DRAFT — pending legal review

Privacy Policy

Last updated: 2026-05-03

1. Who we are

HandStack ("HandStack", "we", "our") runs a platform where event hosts collect pledges from supporters. This policy explains what personal information we collect, how we use it, and the choices you have.

Contact us at privacy@handstack.app for any question about this policy or to exercise your rights.

2. What we collect

When you create an account or use HandStack, we collect:

  • Account info: email, display name, avatar, optional phone and zip code
  • Profile info you choose to share: bio, interests, preferred distance, local business status
  • Event and pledge activity: events you create or attend, pledge amounts, messages within the platform
  • Payment data: card information is collected directly by Stripe and never touches our servers. We store Stripe customer and payment identifiers to associate charges with your account.
  • Technical data: IP address, browser, device info, and error telemetry via Sentry to keep the service running.

3. How we use your data

  • To run the service (authenticate you, process pledges, notify hosts).
  • To send transactional emails (pledge confirmations, event reminders, settlement notifications).
  • To send occasional product updates with a one-click unsubscribe in every email.
  • To prevent abuse, moderate content, and enforce our Terms of Service.
  • To comply with legal obligations (tax reporting via Stripe).

4. Who we share with (subprocessors)

  • Supabase — database, authentication, file storage (United States)
  • Stripe — payment processing and host payouts. Stripe's use of your data is governed by the Stripe Privacy Policy. Stripe issues 1099-K tax forms to hosts directly.
  • Resend — transactional email delivery
  • Sentry — error monitoring (with PII scrubbing on server)
  • Vercel — web hosting

We do not sell your personal information. We do not share it with advertisers.

5. Your rights

You can export all your data at any time from your profile settings ("Download my data"). You can delete your account from the same screen — we anonymize your profile and retain only what we are legally required to keep (payment records for tax purposes).

If you are in the European Union, the United Kingdom, or California, you have additional rights under GDPR/UK-GDPR/CCPA including access, correction, deletion, and objection. Email privacy@handstack.app to exercise them.

6. Data retention

  • Account & profile: until you delete your account
  • Payment records: 7 years (IRS and dispute resolution)
  • Messages: up to 2 years after the related event completes
  • Notifications: 90 days
  • Error logs: 30 days (Sentry retention)

7. Children

HandStack accounts are only for adults aged 18 and over. We do not knowingly create accounts for or collect personal information directly from anyone under 18. Hosts may price events per-child, but no child account is created — a parent or guardian holds the account and may share a child's age range when required by tiered pricing or to match an event's minimum age. We do not knowingly collect a child's name, contact information, or other personally identifying details.

If you believe a minor has registered an account, email privacy@handstack.app and we will remove the account.

8. Security

We use industry-standard transport encryption and row-level authorization at the database layer. No online service is perfectly secure; email us at security@handstack.app if you believe your account was compromised.

9. Changes

We will post updated versions of this policy on this page and update the "Last updated" date. For material changes we will also notify you by email.