1. Introduction

TrackStack ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using TrackStack, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, name, password (hashed)
• Billing Information: Processed by Stripe (we don't store credit cards)
• Profile Data: Optional profile picture, company name, role
• Referral Data: Referral codes used during signup, referrer relationships, reward status
• Support Requests: Communications with our support team

2.2 GitHub Integration Data

If you connect your GitHub account, we collect:

• Repository Metadata: Repository names, descriptions, star counts, last activity dates
• Package Manifests: Contents of dependency files (package.json, requirements.txt, Gemfile, etc.)
• Dependency Lists: Names and versions of packages your projects depend on
• GitHub Profile: Username, email, avatar URL (for authentication)

2.3 Information We Collect Automatically

• API Usage Data: Request counts, endpoints called, response times
• Framework Queries: Which frameworks you ask about (e.g., "React", "Next.js")
• Error Logs: API errors, failed requests, stack traces (no sensitive data)
• Device Information: IP address, browser type, operating system
• Cookies: Session cookies for authentication, analytics cookies

2.4 What We DON'T Collect

3. How We Use Your Information

3.1 Service Provision

• Authenticate and authorize your account access
• Sync and analyze your project dependencies via GitHub
• Process API requests and provide framework intelligence
• Generate crowdsourced package recommendations from aggregated data
• Check for security vulnerabilities (CVEs) in your dependencies
• Track usage against your plan limits
• Generate usage reports and analytics in your dashboard
• Track referral relationships and grant rewards when eligible

3.2 Service Improvement

• Analyze which frameworks are most popular to prioritize intelligence updates
• Identify and fix bugs, errors, and performance issues
• Develop new features based on usage patterns
• Improve accuracy of framework recommendations

3.3 Communication

• Send service-related emails (welcome, password reset, billing)
• Notify you of major updates, new features, or breaking changes
• Respond to support requests and technical issues
• Send marketing emails (you can opt out anytime)

3.4 Legal and Security

• Detect and prevent fraud, abuse, and unauthorized access
• Comply with legal obligations and law enforcement requests
• Enforce our Terms of Service
• Protect the rights and safety of TrackStack and its users

4. Data Sharing and Disclosure

4.1 We Share Data With:

• Clerk (Authentication): Email, name, profile data for user authentication and session management.clerk.com/privacy
• GitHub (Integration): OAuth token to access your repositories. We request read-only access to repository metadata and package manifest files.github.com/privacy
• Stripe (Payment Processing): Name, email, billing information for subscription management.stripe.com/privacy
• Vercel (Hosting): Application and database hosting. Data stored in US data centers.vercel.com/privacy
• Upstash (Caching): Temporary session and rate limit data. Redis-compatible serverless database.upstash.com/privacy
• PostHog (Analytics): Privacy-focused product analytics. Usage patterns, feature engagement. IP addresses anonymized.posthog.com/privacy
• OSV.dev (Security): We query this open database to check your dependencies for known vulnerabilities. No personal data shared.osv.dev

4.2 We DON'T Share Data With:

• Data brokers or advertising networks
• Social media platforms (except for auth if you choose to sign in with Google)
• Your employer (TrackStack never shares your data with your employer; workspace data is shared only with members you invite)
• AI training companies or LLM providers

4.3 Legal Disclosure

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to prevent harm or enforce our Terms.

5. Data Storage and Security

5.1 Where Your Data is Stored

• Primary Database: PostgreSQL hosted on Vercel (US)
• Backups: Encrypted daily backups retained for 30 days
• Logs: Retained for 90 days for debugging and security

5.2 Security Measures

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Passwords hashed using bcrypt with salt
• API keys hashed and only partially displayed in dashboard
• Rate limiting to prevent brute-force attacks
• Regular security audits and penetration testing
• Two-factor authentication (2FA) available for paid users

6. Your Privacy Rights

6.1 How to Exercise Your Rights

• Access Data: Email privacy@trackstack.ai with subject "Data Access Request"
• Export Data: Email privacy@trackstack.ai with subject "Data Export Request"
• Delete Account: Settings → Account → Delete Account (or email us)
• Update Info: Edit directly in dashboard or contact support@trackstack.ai
• Opt Out of Marketing: Click "unsubscribe" in any marketing email

We will respond to data requests within 30 days. For EU residents, you have additional rights under GDPR (see section 8).

7. Cookies and Tracking

7.1 Essential Cookies

Required for the Service to function:

• __session: Maintains your login session provided by Clerk (expires after 7 days of inactivity)
• __clerk_db_jwt: Securely stores authentication state

7.2 Analytics Cookies (Optional)

Help us improve the service:

• Page views and navigation patterns
• Feature usage statistics
• Performance metrics (load times, errors)

You can disable analytics cookies in your dashboard settings. Essential cookies cannot be disabled without preventing service functionality.

8. GDPR Compliance (EU Users)

Additional GDPR Rights

• Right to Object: Stop processing of your data for marketing purposes
• Right to Restriction: Limit how we use your data in certain circumstances
• Right to Lodge Complaint: File a complaint with your local data protection authority

For EU-specific requests, contact our Data Protection Officer at dpo@trackstack.ai

9. Children's Privacy

TrackStack is not intended for users under 18. We do not knowingly collect data from children. If you are a parent and believe your child has provided us with personal information, contact us at privacy@trackstack.ai and we will delete it immediately.

10. Data Retention

• Active Accounts: Data retained while your account is active
• Deleted Accounts: Personal data deleted within 30 days (except for billing records required by law)
• Backups: May persist in backups for up to 90 days after deletion
• Usage Logs: Anonymized after 90 days, aggregated statistics retained indefinitely
• Legal Holds: Data may be retained longer if required for legal disputes

11. International Transfers

TrackStack is hosted in the United States. If you access our Service from outside the US, your data will be transferred to, stored, and processed in the US. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) for EU data transfers
• Encryption in transit and at rest
• Compliance with US-EU Data Privacy Framework (when applicable)

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via:

• Email to your registered address (at least 30 days notice)
• Dashboard notification when you log in
• Updated "Last Updated" date at the top of this page

Continued use of the Service after changes take effect constitutes acceptance of the new policy.

13. Contact Us

For privacy-related questions, concerns, or requests:

We aim to respond to all privacy inquiries within 72 hours.