Privacy Policy

Last updated: December 3, 2025

This Privacy Policy ("Policy") describes how Stacklink Inc. ("Stacklink," "we," "us," or "our") collects, uses, discloses, and protects information when you use our website, platform, and related services (collectively, the "Services").

1. Scope

This Policy applies to:

  • Visitors to our website(s);
  • Users who create an account and use the Services; and
  • Organizations ("Customers") that provision workspaces and connect third-party sources (e.g., Google Drive, Slack).

This Policy does not cover third-party practices (e.g., Google, Slack). Their policies govern their services.

2. Definitions

  • Account Data: Information about users and administrators (e.g., name, email, authentication identifiers, workspace membership, roles).
  • Customer Content: Content and files that a Customer or its users connect to Stacklink (e.g., documents, file metadata, messages) and questions users submit in the Services.
  • Usage Data: Operational and diagnostic information generated by use of the Services (e.g., logs, timestamps, feature usage).
  • Workspace: The tenant environment for an organization inside Stacklink (also referred to as organization/workspace/tenant).
  • Subprocessors: Third parties who process data on our behalf to provide the Services.

3. Controller/Processor Roles

Customer Content: The Customer is typically the "controller" (or "business") and Stacklink acts as a "processor" (or "service provider/contractor") for Customer Content, processing it to provide the Services under the Customer's instructions.

Account Data and Website Data: Stacklink acts as a controller for Account Data and Website Data we process for our own business purposes (e.g., account administration, security, billing, and service communications).

4. Information We Collect

4.1 Account Data

We collect:

  • Name, email address, and authentication identifiers;
  • Workspace membership and role (e.g., admin/member);
  • Basic profile preferences and onboarding state.

4.2 Integration and Connection Data

When a workspace admin connects a third-party service, we collect and store:

  • OAuth tokens/credentials (e.g., access/refresh tokens), scopes, expiry times;
  • External identifiers and configuration needed to run the integration (e.g., Google folder IDs, Slack team/channel IDs, allowlists);
  • Integration status and sync metadata (e.g., last sync time, errors).

4.3 Customer Content (Connected Sources and User Inputs)

Depending on what the Customer enables, we process:

  • Document/file content and metadata from connected sources (e.g., title, URL/link, MIME type, last-modified time, owner info as provided by the source);
  • User questions asked via web UI or messaging integrations (e.g., Slack slash commands);
  • Files uploaded manually (if enabled).

4.4 Derived Data (Indexing Artifacts)

To provide search and Q&A, we may create and store:

  • Parsed text representations of connected content;
  • Chunks (segmented excerpts of content);
  • Embeddings (numeric vector representations of chunks and/or queries);
  • Retrieval logs indicating which sources/chunks were used to answer a question.

4.5 Usage Data and Device/Network Data

We collect:

  • Log data (IP address, timestamps, request identifiers, error logs);
  • Device/browser information (user-agent), approximate location from IP;
  • Feature usage and performance diagnostics.

4.6 Billing Data

If you purchase a paid plan, we may process billing contact and invoice data. Payment card details are typically processed by our payment processor, not stored by Stacklink, except as necessary for billing administration (e.g., last4, brand, and transaction identifiers) depending on the processor's features.

5. How We Collect Information

We collect information:

  • Directly from you (account registration, onboarding forms, support requests, questions asked);
  • From your admin/Customer (workspace provisioning, invites, role assignments);
  • From connected third-party services (via APIs and OAuth authorizations you enable);
  • Automatically (cookies and similar technologies; server logs).

6. How We Use Information

6.1 Provide and Operate the Services

Including to:

  • Authenticate users and manage workspaces;
  • Connect integrations and sync selected sources;
  • Index, retrieve, and present answers with citations to the underlying content;
  • Provide admin controls, access management, and workspace configuration.

6.2 AI Features and Model Processing

When you ask a question, Stacklink typically:

  • Retrieves relevant excerpts from indexed content in your workspace; and
  • Sends the question and retrieved excerpts (and limited associated metadata such as titles/links) to an AI model provider to generate an answer.

We may also send minimal context needed for safety, reliability, and formatting (e.g., instructions to only answer from provided context and to cite sources).

6.3 Security, Abuse Prevention, and Integrity

Including:

  • Preventing unauthorized access, abuse, and fraud;
  • Enforcing access controls and workspace isolation;
  • Monitoring and investigating suspicious activity.

6.4 Service Improvement and Analytics

Including:

  • Debugging, performance tuning, reliability, and improving retrieval quality;
  • Aggregated analytics (e.g., most-asked questions, "no answer" rates).

