Effective date: 05/20/26 · Last updated: 05/20/26 · Version: 1.0

StackSense Privacy Policy

StackSense is still in beta; these policies are subject to change as the product evolves. This page explains what data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. If anything is unclear, email us at privacy@stacksense.ca.

1. Who we are

StackSense is a personal health tracking application. You use it to log supplements, peptides, dose schedules, symptoms, and body composition for your own personal use.

StackSense is operated by Jad Gouiza, Quebec, Canada. We are the data controller for the purposes of GDPR, PIPEDA, and Quebec Law 25. The Privacy Officer for StackSense is Jad Gouiza, reachable at privacy@stacksense.ca.

Once StackSense Inc. is registered, this section will be updated to name the corporation as the controller.

2. What StackSense is not

StackSense is not a medical device. It is not a clinical decision-support system. It is not a diagnostic tool. It does not provide medical advice. It does not recommend doses. It does not replace your doctor.

Everything StackSense shows you is for informational and educational purposes only. You are responsible for your own health decisions.

3. What data we collect

Account data

Health and tracking data (special category data under GDPR Article 9)

Usage and technical data

Billing data

We do not collect: your real name unless you provide it voluntarily, your phone number, your home address, your government ID, biometrics, your contacts, your location beyond IP-derived country.

4. Why we collect this data (legal basis under GDPR Article 6 and Article 9)

| Data | Legal basis (Article 6) | Special category basis (Article 9, if applicable) |
|---|---|---|
| Account email and password | Performance of contract (Article 6(1)(b)) | n/a |
| Health logs (supplements, symptoms, body comp) | Performance of contract (Article 6(1)(b)) | Explicit consent (Article 9(2)(a)) |
| Usage analytics | Legitimate interest (Article 6(1)(f)) | n/a |
| Marketing emails | Consent (Article 6(1)(a)) | n/a |
| Crash and error logs | Legitimate interest (Article 6(1)(f)) | n/a |
| Billing | Legal obligation and contract (Article 6(1)(b) and 6(1)(c)) | n/a |

Health data processing happens only because you explicitly consent at signup with a separate checkbox. You can withdraw consent at any time by deleting your account. Withdrawing consent does not undo processing that already happened.

5. Who we share data with

We share data with the third parties below. Each has signed a Data Processing Agreement with us. Each is contractually required to protect your data and only use it to provide their service to us.

| Vendor | What they do for us | Where they process data | DPA in place |
|---|---|---|---|
| Supabase | Database and authentication backend | United States | Yes |
| Vercel | Web hosting and edge delivery | United States | Yes |
| Stripe | Payment processing | United States and worldwide | Yes |
| Anthropic | AI-powered research feature (only for non-personal, generic compound information) | United States | Yes |
| PostHog or Plausible | Anonymized product analytics | EU | Yes |
| Sentry | Crash and error monitoring (optional, opt-in) | United States | Yes |

We do not sell your data. We do not share your data with advertisers. We do not share your data with data brokers. We do not let third parties scrape it.

We will share data with law enforcement only if compelled by a valid legal order from a Canadian court or a foreign court whose order is recognized in Canada. If we receive such an order, we will notify you unless legally prohibited from doing so.

6. International data transfers

StackSense is operated from Quebec, Canada. Some vendors above process data in the United States. We rely on the following legal mechanisms for international transfers:

If you want a copy of the SCCs or our Transfer Impact Assessment, email privacy@stacksense.ca.

7. How long we keep your data

| Data type | Retention period |
|---|---|
| Account data while active | While your account exists |
| Health logs while active | While your account exists |
| Health data after account deletion | Permanently deleted within 90 days |
| Account data after deletion | Soft-deleted immediately, hard-deleted within 90 days |
| Billing and payment records | 7 years (Canadian tax law and Quebec consumer protection law require this) |
| Analytics events | 90 days |
| Crash logs | 90 days |
| Server logs (IP, user agent) | 30 days |
| Backups | Up to 6 months on a rolling basis. Backups are encrypted at rest and we cannot selectively delete from them without rebuilding the backup. Deletions from backups happen via the normal rotation cycle. |

After 90 days from account deletion, your health logs are gone forever. We cannot restore them. Export your data before deleting your account if you want to keep a copy.

