Effective date: 10 June 2026 · Last updated: 10 June 2026
This Privacy Policy explains how [STACKV LEGAL ENTITY NAME — e.g. “Lakshya [Surname], trading as StackV” until a company is registered], of [REGISTERED ADDRESS, Pune, Maharashtra, India] ("StackV", "we", "us") handles personal data when you visit stackv.online, contact us, or do business with us. It is written to meet the EU/UK General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP/nDSG), India's Digital Personal Data Protection Act, 2023 (DPDP Act), and, where applicable, US state privacy laws.
1. Two roles we play
Controller. For our website, marketing, sales, invoicing, and business relationships, StackV decides how and why personal data is used — we are the data controller (GDPR) / data fiduciary (DPDP Act). This Policy covers that processing.
Processor. When we build or operate systems for clients and handle personal data inside their projects (e.g. their leads, their customers' tickets), we act only on the client's documented instructions as a data processor. That processing is governed by our Data Processing Agreement with the client, not this Policy. If your data appears in a client's system we operate, the client is the controller — please direct requests to them; we will assist them in responding.
2. Data we collect as controller
Contact and inquiry data: name, business email, company, role, and the content of messages you send via email or our feedback form.
Contract and billing data: names of signatories, billing addresses, tax IDs, payment records (payment-card data is handled by our payment provider, not stored by us).
Project communications: emails, call notes, shared documents, and credentials you provide for an engagement.
Technical data: if and when analytics are enabled on our site, IP address, device/browser type, pages viewed, and referrer — see our Cookie Policy. Our website currently operates without analytics or marketing cookies; if that changes, the Cookie Policy and consent banner will reflect it before any such cookies are set.
Public business data: information you have made public (e.g. on your company website or LinkedIn) that we use for legitimate B2B outreach and due diligence.
We do not knowingly collect data of children under 18 and our services are not directed at them. We do not collect special-category (sensitive) data and ask that you not send it to us.
3. Why we use it and our legal bases (GDPR Art. 6)
To respond to inquiries and provide the Services — performance of a contract or pre-contractual steps (Art. 6(1)(b)); DPDP: consent or legitimate uses for employment/contract purposes.
B2B marketing, portfolio, improving our services, securing our systems, and establishing or defending legal claims — our legitimate interests (Art. 6(1)(f)), balanced against your rights. You can object at any time.
Analytics or marketing cookies, and email marketing where consent is required — your consent (Art. 6(1)(a)), withdrawable at any time.
4. Sharing and recipients
We do not sell personal data. We share it only with: (a) service providers (sub-processors) who help us run the business — hosting, email, cloud databases, AI model providers, analytics if enabled, payment processors, and accounting — under contracts that restrict their use of the data; (b) professional advisers (lawyers, accountants) under confidentiality; (c) authorities where required by law; and (d) a successor entity if the StackV business is incorporated, restructured, or transferred, in which case this Policy continues to apply. A current list of our main providers is in Annex 2 of our DPA, available on request.
5. International transfers
StackV operates from India. India is not the subject of an EU or Swiss adequacy decision. Where we receive personal data from the EEA, UK, or Switzerland as a controller or processor, we protect transfers using the European Commission's Standard Contractual Clauses (and the Swiss FDPIC-recognised adaptations), plus supplementary technical measures such as encryption in transit and at rest. You may request a copy of the relevant safeguards at the contact below.
6. Retention
We keep personal data only as long as needed: inquiry data up to 24 months after last contact; contract and project records for the engagement plus the limitation period for legal claims; invoicing and tax records for the period required by Indian law (generally 8 years); client-project personal data per the client's instructions and our DPA (deleted or returned at the end of the engagement). We then delete or irreversibly anonymise it.
7. Your rights
EEA/UK/Swiss residents: access, rectification, erasure, restriction, portability, objection (including to direct marketing, which we will always honour), and withdrawal of consent without affecting prior processing. You may complain to your local supervisory authority or, in Switzerland, the FDPIC.
India (DPDP Act): access, correction and erasure, grievance redressal, and nomination. Grievance Officer: [NAME], reachable at stackv@stackv.online. You may escalate unresolved grievances to the Data Protection Board of India.
US state residents: where state law applies, rights to know, delete, correct, and opt out of “sale”/“sharing” (we do neither).
To exercise any right, email stackv@stackv.online. We respond within the legally required period (one month under GDPR, extendable as permitted) and may verify your identity first. Exercising rights is free of charge unless requests are manifestly unfounded or excessive.
8. Security
We apply technical and organisational measures appropriate to the risk: encryption in transit (TLS) and at rest, least-privilege access controls, MFA on production systems, secrets management, logging, vendor due diligence, and environment separation. Details are in our Security & Compliance Overview. No system is perfectly secure; if a breach is likely to result in risk to you, we will notify the competent authority and affected persons as required by law.
9. Automated decision-making
We do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects. AI systems we build for clients operate under the client's control and responsibility.
10. EU/UK representative
If and to the extent Article 27 GDPR requires StackV to appoint a representative in the EU or UK, the representative's details will be listed here: [EU REPRESENTATIVE — appoint if you regularly offer services to or monitor individuals in the EU; to be confirmed with counsel].
11. Changes and contact
We may update this Policy; the latest version with its effective date is always at stackv.online. Material changes will be flagged on the site. Contact for all privacy matters: stackv@stackv.online, or by post to [REGISTERED ADDRESS, Pune, Maharashtra, India].