1. Introduction
StackTrax ("we", "us", "our") operates the stacktrax.com website and mobile application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
2. Information We Collect
We collect information you provide directly:
- Account information (email address, display name, phone number if provided)
- Protocol and supplement tracking data (compounds, doses, schedules)
- Daily check-in data (mood, energy, sleep, recovery ratings)
- Weight and body composition logs
- Payment information (processed securely via Stripe — we never store card numbers)
- Email address submitted through our educational guide pages (for protocol guides and updates)
We automatically collect:
- Device and browser information (browser type, operating system, screen size)
- Usage analytics (pages visited, features used, navigation paths)
- IP address and approximate location (city/country level)
- Referral and campaign data — including UTM parameters and the source social platform when you arrive via a link in one of our social media bios
- An anonymous visitor ID stored in a first-party cookie and your browser's local storage, used by our analytics provider to recognize repeat visits
3. How We Use Your Information
- Provide, operate, and maintain the StackTrax service
- Process subscriptions and payments
- Send transactional emails (welcome emails, trial reminders, account notifications)
- Send SMS notifications if you provide a phone number and opt in (future feature)
- Improve the app through aggregated, anonymized analytics
- Respond to support requests and feedback
- Detect and prevent fraud or abuse
4. Third-Party Services
We use the following third-party services to operate StackTrax:
- Supabase — database hosting, authentication, and file storage. Your data is stored securely in Supabase's infrastructure with encryption at rest.
- Stripe — payment processing. Stripe handles all payment card information and is PCI DSS Level 1 certified. We only store your Stripe customer ID.
- Resend — transactional email delivery. Receives your email address to deliver account-related emails.
- PostHog — product analytics. PostHog records pageviews, navigation paths, browser and device information, IP address, and UTM/referral parameters. It uses a first-party cookie and browser local storage to assign each visitor an anonymous identifier so it can recognize repeat visits. Data is stored on PostHog's US-based infrastructure. We use this data only to understand how StackTrax is used and to improve the product — never for advertising and never sold or shared with third parties. See PostHog's Privacy Policy for more information. To opt out, email us at support@stacktrax.com or use a browser-level analytics blocker.
- Anthropic — AI language model provider. When you use the Research Assistant or Protocol Builder, your question text and conversation history are sent to Anthropic's API to generate responses. No personal health data, account information, or tracking data is sent — only the text of your query and any relevant research context. See Anthropic's Privacy Policy for more information.
- MediSearch — medical research citation service. When you use the Research Assistant, your question is sent to MediSearch's API to retrieve relevant peer-reviewed studies from PubMed and other medical databases. No personal or account data is sent.
- FatSecret — food and nutrition database. When you search for foods or scan a barcode in the Nutrition feature, your search query or barcode is sent to FatSecret's API to retrieve nutritional information. No personal or account data is sent.
- Vercel — application hosting and deployment.
- Sentry — error monitoring. Collects error reports to help us fix bugs. No personal health data is included in error reports.
Affiliate Links: Our educational guide pages and shop contain affiliate links to third-party vendors. When you click these links and make a purchase, StackTrax may earn a commission at no extra cost to you. We only recommend vendors we trust, but we are not responsible for their products, services, or business practices.
Disclaimer Acceptance Logs: When you access a compound-specific guide page (for example, /guides/bpc-157), we record that you acknowledged our educational-content disclaimer. The record includes a timestamp, the disclaimer version, your account ID (if signed in) or an anonymous device-generated ID (if not), the guide slug you were viewing, and your browser user-agent string. These records are kept as proof of acknowledgment and are not used for marketing.
5. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or compliance purposes. Anonymized, aggregated data may be retained indefinitely.
6. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security policies on our database, and secure authentication practices. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and data
- Export your data in a portable format
- Opt out of analytics tracking
To exercise any of these rights, contact us at support@stacktrax.com.
Opting out of analytics: You can prevent PostHog from tracking your usage by using a browser extension that blocks analytics scripts (uBlock Origin, Privacy Badger, etc.), enabling your browser's built-in tracker protection, or clearing your cookies and local storage for stacktrax.com. You can also email us and we will exclude your account from analytics on the server side.
8. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to Know — You may request that we disclose what personal information we collect, use, and share about you.
- Right to Delete — You may request deletion of the personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale — We do not sell your personal information to third parties. If this changes in the future, we will provide a clear opt-out mechanism.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact us at support@stacktrax.com. We will respond to verifiable requests within 45 days.
9. Children's Privacy
StackTrax is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.