Privacy Policy

DownStack ("we," "our," or "us") operates the website at downstack.app (the "Service"). This Privacy Policy explains how we collect, use, share, and protect your information when you use the Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

Information you provide

• Account information: Email address and authentication data when you create an account (directly or via Google/Facebook sign-in)
• Payment information: Processed securely by Stripe. We do not store credit card numbers.
• Contact information: Name, email, and message content when you use our contact form
• Featured writer submissions: Email, Substack URL, and display name if you opt into the featured writers showcase

Information collected automatically

• Usage data: Conversion counts, feature usage, pages visited, time spent on site, click patterns, and referral sources
• Technical data: Browser type, device type, operating system, IP address, and approximate location for security, performance, and analytics purposes
• Cookies and tracking technologies: Information collected via cookies, pixels, tags, and similar technologies as described in Section 6 below

Information we do NOT collect

• Your content: Your markdown text is processed entirely in your browser. We do not read, store, analyze, or transmit your article content. The only data sent to our servers is rendered table images for hosting.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Service
• To process payments and manage subscriptions
• To communicate with you about your account, the Service, and support requests
• To send you marketing communications, product updates, newsletters, and promotional offers (you may opt out at any time)
• To personalize your experience and recommend features or content
• To analyze usage trends and improve our product, marketing, and business strategies
• To create and manage advertising audiences on third-party platforms (such as Google, Meta, LinkedIn, and X/Twitter)
• To serve targeted and retargeted advertisements to you across third-party platforms and websites
• To measure the effectiveness of our marketing campaigns and advertising
• To share anonymized or aggregated data with business partners for analytics, co-marketing, and joint promotional initiatives
• To detect and prevent fraud, abuse, and unauthorized access
• To comply with legal obligations

3. Data Sharing and Partners

We may share your information with the following categories of recipients:

• Service providers: Companies that help us operate the Service, including hosting (Cloudflare), authentication (Supabase), payment processing (Stripe), and email delivery services
• Advertising and analytics partners: We share data with platforms such as Google Ads, Meta/Facebook, X/Twitter, and LinkedIn for advertising, remarketing, and audience creation. This may include hashed email addresses, usage data, or information collected via tracking pixels and cookies.
• Business partners: We may share anonymized or aggregated data with business partners for co-marketing, market research, and joint promotional initiatives
• Legal and safety: We may disclose information when required by law, legal process, or government request, or to protect the rights, property, or safety of DownStack, our users, or the public
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as a business asset

We do not sell your personal information to data brokers. We may share personal information with advertising partners as described above for targeted advertising purposes.

4. Data Storage and Security

Your data is stored and processed using the following services:

• Supabase: User authentication and account data (hosted on AWS)
• Cloudflare R2: Hosted table images (globally distributed)
• Cloudflare KV: Subscription and featured writers metadata
• Stripe: Payment processing (PCI DSS compliant)

We implement appropriate technical and organizational measures to protect your data, including encryption in transit and at rest. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

5. Third-Party Services

We use the following third-party services that may collect or process your data:

• Supabase — Authentication and database (Privacy Policy)
• Cloudflare — Hosting, CDN, and image storage (Privacy Policy)
• Stripe — Payment processing (Privacy Policy)
• Google Analytics / Google Tag Manager — Website analytics and tag management (Privacy Policy)
• Google Ads — Advertising and remarketing (Privacy Policy)
• Meta (Facebook/Instagram) — Advertising pixel and audience creation (Privacy Policy)
• X (Twitter) — Advertising pixel and conversion tracking (Privacy Policy)
• LinkedIn — Insight Tag and advertising (Privacy Policy)
• Google Fonts — Font delivery (Privacy Policy)

These third-party services may collect information about your online activities over time and across different websites. We encourage you to review their respective privacy policies.

6. Cookies and Tracking Technologies

We use cookies, pixels, and similar tracking technologies to collect information and improve the Service. These include:

Essential cookies

Required for the Service to function. These include authentication session cookies (Supabase) and security tokens. You cannot opt out of essential cookies.

Analytics cookies

Help us understand how visitors interact with the Service. We use Google Analytics and similar tools to track page views, conversion events, session duration, and usage patterns.

Marketing and advertising cookies

Used to deliver relevant advertisements and measure campaign effectiveness. These include pixels and tags from Google Ads, Meta (Facebook), X (Twitter), and LinkedIn. These technologies may track your activity across websites to build interest-based advertising profiles and deliver retargeted ads.

Preference cookies

Store your preferences and settings, such as free tier conversion counts (via local storage) and UI preferences.

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Disabling certain cookies may affect the functionality of the Service. For more information about opting out of interest-based advertising, visit aboutads.info or youronlinechoices.com.

7. Data Retention

• Account data: Retained as long as your account is active. Deleted upon account deletion request.
• Hosted images: Pro tier images are retained indefinitely. Free tier images may be deleted after 30 days.
• Contact form submissions: Retained for up to 2 years.
• Payment records: Retained as required by applicable tax and financial regulations.
• Analytics and advertising data: Retained in accordance with our third-party partners' retention policies.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data
• Portability: Request transfer of your data to another service
• Objection: Object to processing of your personal data for marketing or profiling purposes
• Opt-out of targeted advertising: Request that we stop sharing your data with advertising partners for targeted advertising purposes
• Withdraw consent: Where we rely on consent, you may withdraw it at any time

To exercise any of these rights, contact us at hello@downstack.app. We will respond within 30 days.

9. GDPR Compliance (EU/EEA Users)

If you are in the European Economic Area, we process your personal data under the following legal bases:

• Contract performance: To provide the Service, process payments, and manage your account
• Legitimate interest: For security, fraud prevention, service improvement, analytics, and direct marketing to existing customers
• Consent: For marketing emails, advertising cookies, and sharing data with advertising partners. You may withdraw consent at any time.

EU/EEA users have additional rights including the right to lodge a complaint with a supervisory authority. For data-related requests, contact us at hello@downstack.app.

10. CCPA Compliance (California Users)

If you are a California resident under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the following rights:

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you
• Right to delete: You may request that we delete your personal information
• Right to opt out of sale/sharing: We do not sell personal information to data brokers. We may share personal information with advertising partners for cross-context behavioral advertising (targeted advertising). You may opt out of this sharing by contacting us.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your rights, contact us at hello@downstack.app.

11. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The updated policy will be effective upon posting to this page. We encourage you to review this Privacy Policy periodically.

13. Contact

For privacy-related inquiries, contact us at:

• Email: hello@downstack.app
• Contact form: downstack.app/contact