8. Your rights

You have the following rights over your data. Exercise any of them by emailing privacy@stacksense.ca or using the in-app data rights panel at Profile → Your Data.

| Right | What it means | Response time |
|---|---|---|
| Access | Get a copy of what we hold about you | 30 days |
| Correction | Fix anything that's inaccurate | 30 days |
| Deletion | Wipe your account and all health data (subject to the retention exceptions above) | 30 days |
| Portability | Download your data in a structured format (CSV) | 30 days, on demand via Export button |
| Object | Stop processing for analytics or marketing | 30 days |
| Restriction | Pause processing while we resolve a dispute | 30 days |
| Withdraw consent | Pull back consent for health data processing or marketing | Immediately on receipt |
| Complain | File a complaint with your privacy regulator | See section 13 |

We will not retaliate against you for exercising your rights. We will not charge you for the first request in a 12-month period. For repeated or excessive requests, we may charge a reasonable fee or refuse, but we will tell you why.

9. Cookies and tracking

We use only the cookies necessary to make StackSense work, plus optional analytics cookies you can decline.

| Cookie type | Purpose | Required | How to disable |
|---|---|---|---|
| Session cookie | Keep you logged in | Yes, app does not work without it | Log out |
| Auth refresh token | Keep your session alive | Yes | Log out |
| Analytics (PostHog/Plausible) | Anonymous product usage | No | Cookie banner toggle, or browser do-not-track |

We do not use advertising cookies. We do not use third-party tracking pixels (no Meta pixel, no Google Ads, no TikTok pixel, nothing). If we ever add any, we will update this policy and ask you for consent.

10. Data security

We do not store your data on our personal devices. We never email health data over unencrypted email. We never share health data on Slack or other chat systems.

If there is a data breach, we will notify you within 72 hours under GDPR, within 5 business days under Quebec Law 25, and as required by PIPEDA, CCPA, and Washington MHMDA.

11. Children

StackSense is intended for adults 18 and older. We do not knowingly collect data from anyone under 18. If you are under 18, do not use StackSense.

If you are a parent or guardian and believe your child has signed up, email privacy@stacksense.ca and we will delete the account and all associated data.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will:

Non-material changes (clarifications, formatting fixes, vendor URL updates) take effect immediately and do not trigger email notice.

13. How to contact us and complain

Routine privacy questions, rights requests, complaints: privacy@stacksense.ca

Legal notices, regulator inquiries: legal@stacksense.ca

If we don't resolve your complaint, escalate to your regulator:

| Region | Regulator | Contact |
|---|---|---|
| Canada (federal) | Office of the Privacy Commissioner of Canada | https://www.priv.gc.ca, 1-800-282-1376 |
| Quebec | Commission d'accès à l'information du Québec | https://www.cai.gouv.qc.ca |
| European Union | Your national supervisory authority | https://edpb.europa.eu/about-edpb/about-edpb/members_en |
| United Kingdom | Information Commissioner's Office | https://ico.org.uk |
| California | California Attorney General | https://oag.ca.gov/privacy |
| Washington State | Washington Attorney General | https://www.atg.wa.gov |

Jurisdiction-specific sections

The sections below apply to users in specific jurisdictions in addition to the general policy above.

A. Quebec Law 25 (Loi sur la protection des renseignements personnels dans le secteur privé)

This section applies to all users whose personal information is collected or used in Quebec.

Designated Privacy Officer: Jad Gouiza, privacy@stacksense.ca. The Privacy Officer is responsible for compliance with this law and for responding to your rights requests.

Consent: We obtain your express, free, informed, and specific consent for processing your health data at signup. You can withdraw it at any time.

Privacy Impact Assessment: A PIA covering this processing is on file. Available to regulators on request.

Cross-border transfers: Some of your data is processed by service providers in the United States. We have assessed that the contractual, organizational, and technical measures in place provide protection equivalent to what Quebec law requires.

Automated decision-making: StackSense does not make decisions about you based solely on automated processing. Our AI research features generate information, not decisions about you.

Breach notification: If a confidentiality incident creates a real risk of serious harm to you, we will notify you and the Commission d'accès à l'information within 5 business days.

Right to data portability: You can request a copy of your data in a structured, commonly used technological format.

