Privacy Policy

Last updated: 06/01/2026

This Privacy Policy explains how NoStackAI (“NoStackAI”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal information when you visit nostackai.com, create an account, or use the NoStackAI platform and related services (collectively, the “Services”). By using the Services you agree to the practices described here.

1. Scope & our roles

The Services let you build and run configuration-driven applications, APIs, and AI agents on per-customer isolated infrastructure. This policy covers two kinds of data:

Account & site data — information about you as a NoStackAI user or website visitor. Here we act as the controller.
Customer Content — the data, end-user records, and configuration you store and process within your isolated workspace (“stack”). Here we act as a processor on your behalf, and our handling is governed by your agreement with us (including any Data Processing Addendum). You are the controller of Customer Content and responsible for the personal information it contains.

2. Information we collect

Information you provide

Account & profile: name, email, organization name, role, and credentials when you register or are invited to an organization.
Billing: plan selection and billing contact details. Card/payment details are handled by our payment processor — we do not store full card numbers.
Communications: messages you send via the contact form, support requests, and survey or demo responses (including any company name you provide).
Customer Content: data models, entities, connectors, prompts, and records you create, upload, or process within your workspace.

Information we collect automatically

Usage & device data: log data, IP address, browser/device type, pages viewed, feature usage, API call metadata, and timestamps.
Cookies & similar technologies: used for authentication, preferences, and limited analytics (see Cookies).

3. How we use information

Provide, operate, secure, and maintain the Services and your workspace.
Authenticate users, enforce access controls, and isolate tenant data.
Process subscriptions, billing, and plan changes.
Respond to inquiries and provide customer support.
Monitor performance, debug, prevent abuse and fraud, and enforce our terms and usage limits.
Send service, security, and (where permitted) product communications. You can opt out of marketing messages at any time.
Comply with legal obligations and protect our and others’ rights.

We process Customer Content solely to provide the Services per your instructions and configuration. We do not use Customer Content to advertise to you, and we do not use it to train foundation models.

4. AI features & subprocessors

The Services include AI capabilities (for example, agentic workflows and generated outputs). To deliver these, prompts and the content you submit to an AI feature may be processed by third-party AI providers and cloud infrastructure providers acting as our subprocessors (for example, large-language-model and cloud hosting providers such as Amazon Web Services and Anthropic). We contract with subprocessors to process data only on our instructions and to maintain appropriate safeguards. We do not permit AI subprocessors to use your Customer Content to train their general models. A current list of subprocessors is available on request.

Service providers / subprocessors: hosting, AI processing, payments, email delivery, error monitoring, and analytics — bound by confidentiality and data-protection obligations.
Within your organization: administrators and members of your organization may access account and workspace data according to the roles you assign.
Legal & safety: when required by law, regulation, legal process, or to protect the rights, property, or safety of NoStackAI, our users, or the public.
Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

We do not sell personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under applicable U.S. state privacy laws.

6. Data retention & deletion

We retain account data for as long as your account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Customer Content is retained per your configuration and your agreement with us; you can delete Customer Content from your workspace, and you may request export or deletion of your account data. Free workspaces may be suspended after a period of inactivity and later removed as described in our Terms of Service. Backups are purged on a rolling schedule.

7. Security

Tenant isolation: per-customer isolation so your application data is not commingled across tenants.
Encryption: encryption in transit (TLS) and at rest, including field-level encryption for sensitive fields, with keys managed in a managed key service.
Access controls: role-based access, least-privilege practices, and write-only secret fields that are never returned in API responses.

No method of transmission or storage is 100% secure, but we work to protect your information using administrative, technical, and organizational safeguards appropriate to the risk.

8. International data transfers

We may process and store information in countries other than where you reside. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to protect personal information transferred internationally. You can choose a hosting region for your workspace where that option is available.

9. Your rights & choices

Depending on your location, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing or withdraw consent. These include rights under the GDPR/UK GDPR and U.S. state laws such as the CCPA/CPRA.

To exercise rights over your account data, contact us at the address below.
For Customer Content, requests from your end users should be directed to the relevant organization (the controller); we will assist that organization as its processor.
We will not discriminate against you for exercising your privacy rights.

10. Cookies & analytics

We use strictly necessary cookies for authentication and core functionality, and limited analytics to understand and improve the Services. You can control cookies through your browser settings; disabling some cookies may affect functionality.

11. Children’s privacy

The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will post the revised version with a new “Last updated” date and, where appropriate, provide additional notice. Your continued use of the Services after changes take effect constitutes acceptance.

13. Contact us

Questions or requests about this policy or your personal information? Contact us at privacy@nostackai.com or via our contact page. Postal address: [Company legal name and address]. If you are in the EEA/UK, you may also contact your local data protection authority.

This page is provided for general information and does not constitute legal advice.