StackV designs and ships production AI systems — custom agents, intelligent workflows,
and growth automation — built around how your business actually runs.
A small team that ships production systems — not slide decks.
Flagship
Custom AI agents that handle real work — sales, support, ops.
Discovery, design, build, and a 30-day runway. We hand you a system, not a prompt.
From €6,400 · 14 days
Web build
Marketing sites & product surfaces that earn the click.
App build
iOS, Android, & web apps — shipped on a fixed runway.
Workflows
n8n & Zapier rebuilds, but actually maintainable.
RAG
Search your knowledge with citations you can trust.
Voice
Inbound voice agents · < 400ms latency.
Growth & strategy
Lead routing, enrichment, and an AI roadmap that doesn't gather dust.
Care plan
Monthly ops & iteration retainer — we stay after launch.
A note from the studio
We don't sell magic. We ship small, ugly,working systems — then make them better, week after week.
~3 wksFrom kickoff to first thing in production
94%Of engagements still running after 6 months
1–2Active client builds we take on at a time
Built in Pune · Shipping globallyQ3 2026 — two slots open
02 / Process
Four weeks from “we should automate that” to live in production.
Week 01
D
Discover
Map workflows, decisions, and the systems involved. Pick the one with the biggest payoff.
Week 02
P
Prototype
A working slice your team can poke at — real data, real edges, real failure modes.
Week 03
B
Build
Hardened, monitored, version-pinned. Auth, logs, evals, and a kill switch on day one.
Week 04
L
Launch
Rollout, training, dashboards — and a 30-day runway in case anything wobbles.
03 / About
A studio out of Pune, building boring AI that actually ships.
We're builders, not slide-decks. StackV started in 2024 after a decade of doing the same thing inside larger product teams: shipping production AI that survives Monday morning, not just demo day.
Every engagement is small, named, and senior. No project managers translating you to engineers. You talk to the people writing the code, and the system you walk away with is yours — repo, runbooks, and all.
38Systems shipped
Across ops, sales, support, and growth.
14dMedian delivery
From kick-off to first production traffic.
92%Client retention
Clients renew into a care plan after launch.
€0Locked-in fees
You own the stack. Cancel any time.
L
Lakshya
Co-founder · Systems
Years building production ML at fintechs. Refuses to ship anything without a kill switch.
P
Piyush
Co-founder · Design
Design lead from two B2B SaaS teams. Cares more about retention than CTR.
T
Tanishq
Head of Growth · Outreach
Ran cold email at two B2B startups. Treats deliverability like a religion, not a setting.
P
Pushpak
Data & Compliance Lead
Built scraping pipelines under strict privacy regimes. Reads data law for fun, blocks shipping without a DPA.
Y
Yash
SDR · Vertical Sales
Closed SMB deals across multiple markets. Speaks operator-fluent, books demos faster than reps draft scripts.
How we work
Three rules we don't break, even on the messy projects.
01 / Boring > clever
If a Postgres table and a cron job will do, we don't reach for an agent.
We use the simplest thing that survives the next on-call. AI is a tool, not the headline.
02 / Ship every week
Something real lands in your account by Friday — every Friday.
No 6-week "discovery" before you see code. Tiny, ugly, working first; pretty and complete after.
03 / Own your stack
The repo, the prompts, the runbook — all yours on day one.
No black boxes, no lock-in, no "call us to make a change." You should be able to fire us cleanly.
04 / Recent work
The folder we open first when a new client asks “have you done this before?”
Atelier LumièreWeb build · Lyon
A boutique furniture maker moved off WordPress and finally started selling online.
Rebuilt their site on a headless stack, added a Stripe checkout with VAT-aware shipping, and let the founder publish new collections in under a minute.
A patient companion app that turned reminder fatigue into a 71% adherence rate.
Cross-platform Expo app with personalized check-ins, push notifications, and a quiet GPT-4o-mini coach that drafts the next nudge based on response history.
The Tier-1 support agent that finally stopped escalating customers on turn three.
Plan → act → verify loop with typed tool calls, sentiment-aware escalation, and a 14k-ticket replay harness so every change ships behind a regression score.
Three systems, three different fires. All of them shipped.
Case 01B2B SaaS · Support5 weeks · Fixed scope
Why most agent demos don't survive contact with a real inbox.
A support agent that aced demos kept escalating real tickets the moment threads got long, attachments showed up, or a customer got frustrated mid-conversation. Production resolution rate sat at 38%. The team was a month away from killing the project.
