Privacy Policy
Effective: 1 January 2026. We treat your data the way we’d want ours treated — with respect, transparency, and the minimum collection necessary to run the service. This policy explains everything we collect, why we collect it, where it goes, and how you can control it.
1. Who we are
Stackivo (the “Service”) is an independently operated product based in Indore, India. We act as the data fiduciaryunder India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for all personal data you provide through the Service.
Questions or requests? Email [email protected].
2. What we collect
Account data
- Name, email address, and password (stored as a bcrypt hash — we never see your plain-text password).
- Profile photo, if you choose to upload one.
- Business information you provide during onboarding or settings: business name, legal entity type, address, GSTIN, phone, and website.
Operational / business data
- Everything you create inside Stackivo: clients, projects, invoices, contracts, time entries, welcome documents, and files (logos, signatures, attachments).
- Payment and subscription records: Razorpay payment IDs, subscription IDs, plan history, and billing amounts. We do not store card numbers or UPI VPAs — those are handled entirely by Razorpay.
- Client portal activity: messages sent and received, files shared, and timestamps.
AI workflow inputs
- When you use the Ask AI feature, the text you type (your prompt) is sent to Groq’s API to generate a structured response. This includes the descriptions you write for invoices, contracts, welcome documents, clients, and projects.
- We minimise what is sent: only the text you enter in the AI chat and the workspace context you explicitly select (client name, project name) are forwarded.
- Stackivo does notuse your AI prompts or the content of your workspace to train any AI model. Groq’s API is used for inference only.
Telemetry and logs
- IP address, user agent, and access timestamps — retained for 90 days for security and abuse prevention.
- Product usage events (e.g. which features are used, pages visited, button clicks) — collected via PostHogwith personal identifiers stripped. These events respect your browser’s Do Not Track signal.
- Session recordings and heatmaps via Microsoft Clarity to understand how users interact with the interface. Clarity automatically masks text input fields so your invoice and client data is not captured in recordings.
- Error reports via Sentry — scrubbed of credentials and sensitive field values before transmission.
Cookies and local storage
- Strictly necessary: Authentication session cookies (HTTP-only, Secure) set by Supabase. These are required for you to stay logged in and cannot be opted out of while using the Service.
- Analytics: PostHog and Microsoft Clarity use cookies to distinguish sessions. PostHog respects Do Not Track. You can opt out of Clarity via browser settings or a privacy-respecting browser extension.
- Support: your support conversations are stored first-party within Stackivo and linked to your account.
- We do not place any third-party advertising or retargeting cookies.
3. How we use your data
- To operate the Service: authenticate you, store your workspace data, generate invoices and contracts, process payments, and deliver transactional emails.
- To power AI workflows: forward your AI chat prompts to Groq’s API to generate invoice drafts, contract drafts, welcome document drafts, client records, and project records on your behalf.
- To process payments and subscriptions: pass transaction data to Razorpay (our PCI-compliant payment processor).
- To send transactional email: invoice delivery, payment receipts, contract signature requests, security alerts, and password resets — via Brevo.
- To improve the product: aggregated, anonymised analytics help us understand which features are used and where users encounter friction.
- To prevent fraud and ensure security: monitor login attempts, detect suspicious activity, and enforce rate limits.
- To meet legal obligations: retain GST invoice records as required by Indian tax law.
We do not sell your data. We do not use your data to train AI models. We do not use your data for advertising.
4. Third-party sub-processors
We share data with the following service providers, each under a data processing agreement, and only to the extent necessary to deliver the Service:
- Supabase (Frankfurt, Germany) — PostgreSQL database and authentication. All business data lives here.
- Cloudflare R2 (EU region) — object storage for files you upload: logos, contract attachments, portal files, signed PDFs.
- Razorpay(India) — payment processing and subscription management. Governed by Razorpay’s own privacy policy and PCI-DSS compliance.
- Brevo (EU) — transactional email delivery. Your name and email are shared with Brevo only to send emails on your behalf.
- Groq (USA) — AI inference API used by the Ask AI feature. Your AI prompts and the workspace context you select are sent to Groq. No training on your data.
