Data Processing

This document describes how STACK BRANDS processes personal data in connection with its operations and third-party integrations. It is intended to provide transparency to users, partners, and regulatory bodies regarding our data processing activities.

For full details on how we collect and use data, see our Privacy Policy.

STACK BRANDS acts as the data controller for personal data processed through our platform and website. As data controller, we determine the purposes and means of processing personal data.

Contact: info@stack-brands.com

• Identity and contact data: names and email addresses of authorized team members.
• Authentication data: session tokens and OAuth credentials for platform access.
• Usage and technical data: server logs, IP addresses, device information, and navigation data.
• API-derived data: data received from third-party platforms (Pinterest, TikTok, Meta, Google) via authorized API connections, including account data, content data, and performance metrics.

• Legitimate interests (Art. 6(1)(f) GDPR): operating and securing internal infrastructure.
• Contractual necessity (Art. 6(1)(b) GDPR): providing platform access to authorized team members.
• Legal obligation (Art. 6(1)(c) GDPR): compliance with applicable laws.

We engage the following sub-processors to support our operations:

• Google LLC: OAuth authentication and Google Workspace services.
• Supabase Inc.: database hosting and authentication infrastructure (EU region).
• Vercel Inc.: platform hosting and content delivery.
• Google Cloud Platform: compute infrastructure for automated operations.

All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organizational security measures.

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or reliance on adequacy decisions where applicable.

• Server logs: maximum 90 days.
• Authentication session data: duration of active session, maximum 30 days.
• API-derived data: retained only as long as operationally necessary, typically not exceeding 12 months.

Individuals whose data we process have the right to access, rectify, erase, restrict, or port their data, and to object to processing. To exercise these rights, contact us at info@stack-brands.com. We will respond within 30 days.