macrostack
Legal

Privacy Policy

Last updated: May 24, 2026

This Privacy Policy explains how MacroStack (“MacroStack,” “we,” “us”) collects, uses, shares, and protects personal information when you use macrostackhq.com and our related applications (the “Service”). By using the Service you agree to this Policy. If you do not agree, do not use the Service.

1. Information we collect

We collect the following categories of information:

  • Account data. Name, email address, username, password (hashed by our auth provider), and profile details you provide.
  • Health & fitness data. Body metrics (weight, height, age, sex), goals, meal and food logs, water and supplement intake, fasting windows, cycle data, workout and recovery entries, mood and journal notes, progress photos. You choose what to enter.
  • Payment data. Subscription plan, billing status, and the last 4 digits of your card. Full payment-card details are collected and stored by our payment processor (Stripe); we do not store them on our servers.
  • Content you share. Community posts, comments, reactions, challenges you join, and messages you send through Stack AI chat.
  • Device & usage data. IP address, browser and operating system, device identifiers, pages viewed, features used, referrers, and approximate location derived from IP. Collected automatically through server logs and cookies.
  • Cookies and similar tech. We use cookies and local storage for sign-in sessions, preferences (e.g. theme), basic analytics, and security. You can control cookies through your browser settings.

2. How we use information

  • Provide, maintain, and improve the Service;
  • Calculate macros, generate meal and coaching suggestions, and personalize your dashboard;
  • Process subscriptions, prevent fraud, and provide customer support;
  • Send transactional emails (account, billing, security) and, with your consent, product updates;
  • Monitor performance, debug issues, and protect the Service and our users from abuse;
  • Comply with legal obligations and enforce our Terms.

3. Legal bases (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following GDPR legal bases: contract (to provide the Service you signed up for), legitimate interests (to secure, debug, and improve the Service in ways you would reasonably expect), consent (for optional marketing communications and non-essential cookies), and legal obligation (to comply with tax, accounting, and law-enforcement requirements). You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. AI features and prompts

When you use Stack AI, coaching briefings, or other AI features, your prompts and relevant profile context (such as goals, recent macros, or food logs) are sent to third-party AI model providers to generate a response. We do not sell prompts. Our AI providers may temporarily process prompts for safety monitoring under their own policies but, under our agreements, do not use them to train their public models. Do not enter information you do not want sent to an AI provider.

5. How we share information

We do not sell personal information. We share information only as follows:

  • Service providers (subprocessors). Vendors that run essential parts of the Service under contractual confidentiality and data-protection terms, including:
    • Clerk — authentication and account management;
    • Stripe — payment processing and subscription billing;
    • Vercel — application hosting, edge networking, and request logs;
    • AI model providers (e.g. OpenAI and Anthropic) — generating AI responses from your prompts;
    • Email, error-monitoring, and analytics providers that help us operate and improve the Service.
  • Other users. Content you choose to make public (e.g. community posts, public profile fields, challenge entries) is visible to other users in the contexts the Service exposes it.
  • Legal and safety. When we have a good-faith belief that disclosure is required by law, legal process, or to protect rights, safety, or property.
  • Business transfers. If MacroStack is involved in a merger, acquisition, financing, or sale of assets, personal information may transfer to the acquiring entity, subject to this Policy or a successor policy.

6. International transfers

MacroStack is operated from the United States, and our subprocessors operate globally. By using the Service you understand that your information will be transferred to and processed in the U.S. and other countries that may not have the same data-protection laws as your jurisdiction. Where required (for example, for transfers out of the EEA or UK), we rely on Standard Contractual Clauses or other approved transfer mechanisms.

7. Data retention

We keep your account data for as long as your account is active. If you delete your account, we delete or anonymize your personal information within 30 days, except where we are required to retain it (for example, billing records for tax or accounting). Backups may persist for a short additional period before being overwritten in the normal course of operations. Aggregated or anonymized data that no longer identifies you may be retained indefinitely.

8. Security

We use industry-standard safeguards including TLS in transit, encryption at rest with our hosting and database providers, hashed passwords, scoped access controls, and audit logging. No system is perfectly secure. Use a strong unique password and contact us immediately if you suspect unauthorized access to your account.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you and receive a copy in a portable format;
  • Correct inaccurate or incomplete information;
  • Delete your account and associated personal information;
  • Object to or restrict certain processing, and withdraw consent at any time;
  • Opt outof “sharing” or targeted advertising — MacroStack does not sell personal information or use it for cross-context behavioral advertising;
  • Lodge a complaint with your local data-protection authority.

You can exercise most rights directly in Settings, or by emailing hello@macrostackhq.com. We will respond within the time required by applicable law (45 days under CCPA, 30 days under GDPR, extendable where permitted). We will not discriminate against you for exercising a privacy right.

10. California residents (CCPA / CPRA)

California residents have specific rights described above, including the right to know what personal information we collect and how we use it, the right to delete, the right to correct, and the right to opt out of sale or sharing. In the preceding 12 months we have collected the categories of information listed in Section 1, used them for the purposes in Section 2, and disclosed them only to the subprocessors in Section 5. We have not sold personal information and do not knowingly collect or sell personal information of California residents under 16.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it. Users between 13 and 18 should use the Service only with the consent of a parent or legal guardian.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will update the “Last updated” date and, where appropriate, notify you by email or in-app notice before the change takes effect.

13. Contact

Questions about this Policy or to exercise your rights, email hello@macrostackhq.com.

See also our Terms of Service.