● Live in production~4,200 tickets / week
Where it was failing
The agent ran a single "read email → write reply" loop. The instant a thread had three turns, a PDF, or a passive-aggressive line, it would hallucinate a refund policy or punt with a generic apology — neither of which the support lead would accept.
What we did
Replaced the one-shot loop with an explicit plan → act → verify cycle, every tool call typed and retryable.
Added a sentiment + complexity classifier on the inbound message, escalating high-risk threads on turn one instead of turn three.
Built an offline replay harness from 14k historical tickets so every change ships behind a regression score, not a vibe.
How we cut a sales team's lead triage from 2 hours to 9 minutes.
Two SDRs spent the first two hours of every morning enriching, scoring, and routing the previous day's inbound leads. By the time the good ones got assigned, half had already booked a demo with a competitor.
● Live in production~600 leads / week
What was broken
Lead routing was a Notion checklist. Scoring was a spreadsheet last touched in 2023. The latency between "form submitted" and "owner assigned" averaged 17 hours — most of it overnight, the rest spent on copy-paste.
What we did
Enriched every new lead with Clearbit + Apollo at form-submit time, not the next morning.
Replaced the rules-based scorer with a small LLM tiebreaker that explains why each lead got its grade — so reps trusted it.
Routed assignments to owner Slack DMs with one-click accept or "send back", and logged the rejection reason as training signal.
Outcome
9 minTriage time (was 2 hours)
+34%Reply rate first-hour outbound
€0Added headcount SDRs moved to discovery
17h → 4mForm-submit to owner-assigned
StackClearbitApollon8nGPT-4o-miniSlackHubSpot
Case 03Internal tooling · Open sourceOngoing · Care plan
A boring evaluation harness that catches model drift in CI.
Every model bump — 3.5 to 4o, 4o to 4o-mini — silently broke two to five of our production prompts. We'd discover it from a customer ticket three days later. So we stopped trusting vibes and put the prompts on a CI suite, like any other piece of code.
● Open source240 evals / 12 systems
The pattern we kept hitting
Prompts lived in code, but their behavior was untested. A model upgrade was a leap of faith — even reverts had no easy way to confirm "back to normal." Eval files lived in someone's Notion. We wanted boring, not clever.
What we did
YAML fixtures sit next to the prompt they test — same folder, same PR, same review.
GitHub Actions runs the suite on every PR against both pinned and latest model, and reports the diff.
A Slack notifier posts a regression summary with concrete failing examples — no "13% drop", just the three prompts that flipped.
Tell us. We read every message — and the good ones make it into the next iteration of this site within the week.
Legal
Effective date: 10 June 2026 · Last updated: 10 June 2026
This Privacy Policy explains how [STACKV LEGAL ENTITY NAME — e.g. “Lakshya [Surname], trading as StackV” until a company is registered], of [REGISTERED ADDRESS, Pune, Maharashtra, India] ("StackV", "we", "us") handles personal data when you visit stackv.online, contact us, or do business with us. It is written to meet the EU/UK General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP/nDSG), India's Digital Personal Data Protection Act, 2023 (DPDP Act), and, where applicable, US state privacy laws.
1. Two roles we play
Controller. For our website, marketing, sales, invoicing, and business relationships, StackV decides how and why personal data is used — we are the data controller (GDPR) / data fiduciary (DPDP Act). This Policy covers that processing.
Processor. When we build or operate systems for clients and handle personal data inside their projects (e.g. their leads, their customers' tickets), we act only on the client's documented instructions as a data processor. That processing is governed by our Data Processing Agreement with the client, not this Policy. If your data appears in a client's system we operate, the client is the controller — please direct requests to them; we will assist them in responding.
2. Data we collect as controller
Contact and inquiry data: name, business email, company, role, and the content of messages you send via email or our feedback form.
Contract and billing data: names of signatories, billing addresses, tax IDs, payment records (payment-card data is handled by our payment provider, not stored by us).
Project communications: emails, call notes, shared documents, and credentials you provide for an engagement.
Technical data: if and when analytics are enabled on our site, IP address, device/browser type, pages viewed, and referrer — see our Cookie Policy. Our website currently operates without analytics or marketing cookies; if that changes, the Cookie Policy and consent banner will reflect it before any such cookies are set.
Public business data: information you have made public (e.g. on your company website or LinkedIn) that we use for legitimate B2B outreach and due diligence.
We do not knowingly collect data of children under 18 and our services are not directed at them. We do not collect special-category (sensitive) data and ask that you not send it to us.