Where feasible, we use aggregated or de-identified data for analytics and do not attempt to re-identify de-identified data except where required to comply with law or protect security.

6.5 Communications

We use contact information to:

  • Send service-related messages (e.g., onboarding, security alerts, policy updates, billing notices);
  • Respond to support requests.

6.6 Legal Compliance

Including complying with legal obligations and enforcing our agreements.

7. Legal Bases (EEA/UK)

If you are in the EEA/UK, our legal bases include:

  • Performance of a contract (providing the Services);
  • Legitimate interests (security, fraud prevention, service improvement, communications);
  • Consent (where required, e.g., certain cookies/marketing emails);
  • Legal obligation (compliance and record-keeping).

8. Data Sharing and Disclosure

We do not sell personal information.

We may disclose information as follows:

8.1 To Subprocessors/Service Providers

We use subprocessors to provide hosting, databases, authentication, AI inference/embeddings, monitoring, email delivery, and support tooling. They process information under contractual restrictions consistent with their role.

8.2 To Connected Platforms at Your Direction

We exchange data with services you connect (e.g., Google Drive/Docs APIs, Slack APIs) to authenticate, sync, and respond.

8.3 Within Your Workspace

Admins and authorized users may access workspace data as configured (roles, settings, logs) consistent with the Customer's controls.

8.4 For Legal, Safety, and Compliance Reasons

We may disclose information to comply with law, legal process, or lawful requests, or to protect rights, safety, and security.

8.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

9. Google Workspace / Google APIs (Limited Use)

If you connect Google Workspace services, Stacklink's use of information received from Google APIs will comply with the Google API Services User Data Policy, including Limited Use requirements.

No generalized AI training from Google Workspace API data: Stacklink does not use data obtained from Google Workspace APIs to develop, improve, or train generalized AI and/or ML models.

(If we ever introduce optional per-workspace fine-tuning or customization using Customer Content, it will be described explicitly and controlled by the Customer's settings and agreements.)

10. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Maintain sessions and authenticate users;
  • Provide core site functionality;
  • Measure reliability and performance.

Where required by law, non-essential cookies will be used only with consent and can be managed through cookie settings or your browser settings.

11. Data Retention

We retain information only as long as needed for the purposes described in this Policy, including:

  • Account Data: retained while the account/workspace is active and as needed for legitimate business purposes (e.g., security logs, dispute resolution).
  • Customer Content indexing artifacts (chunks/embeddings): retained while the source remains connected and active, and removed within a reasonable period after disconnection/deletion unless retention is required for security/legal purposes.
  • Questions/answers and retrieval logs: retained for a limited period for reliability, security, and admin analytics, configurable by the Customer where available.
  • Backups: may persist for a limited time after deletion due to backup cycles.

Customers may request deletion of workspace data subject to contractual and legal constraints.

12. Security

We implement administrative, technical, and organizational safeguards designed to protect information, including:

  • Access controls and least-privilege practices;
  • Encryption in transit (TLS) and, where supported by our infrastructure, encryption at rest;
  • Workspace isolation and authorization checks;
  • Monitoring and incident response processes.

No system can be guaranteed perfectly secure; security measures are designed to reduce risk and are continuously improved.

13. International Transfers

We and our subprocessors may process data in countries other than your own. Where required, we implement appropriate safeguards for cross-border transfers (e.g., Standard Contractual Clauses and supplementary measures) consistent with applicable law.

14. Your Rights and Choices

14.1 EEA/UK Rights

Depending on the circumstances, you may have rights to:

  • Access, rectification, deletion, restriction, portability, and objection;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with a supervisory authority.

If your account is managed by a Customer: requests relating to Customer Content may need to be directed to the Customer (controller). Stacklink will assist Customers in fulfilling such requests consistent with applicable agreements.

14.2 US State Privacy Rights

Depending on your state, you may have rights such as access, deletion, correction, and opt-out of certain disclosures for targeted advertising. Stacklink does not sell personal information.

14.3 Marketing Emails

You can opt out of marketing emails using the unsubscribe link in those emails. Transactional/service messages may still be sent (e.g., security/billing notices).

15. Children's Privacy

The Services are not intended for children under 13 (or under 16 where applicable). We do not knowingly collect personal information from children in those age ranges.

16. Changes to This Policy

We may update this Policy. If changes are material, we will provide notice through the Services and/or by email to workspace admins or account owners. The "Last updated" date indicates when the latest version is effective.