This Privacy Policy is provided for transparency and compliance purposes. It is not legal advice. If you need legal advice about your own data processing, consult a qualified lawyer in your jurisdiction.
Privacy Policy
Last updated: 2026-05-08 Effective date: 2026-05-08
This Privacy Policy explains how Stacks and Flows (“we”, “us”, “our”) collects, uses, shares, and protects information about visitors to stacksandflows.com and any subdomains we operate.
We have written this policy to be compatible with:
- The EU General Data Protection Regulation (GDPR) and the UK GDPR
- The California Consumer Privacy Act (CCPA / CPRA)
- Common-sense international privacy norms
Where local law gives you stronger rights than this policy, local law applies.
1. Information we collect
1.1 Information you give us
- Email address 鈥?when you subscribe to our newsletter, contact us, or submit a copyright takedown notice.
- Email content 鈥?the body of any message you send us.
1.2 Information collected automatically
When you visit stacksandflows.com, our hosting provider and our analytics tool see:
- IP address 鈥?used transiently for routing and abuse prevention. We do not store IP addresses in our analytics product.
- User agent (browser, OS, device class).
- Pages visited, referrer, and time on page.
- Country (derived from IP, no city or finer granularity).
We do not use cookies for analytics. We use Plausible Analytics, a privacy-first analytics service that does not set cookies and does not use any personal data to identify visitors. See plausible.io/data-policy.
1.3 Information we do not collect
- We do not run advertising trackers (Facebook Pixel, Google Ads, TikTok Pixel, etc.).
- We do not fingerprint your device.
- We do not sell your personal information.
2. How we use information
We use information for these purposes only:
| Purpose | Lawful basis (GDPR) |
|---|---|
| Operating and securing the site | Legitimate interest |
| Responding to your inquiries | Contract / legitimate interest |
| Sending newsletters you subscribed to | Consent |
| Detecting abuse and fraud | Legitimate interest |
| Complying with law (e.g., DMCA, court orders) | Legal obligation |
We do not engage in any automated decision-making or profiling that produces legal or similarly significant effects.
3. Third parties who process data on our behalf
We rely on a small number of vendors. Each is bound by their own privacy terms and, where applicable, a Data Processing Agreement under GDPR Article 28.
| Vendor | What they see | Privacy link |
|---|---|---|
| Cloudflare (hosting / DNS / Pages) | IP, request logs, basic device info | cloudflare.com/privacypolicy |
| Plausible Analytics | Aggregated visit data; no cookies, no PII | plausible.io/privacy |
| Buttondown (newsletter) | Email address, subscribe time, open / click events | buttondown.com/privacy |
| GitHub (source hosting) | Not applicable to site visitors | docs.github.com/site-policy/privacy-policies |
When you click an affiliate link, the affiliate vendor (e.g., n8n, Make, Zapier, Pipedream, HeyGen, Synthesia) sets its own tracking identifier in your browser to attribute a possible signup back to us. Each affiliate vendor’s privacy policy applies to that data, and we do not receive your personal information from them 鈥?only aggregated attribution events.
4. Cookies
- Plausible Analytics: no cookies, no consent banner needed.
- Newsletter form: a small first-party cookie may be set by our forms processor to remember that you already subscribed (so we don’t ask twice).
- Affiliate links: clicking an affiliate link causes the vendor to set its own attribution cookie on its own domain. We do not control or read those cookies.
You can clear all cookies in your browser settings at any time. Doing so will not break the site.
5. Your rights
5.1 GDPR / UK GDPR (EU, UK, EEA, Switzerland)
You have the right to:
- Access 鈥?get a copy of personal data we hold about you.
- Rectification 鈥?fix inaccurate data.
- Erasure (“right to be forgotten”).
- Restriction of processing.
- Data portability 鈥?receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time (e.g., unsubscribe from the newsletter).
5.2 CCPA / CPRA (California)
You have the right to:
- Know what personal information we collect about you.
- Delete personal information we hold about you.
- Opt out of the sale or sharing of personal information. We do neither, but you can confirm in writing.
- Non-discrimination for exercising these rights.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
6. Data retention
| Category | Retention |
|---|---|
| Plausible analytics aggregates | Up to 14 months |
| Newsletter subscribers | Until you unsubscribe + 30 days for backups |
| Email correspondence | Up to 24 months from last reply |
| Server / Cloudflare logs | Up to 30 days (Cloudflare default) |
7. International transfers
Our hosting and processing providers (Cloudflare, Buttondown, Plausible) operate in the United States and Europe. Where personal data is transferred outside the EU / UK, the transfer relies on Standard Contractual Clauses or the relevant adequacy decision.
8. Children
stacksandflows.com is not directed at children under 13 (US) or 16 (EU / UK). We do not knowingly collect personal data from minors. If you believe a child has submitted personal data to us, email [email protected] and we will delete it.
9. Security
We use TLS for all connections, store secrets in environment variables (not in source code), and require multi-factor authentication on every operational account. We do not claim our security is perfect 鈥?no one’s is. If you discover a vulnerability, please email [email protected] with the subject line “security”.
10. Data Protection Officer (DPO)
We are not currently required to designate a Data Protection Officer under GDPR Article 37. For all data-protection matters, the responsible contact is:
- Role: Privacy Contact
- Email: [email protected]
If we appoint a formal DPO in the future, this section will be updated.
11. Changes to this policy
We may update this policy. Material changes will be flagged on the homepage for at least 14 days, and the Last updated date at the top of this page will change.
12. Contact
- Privacy and data requests: [email protected]
- Postal contact: available on request via the email above.
Last updated: 2026-05-08
Last updated: 2026-05-08