3. Why we use it and our legal bases (GDPR Art. 6)
To respond to inquiries and provide the Services — performance of a contract or pre-contractual steps (Art. 6(1)(b)); DPDP: consent or legitimate uses for employment/contract purposes.
B2B marketing, portfolio, improving our services, securing our systems, and establishing or defending legal claims — our legitimate interests (Art. 6(1)(f)), balanced against your rights. You can object at any time.
Analytics or marketing cookies, and email marketing where consent is required — your consent (Art. 6(1)(a)), withdrawable at any time.
4. Sharing and recipients
We do not sell personal data. We share it only with: (a) service providers (sub-processors) who help us run the business — hosting, email, cloud databases, AI model providers, analytics if enabled, payment processors, and accounting — under contracts that restrict their use of the data; (b) professional advisers (lawyers, accountants) under confidentiality; (c) authorities where required by law; and (d) a successor entity if the StackV business is incorporated, restructured, or transferred, in which case this Policy continues to apply. A current list of our main providers is in Annex 2 of our DPA, available on request.
5. International transfers
StackV operates from India. India is not the subject of an EU or Swiss adequacy decision. Where we receive personal data from the EEA, UK, or Switzerland as a controller or processor, we protect transfers using the European Commission's Standard Contractual Clauses (and the Swiss FDPIC-recognised adaptations), plus supplementary technical measures such as encryption in transit and at rest. You may request a copy of the relevant safeguards at the contact below.
6. Retention
We keep personal data only as long as needed: inquiry data up to 24 months after last contact; contract and project records for the engagement plus the limitation period for legal claims; invoicing and tax records for the period required by Indian law (generally 8 years); client-project personal data per the client's instructions and our DPA (deleted or returned at the end of the engagement). We then delete or irreversibly anonymise it.
7. Your rights
EEA/UK/Swiss residents: access, rectification, erasure, restriction, portability, objection (including to direct marketing, which we will always honour), and withdrawal of consent without affecting prior processing. You may complain to your local supervisory authority or, in Switzerland, the FDPIC.
India (DPDP Act): access, correction and erasure, grievance redressal, and nomination. Grievance Officer: [NAME], reachable at stackv@stackv.online. You may escalate unresolved grievances to the Data Protection Board of India.
US state residents: where state law applies, rights to know, delete, correct, and opt out of “sale”/“sharing” (we do neither).
To exercise any right, email stackv@stackv.online. We respond within the legally required period (one month under GDPR, extendable as permitted) and may verify your identity first. Exercising rights is free of charge unless requests are manifestly unfounded or excessive.
8. Security
We apply technical and organisational measures appropriate to the risk: encryption in transit (TLS) and at rest, least-privilege access controls, MFA on production systems, secrets management, logging, vendor due diligence, and environment separation. Details are in our Security & Compliance Overview. No system is perfectly secure; if a breach is likely to result in risk to you, we will notify the competent authority and affected persons as required by law.
9. Automated decision-making
We do not make decisions about you producing legal or similarly significant effects based solely on automated processing. AI systems we build for clients operate under the client's control and responsibility.
10. EU/UK representative
If and to the extent Article 27 GDPR requires StackV to appoint a representative in the EU or UK, the representative's details will be listed here: [EU REPRESENTATIVE — appoint if you regularly offer services to or monitor individuals in the EU; to be confirmed with counsel].
11. Changes and contact
We may update this Policy; the latest version with its effective date is always at stackv.online. Material changes will be flagged on the site. Contact for all privacy matters: stackv@stackv.online, or by post to [REGISTERED ADDRESS, Pune, Maharashtra, India].
Effective date: 10 June 2026 · Last updated: 10 June 2026
These Terms of Service ("Terms") are a binding agreement between [STACKV LEGAL ENTITY NAME — e.g. “Lakshya [Surname], trading as StackV” until a company is registered], of [REGISTERED ADDRESS, Pune, Maharashtra, India] ("StackV", "we", "us"), and the business client engaging our services ("Client", "you"). By signing a Statement of Work, paying an invoice, or instructing us to begin work, you accept these Terms.
1. Who we serve — business clients only
StackV provides services exclusively to businesses, professionals, and organisations acting in the course of their trade. Our services are not offered to consumers. You represent that you are entering this agreement for business purposes, that you are at least 18 years old, and that you have authority to bind the organisation you represent. Consumer-protection regimes (including those applicable to consumers in the EU, Switzerland, or India) do not apply to this business-to-business relationship.
