Privacy Policy

Last updated: January 19, 2026

The Short Version

We collect almost nothing. Your notes, tasks, and calendar are encrypted on your device — we never see them. We only have your email and payment info (via Stripe). We don't sell data, show ads, or track you.

1. Information We Collect

Information You Provide

  • Email address: When you create an account, we collect your email address for account management and communication.
  • Payment information: Processed by Stripe. We receive confirmation of payment but never see your card details.
  • Support communications: If you contact us, we keep the correspondence to help resolve issues.

Information We Never Receive

  • Your content: Notes, tasks, calendar events — encrypted on your device, we never see them.
  • Your password: Used locally to derive encryption keys, never transmitted to us.
  • Your encryption keys: Generated locally from your password, never leave your device.

2. How We Use Information

We use the limited information we have to:

  • Manage your account and license
  • Process payments via Stripe
  • Send important product updates (you can opt out)
  • Respond to support requests
  • Improve our service (using aggregated, anonymous data only)

3. Information Sharing

We share your information only in these limited circumstances:

  • Stripe: Processes payments. Subject to Stripe's Privacy Policy.
  • Legal requirements: If required by law, though we can only provide what we have (email, license info — not your content).

We never sell your data. We never share it with advertisers. We never use it to train AI models.

4. Data Retention

  • Account data: Retained while your account is active. Anonymized immediately upon account deletion.
  • Payment records: Retained as required for tax and legal purposes (typically 7 years).
  • Support communications: Retained for 2 years after last contact.
  • Your content: We don't have it. It's on your devices.

5. Your Rights

You have the right to:

  • Access: Request a copy of data we have about you.
  • Correction: Update your account information.
  • Deletion: Delete your account and associated data.
  • Export: Export your content from the app in standard formats.
  • Objection: We don't send marketing communications and never will. We only send transactional emails (account verification, password resets, purchase confirmations).

To exercise these rights, contact us.

6. Data Security

Your content is encrypted with ChaCha20-Poly1305 on your device before it goes anywhere. Keys are derived using Argon2id from your password, which never leaves your device. Even if our systems were compromised, attackers would get only email addresses and encrypted blobs they can't decrypt.

7. International Transfers

Our minimal infrastructure may process data in the United States and European Union. Because we have almost no data and your content is encrypted, there's minimal privacy risk from data transfers.

8. Children's Privacy

PrivStack is not intended for children under 13. We do not knowingly collect information from children under 13.

9. Changes to This Policy

We may update this policy occasionally. We'll notify you of significant changes via email or in-app notification. Continued use after changes constitutes acceptance.

10. Contact Us

Questions about this policy? Contact us.