B. European Union and EEA - GDPR

This section applies to users in the EU and EEA.

We are a non-EU controller offering services to EU residents. We process your data under the legal bases listed in section 4.

Your rights under GDPR:

EU representative: Once our EU user base reaches material scale, we will appoint a representative in the EU under Article 27. Until then, we rely on the de-minimis exception for occasional and small-scale processing. Contact us directly at privacy@stacksense.ca.

International transfers: Some data is transferred to the United States. We rely on Standard Contractual Clauses (Commission Implementing Decision 2021/914). Copies available on request.

Data Protection Officer (DPO): We are not required to appoint a DPO under Article 37. Our Privacy Officer (Jad Gouiza) handles equivalent responsibilities.

C. United Kingdom - UK GDPR and Data Protection Act 2018

This section applies to UK users.

The rights and obligations under UK GDPR mirror those under EU GDPR. Substitute "Information Commissioner's Office (ICO)" for the EU supervisory authority. Substitute the UK International Data Transfer Agreement for the EU SCCs where transfers go to the US.

UK representative: Same de-minimis approach as EU until material scale is reached.

D. California - CCPA and CPRA

This section applies to California residents.

Categories of personal information collected: Identifiers (email), commercial information (subscription history), internet activity (usage data), sensory data (none), geolocation (only IP-derived country), professional information (none), inferences (none), sensitive personal information (health data, with your consent).

Categories of sources: You, your device, our payment processor (Stripe).

Business purposes for collection: Providing the StackSense service, billing, security, analytics, customer support.

Categories of third parties data is disclosed to: Service providers listed in section 5.

Do we sell or share personal information? No. We do not sell your personal information. We do not share it for cross-context behavioral advertising. We have never done so.

Sensitive personal information: We collect health data only with your consent and only for providing the StackSense service. We do not use it for inferring characteristics about you. You have the right under CPRA to limit our use of sensitive personal information. To exercise this right, email privacy@stacksense.ca.

Your CCPA rights:

How to exercise: Email privacy@stacksense.ca. We will verify your identity by sending a confirmation email to the address on your account.

Authorized agents: You may designate an agent in writing.

Response time: 45 days, extendable by 45 more days with notice to you.

E. Washington State - My Health My Data Act (MHMDA)

This section applies to consumers in Washington State and to data collected from Washington consumers.

Consumer health data we collect: The supplement, peptide, symptom, body composition, and protocol data you choose to enter in StackSense.

Categories of sources: You.

Purposes of processing: To provide the StackSense tracking service to you.

Categories of third parties with whom we share consumer health data: The service providers listed in section 5 (Supabase, Vercel, Stripe, Anthropic, PostHog/Plausible, Sentry). These are processors acting on our instructions.

We do not:

Your MHMDA rights:

To exercise: Email privacy@stacksense.ca. Response within 45 days.

Geofencing: We do not use geofencing around healthcare facilities.

F. Other US states (Connecticut, Nevada, Colorado, Virginia, Texas)

If you are a resident of a US state with a comprehensive privacy law, the rights in section 8 apply to you. The Washington MHMDA section above covers the strictest US health data treatment. The CCPA section above covers the strictest US comprehensive privacy treatment. You get the benefit of both.

If you want jurisdiction-specific clarity, email privacy@stacksense.ca.

G. Canada (PIPEDA)

This section applies to Canadian users outside Quebec.

We comply with PIPEDA's 10 fair information principles:

  1. Accountability (Privacy Officer Jad Gouiza)
  2. Identifying purposes (this policy)
  3. Consent (signup checkboxes and granular toggles)
  4. Limiting collection (only what we need)
  5. Limiting use, disclosure, retention (section 7)
  6. Accuracy (you can correct via your account)
  7. Safeguards (section 10)
  8. Openness (this policy is public)
  9. Individual access (section 8)
  10. Challenging compliance (complaint procedure in section 13)

Breach reporting: Where a breach creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible.

H. Quebec, in French

This privacy policy is written in English. A French version is available at stacksense.ca/politique-confidentialite. In the event of a discrepancy between the versions, the French version will prevail for users residing in Quebec. For any questions, write to privacy@stacksense.ca.

End of Privacy Policy. Version 1.0. Last updated 05/20/26