2. Services
StackV designs, builds, and operates software systems including AI agents, automation workflows, retrieval (RAG) systems, voice agents, web and app builds, lead-generation and CRM infrastructure, and related consulting (the “Services”). The specific scope, deliverables, timeline, fees, and acceptance criteria for each engagement are defined in a written Statement of Work, proposal, or written quote accepted by both parties (“SOW”). If these Terms and an SOW conflict, the SOW prevails for that engagement only.
Anything not expressly listed in an SOW is out of scope. Changes to scope must be agreed in writing (email is sufficient) and may carry additional fees and revised timelines. Estimates of timeline or outcome metrics (delivery days, reliability figures, conversion uplifts, case-study results) are illustrative targets based on past engagements, not promises, unless the SOW expressly states a guaranteed figure.
3. Fees, invoicing, and payment
Fees are stated in the SOW. Unless the SOW says otherwise: [50]% is payable in advance before work begins, and the balance on delivery or per the milestone schedule in the SOW.
Invoices are due within [7] days of issue. Amounts are exclusive of taxes; you are responsible for GST, VAT, withholding tax, or similar amounts required by your jurisdiction, grossed up so that StackV receives the full invoiced amount.
Late amounts accrue interest at 1.5% per month (or the maximum permitted by law, if lower), plus reasonable collection costs.
We may suspend work, withhold deliverables, and revoke licences while any undisputed invoice is overdue. Suspension does not extend deadlines or excuse payment.
Fees for work performed, and advance payments covering work already commenced, are non-refundable. If you cancel an engagement mid-way, you pay for all work performed up to cancellation plus a kill fee of [25]% of the remaining SOW value, compensating for reserved capacity.
4. Client responsibilities
Timely delivery depends on you. You agree to: (a) provide accurate, complete information, content, credentials, and access we reasonably request; (b) review and respond to deliverables, questions, and approvals within [5] business days; (c) designate a single authorised point of contact; and (d) maintain your own accounts with third-party platforms required for the project. Delays caused by you extend our deadlines day-for-day and may incur restart fees.
You warrant that all data, content, lists, and materials you provide or instruct us to use (“Client Materials”) are lawfully obtained, that you have all rights and consents needed for us to use them as instructed, and that they do not infringe any third-party right or law. We rely on this warranty and do not independently verify Client Materials.
5. Outbound marketing, lead generation, and compliance — Client's sole responsibility
This clause matters. Read it carefully.
Where the Services include lead-generation, data enrichment, scraping, cold outreach, email sequencing, or CRM campaigns, StackV provides tooling and infrastructure only. You are the data controller and the sender. You — not StackV — are solely responsible for ensuring that your campaigns, target lists, message content, sending practices, and data sources comply with all applicable laws, including without limitation: the EU GDPR and ePrivacy rules, Germany's UWG (Act Against Unfair Competition) restrictions on unsolicited B2B contact, the Swiss FADP/nDSG and UCA, India's DPDP Act 2023, the US CAN-SPAM Act and TCPA, and the terms of service of any platform from which data is sourced. You will obtain all required consents and legal bases before any outreach is sent. StackV may refuse instructions it reasonably believes are unlawful, without liability.
6. AI-specific terms and disclaimers
Probabilistic systems. AI and large-language-model outputs are probabilistic. They can be inaccurate, incomplete, biased, outdated, or fabricated (“hallucinations”) despite competent engineering. You acknowledge this is inherent to the technology, not a defect in the Services.
Human review required. You will not rely on AI output for any consequential decision (legal, medical, financial, employment, safety, credit, or similar) without qualified human review. Deliverables are tools that assist your staff, not replacements for professional judgment.
Prohibited uses. You will not use deliverables for unlawful purposes, to generate content violating third-party rights, in safety-critical systems, or in “high-risk” uses under the EU AI Act or similar regulation without a separate written agreement covering that use.
Third-party models. Deliverables typically depend on third-party model and platform providers (e.g. OpenAI, Anthropic, Google). Their pricing, availability, behaviour, deprecations, and terms are outside our control; changes to them are not a breach by StackV. You agree to comply with applicable third-party provider terms.
Regulatory roles. Where the EU AI Act applies, you (not StackV) are the “deployer” of the system in your business, responsible for deployment-side obligations, transparency to your end users, and human oversight.