- PostHog (EU) — product analytics. Anonymised usage events only.
- Microsoft Clarity(USA) — session recording and heatmaps. Input fields are masked. Governed by Microsoft’s privacy policy.
- Sentry (EU) — error and performance monitoring. Credentials and sensitive values are scrubbed before transmission.
- Cloudflare (global) — DNS and inbound email routing for
[email protected]. Support conversations themselves are stored first-party in Stackivo, not by a third-party help-desk. - Vercel(USA) — hosting and edge network. Request logs are retained per Vercel’s policy.
5. International data transfers
Several of our sub-processors process data outside India (notably Supabase in Germany, Cloudflare R2 in the EU, Groq and Microsoft Clarity in the USA, and Vercel globally). We rely on standard contractual clauses or equivalent transfer mechanisms where required. We choose processors with strong data protection practices and are satisfied they adequately protect your data.
6. Data retention
- Account and operational data: retained while your account is active.
- On account deletion: when you request deletion your account is immediately locked and scheduled for permanent erasure after a 30-day recovery window, during which you can cancel by signing back in. After the window, your personal and business data — profile, clients, projects, invoices, contracts, time entries, portals, uploaded files, support history, and AI history — is permanently and irreversibly deleted from our database, and your uploaded files are removed from object storage. This cannot be undone.
- Platform billing records: records of the subscription payments you made to Stackivo are retained for the period required by Indian tax law, with personal identifiers removed (anonymised), as these are Stackivo’s own financial records. We recommend exporting any invoices or contracts you need for your own records before deleting your account.
- Server and access logs: 90 days.
- Support conversations: retained for 2 years within Stackivo to assist with follow-up.
- AI prompt logs: Stackivo does not store your AI prompt text beyond the current session. Groq’s own retention policy governs API request logs on their side.
7. Your rights
Under the DPDP Act and general principles of data protection, you have the right to:
- Access: know what data we hold about you.
- Correction: update inaccurate or incomplete data (most of this you can do yourself in Settings).
- Erasure: request deletion of your account and all associated data (subject to legal retention obligations for GST records).
- Portability: export your data as JSON from Settings → Data & export in the dashboard.
- Objection / restriction: object to specific processing activities by emailing us.
- Withdraw consent: where processing is based on consent (e.g. optional analytics), you can withdraw it by adjusting your browser settings or contacting us.
To exercise any right, email us at:
- [email protected] — we respond within 30 days.
- Or delete your account directly from Settings → Account → Delete account.
You may also lodge a complaint with the Indian Data Protection Board if you are unsatisfied with our response.
8. Security
- All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted at the database and storage layer.
- Workspace data is isolated using Supabase Row Level Security (RLS) — users can only access their own data.
- Passwords are hashed with bcrypt; sessions use secure, HTTP-only cookies.
- Two-factor authentication (TOTP) is available in account settings and strongly recommended.
- We monitor for security events and alert on suspicious activity such as multiple failed login attempts.
- In the event of a confirmed data breach, we will notify affected users within 72 hours of becoming aware, in accordance with the DPDP Act.
9. Children
Stackivo is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please contact us at [email protected] and we will delete the account promptly.
10. Changes to this policy
We may update this policy when we add new features or sub-processors, or when laws change. Material changes will be announced via email or in-product notice at least 14 days before they take effect. The effective date at the top of this page always reflects the latest version. Continued use of Stackivo after the effective date constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions, data requests, or complaints:
- Email: [email protected]
- General contact: stackivo.me/contact
- Address: Stackivo, Indore, Madhya Pradesh, India
12. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the grievance-redressal requirements of the DPDP Act, 2023, you can escalate unresolved concerns to our designated Grievance Officer:
- Grievance Officer — Stackivo, Indore, Madhya Pradesh, India
- Email: [email protected]
- We acknowledge grievances within 48 hours and aim to resolve them within 15 days of receipt.
If you remain unsatisfied after our response, you may complain to the Data Protection Board of India once constituted under the DPDP Act.