt).
- Regular security audits and dependency updates.
- Access controls limiting who within StackSerp can access production data.
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to security@stackserp.com.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we begin deletion of your personal data within 30 days, except where retention is required by law (e.g., billing records retained for 7 years for tax compliance). Generated content (blog posts, keywords) is deleted alongside your account unless you export it beforehand.
8. Cookies
We use the following types of cookies:
- Essential cookies: Session tokens required for you to stay logged in. Cannot be disabled.
- Preference cookies: Store your UI preferences (e.g., dark/light mode).
- Analytics cookies: Aggregate usage analytics to improve the product. No cross-site tracking.
We do not use advertising or retargeting cookies. You can manage non-essential cookies via your browser settings.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update inaccurate or incomplete data (most data can be updated directly in your account settings).
- Deletion: Request deletion of your account and associated personal data.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for marketing emails at any time via the unsubscribe link.
To exercise any of these rights, email us at privacy@stackserp.com. We will respond within 30 days. If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.
10. International Data Transfers
StackSerp is operated from the United States. If you access the Service from the EEA, UK, or other regions with data protection laws, your data is transferred to the US and processed there. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers where applicable.
11. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@stackserp.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and update the "Last updated" date at the top of this page. Continued use of the Service after changes become effective constitutes your acceptance of the revised Policy.
Privacy inquiries: privacy@stackserp.com