7. Intellectual property
Your stack, on payment. Upon receipt of full payment for an engagement, StackV assigns to you all intellectual-property rights in the bespoke deliverables created specifically for you under that SOW (code, workflows, prompts, designs, documentation), and you receive the repositories and runbooks. Until full payment, all deliverables remain StackV's property and are licensed to you for evaluation only.
Our toolkit stays ours. StackV retains all rights in its pre-existing materials, generic components, templates, internal tools, know-how, and anything not created exclusively for you (“StackV IP”). Where StackV IP is embedded in a deliverable, you receive a perpetual, worldwide, non-exclusive, royalty-free licence to use it as part of that deliverable. We may reuse general skills, techniques, and non-confidential learnings in other projects.
Third-party and open-source components are governed by their own licences, which prevail for those components.
Portfolio. We may identify you as a client and describe the engagement in general, non-confidential terms (name, logo, summary, anonymised metrics) unless you opt out in writing.
8. Acceptance of deliverables
Deliverables are deemed accepted when you confirm acceptance in writing, deploy them to production, use them with real customer data, or fail to give written notice of material non-conformity with the SOW within [10] business days of delivery — whichever happens first. For valid rejections, our sole obligation is to re-perform the non-conforming work at no charge. Acceptance is final per deliverable.
9. Care plans and ongoing services
Retainers and care plans renew monthly and may be cancelled by either party with [30] days' written notice, effective at the end of the then-current billing period. Fees paid for the current period are non-refundable. SLAs, if any, are stated in the SOW; service credits stated there are your sole remedy for SLA misses.
10. Confidentiality
Each party will protect the other's non-public information disclosed in connection with the engagement with at least reasonable care, use it only for the engagement, and not disclose it except to personnel and contractors under equivalent obligations, or where required by law. This clause survives for 3 years after the engagement ends (indefinitely for trade secrets). It does not cover information that is public, independently developed, or rightfully received from a third party.
11. Data protection
Where StackV processes personal data on your behalf, the StackV Data Processing Agreement (DPA) applies and is incorporated into these Terms. Our Privacy Policy governs personal data we process as a controller (e.g. your business contact details). You are responsible for your own privacy compliance towards your customers and data subjects.
12. Warranties and disclaimer
StackV warrants that Services will be performed with reasonable skill and care by competent personnel. EXCEPT FOR THAT EXPRESS WARRANTY, AND TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICES AND DELIVERABLES ARE PROVIDED “AS IS” AND “AS AVAILABLE”. STACKV DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, UNINTERRUPTED OR ERROR-FREE OPERATION, AND ANY WARRANTY AS TO THE ACCURACY OR RELIABILITY OF AI-GENERATED OUTPUT OR ANY BUSINESS RESULT, REVENUE, RANKING, DELIVERABILITY, OR CONVERSION OUTCOME.
13. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW: (a) NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, GOODWILL, DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY; AND (b) STACKV'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO AN ENGAGEMENT, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, IS CAPPED AT THE FEES ACTUALLY PAID BY YOU TO STACKV UNDER THE RELEVANT SOW IN THE THREE (3) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY.
Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable law, including liability for fraud, wilful misconduct, or gross negligence where such limitation is not permitted. Claims must be brought within 12 months of the event giving rise to them, where such a limitation period is permitted by law.
14. Indemnity by Client
You will defend, indemnify, and hold harmless StackV and its personnel from and against all claims, damages, fines, penalties, and costs (including reasonable legal fees) arising out of: (a) Client Materials; (b) your use of deliverables, including outreach campaigns and AI outputs acted upon by you; (c) your breach of Sections 4, 5, or 6; or (d) your violation of law or third-party rights. StackV will promptly notify you of any such claim and allow you to control the defence, provided you do not settle in a way that admits fault by StackV without our consent.
15. Term, termination, and suspension
Either party may terminate an SOW for material breach not cured within [14] days of written notice.
StackV may terminate or suspend immediately if you fail to pay when due, become insolvent, or instruct us to do something we reasonably believe is unlawful.
On termination: you pay for all work performed to date; licences to unpaid deliverables end; Sections 5–7, 10–14, and 16–19 survive.
16. Force majeure and third-party dependencies
Neither party is liable for delay or failure caused by events beyond its reasonable control, including outages of third-party APIs, models, hosting, or platforms; internet or power failure; acts of government; epidemics; or labour disputes. Deadlines extend by the duration of the event. If a force-majeure event continues for more than 30 days, either party may terminate the affected SOW, with payment due for work performed.
