Last updated: 2026-05-08 Effective date: 2026-04-19
This Privacy Policy explains how STACK'S ("Stack's", "we", "us", or "our") collects, uses, and protects your personal data when you use the Stack's platform, available at tradestacks.app (the "Service").
We comply with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data Controller
The data controller responsible for your personal data is:
STACK'S Registered office: Belgique — Thuin, Hainaut Belgian enterprise number (BCE): 1012.200.443 Contact: legal@tradestacks.app
2. Data We Collect
2.1 Account data
When you register, we collect:
- Email address
- Username / display name
- Hashed password (if using email/password authentication)
- Profile information you choose to provide (bio, avatar, preferences)
2.2 Authentication data
Depending on your chosen authentication method:
- Email/password: email address and password (hashed, never stored in plaintext)
- Google OAuth: email address, name, profile picture, and Google account ID
- Web3 wallet (MetaMask, WalletConnect): your public wallet address
Your public wallet address is inherently public on the blockchain. We treat it as personal data and associate it only with your Stack's account for authentication purposes.
2.3 Content you publish
All content you create on the platform, including:
- Trading plans (entry price, stop-loss, take-profit, risk-reward, asset, notes)
- Posts, comments, and messages in communities
- Community memberships and interactions
Important: trading plans are immutable by design. Once published, a plan cannot be edited or deleted — only versioned. This is a core architectural feature of the Service. See our Terms of Service for details.
2.4 Technical data (automatically collected)
- IP address
- Browser type and version
- Device type and operating system
- Session timestamps
- Pages visited and interactions within the Service
- Referrer URL
2.5 Analytics data
When you give consent, we use Firebase Analytics (Google) and PostHog (PostHog, Inc.) to measure how the Service is used — for example page views, in-app events such as successful sign-in, and (with PostHog) error reporting to help us fix issues. This helps us improve the product. These tools are enabled only after you opt in (cookie banner or account settings).
2.6 Cookies and similar technologies
See Section 10 — Cookies.
3. Legal Bases for Processing
Under GDPR Article 6, we process your data on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Publishing and storing your content | Performance of a contract (Art. 6(1)(b)) |
| Service operation and security | Legitimate interest (Art. 6(1)(f)) |
| Analytics (Firebase Analytics, PostHog) | Consent (Art. 6(1)(a)) |
| Transactional emails (authentication, password reset) | Performance of a contract (Art. 6(1)(b)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
You can withdraw your consent for analytics at any time via the cookie banner or your account settings.
4. How We Use Your Data
We use your personal data to:
- Create and maintain your account
- Authenticate you and secure your session
- Display your published content to other users as part of the Service
- Calculate and display leaderboard rankings based on your trading plan outcomes
- Send transactional emails (account verification, password reset, security alerts)
- Monitor and improve Service performance
- Detect, prevent, and address fraud, abuse, or security issues
- Comply with legal obligations
We do not sell your personal data. We do not use your data for advertising or profiling beyond what is strictly necessary to operate the Service.
5. Who We Share Your Data With
5.1 Sub-processors
We rely on the following third-party service providers (sub-processors) to operate the Service:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google (Firebase Auth, Firestore, Firebase Analytics) | Authentication, database, product analytics (with consent) | EU / US | Standard Contractual Clauses (SCCs) |
| PostHog, Inc. (PostHog) | Product analytics and error reporting (with consent) | EU / US (per project configuration) | Standard Contractual Clauses (SCCs) |
| Render | Application hosting and background workers | US | Standard Contractual Clauses (SCCs) |
| Cloudflare | DNS and domain registration | US | Standard Contractual Clauses (SCCs) |
| CoinGecko | Market price data (no personal data sent) | Worldwide | Not applicable |
When personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses to ensure an adequate level of protection.
5.2 Public content
Content you publish (trading plans, posts, comments, username, avatar) is visible to other users of the Service according to your privacy settings (public or private communities). Public content may be indexed by search engines.
5.3 Legal requests
We may disclose your data if required by law, court order, or a valid request from a Belgian or EU authority.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days (backup retention) |
| Published trading plans and posts | Retained indefinitely (immutable by design) — see below |
| Authentication logs | 12 months |
| Analytics data (Firebase Analytics, PostHog) | 12 months |
| Error logs | 90 days |
| Transactional email logs | 12 months |
Note on immutable content: trading plans are a core architectural feature of the Service and are retained indefinitely to preserve the integrity of track records. If you delete your account, your published plans and posts will be anonymized (your username replaced with a generic identifier) but the content itself will remain visible.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of the data we hold about you
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request account deletion (subject to the immutability note in Section 6)
- Right to restriction (Art. 18) — limit processing in certain cases
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7) — withdraw consent for analytics at any time
- Right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA) at autoriteprotectiondonnees.be
To exercise any of these rights, contact us at legal@tradestacks.app. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (Firestore native encryption)
- Password hashing (Firebase Auth native implementation)
- Access controls and principle of least privilege on infrastructure
- Regular security reviews of dependencies and infrastructure
Despite our efforts, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the Belgian Data Protection Authority within 72 hours as required by GDPR Article 33.
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from someone under 18, we will delete it promptly.
10. Cookies and Similar Technologies
We use cookies and similar technologies for:
| Type | Purpose | Requires consent? |
|---|---|---|
| Strictly necessary | Authentication, session management, security | No |
| Analytics (Firebase Analytics, PostHog) | Understand usage, improve the Service, error reporting | Yes |
| Preferences | Remember your settings (theme, language) | No |
You can manage your consent at any time through the cookie banner or your account settings. You can also block cookies via your browser settings, but some parts of the Service may not function correctly.
11. International Users
The Service is currently operated from Belgium and is accessible worldwide during the invite-only alpha. By using the Service, users outside the EEA acknowledge that their data will be processed in the EEA in accordance with EU law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top
- Notify registered users by email for material changes
- Post the updated policy on this page
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For any questions about this Privacy Policy or your personal data:
STACK'S Belgique — Thuin, Hainaut Email: legal@tradestacks.app BCE: 1012.200.443