17. Non-solicitation
During an engagement and for 12 months after, neither party will directly solicit for employment the other's personnel who worked on the engagement, without written consent. General job advertisements are not solicitation.
18. Governing law and dispute resolution
These Terms and all engagements are governed by the laws of India, without regard to conflict-of-laws rules. The UN Convention on Contracts for the International Sale of Goods does not apply.
Negotiation first. The parties will attempt in good faith to resolve any dispute through senior-level discussion for 30 days after written notice of the dispute.
Arbitration. Any dispute not so resolved shall be finally settled by arbitration under the (Indian) Arbitration and Conciliation Act, 1996, by a sole arbitrator appointed by mutual agreement (failing which, per the Act). Seat and venue: Pune, Maharashtra, India. Language: English. The award is final and binding and may be enforced in any court of competent jurisdiction, including under the New York Convention.
Courts at Pune, Maharashtra, India have exclusive jurisdiction for interim relief and any matter not arbitrable.
To the extent permitted by law, disputes are resolved on an individual basis only; neither party will participate in a class or representative action against the other.
19. General
Entire agreement. These Terms plus the applicable SOW and DPA are the entire agreement and supersede prior discussions. Client purchase-order terms do not apply even if referenced or signed.
Changes. We may update these Terms prospectively by posting the new version with a new effective date; the version in force when an SOW is signed governs that SOW.
Assignment. You may not assign without our written consent; we may assign to a successor entity (including a company we register to carry on the StackV business).
Notices. Written notices go to the email addresses used for the engagement; to StackV at stackv@stackv.online.
Severability and waiver. Invalid clauses are replaced with valid ones closest in effect; the rest stays in force. Failure to enforce is not a waiver.
Independent contractor. StackV is an independent contractor; nothing creates employment, agency, or partnership.
Questions about these Terms: stackv@stackv.online
Effective date: 10 June 2026 · Last updated: 10 June 2026
This Cookie Policy explains how stackv.online uses cookies and similar technologies (localStorage, pixels, SDKs), and how you control them. It supplements our Privacy Policy.
1. Current status: a near-cookieless site
As of the effective date, stackv.online sets no analytics, advertising, or tracking cookies. The only browser storage we use is strictly necessary: a single localStorage entry that remembers your cookie preferences once you make a choice. Fonts and assets are bundled into the page, so no third-party font or CDN requests occur.
If we ever introduce analytics or marketing technologies, we will (a) update this Policy first, (b) list each technology in the table below, and (c) request your consent via the settings panel before any non-essential cookie is set — as required by the ePrivacy rules, GDPR, and the Swiss FADP.
2. Categories we use or may use
Strictly necessary (always on): required for the site to function and to remember your consent choice. Legal basis: legitimate interest / exemption from consent. Currently: “stackv-consent” (localStorage, kept 12 months).
Analytics (off by default): would measure visits and page performance in aggregate (e.g. a privacy-friendly analytics tool or Google Analytics 4). Set only with your consent. Currently: none.
Marketing (off by default): would support advertising and remarketing (e.g. LinkedIn Insight, Meta Pixel). Set only with your consent. Currently: none.
3. Managing your preferences
Use the cookie settings panel (in the HTML version of this page, below; on the live site, the “Cookie settings” link in the footer) to grant or withdraw consent per category at any time. Withdrawing consent takes effect immediately for future processing. You can also clear or block cookies in your browser settings; blocking strictly necessary storage may affect the consent banner's memory of your choice.
4. Consent records
When you make a choice, we store the categories selected and a timestamp locally in your browser. We re-ask for consent every 12 months, when categories change, or when you clear your browser storage.
5. Contact
Questions about cookies: stackv@stackv.online. See the Privacy Policy for your rights and our details.
Cookie settings
Your choice is stored on this device only and re-requested every 12 months.
Strictly necessary
Required for the site to work and to remember this choice. Always on.
Analytics
Aggregate visit statistics. Currently no analytics tools are deployed; this preference applies if they ever are.
Marketing
Advertising and remarketing pixels. Currently none are deployed; this preference applies if they ever are.
Version: 1.0 · Effective date: 10 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement for services ("Agreement") between [STACKV LEGAL ENTITY NAME — e.g. “Lakshya [Surname], trading as StackV” until a company is registered], of [REGISTERED ADDRESS, Pune, Maharashtra, India] ("StackV", the "Processor"), and the client identified in the applicable Statement of Work (the "Client", the "Controller"). It applies whenever StackV processes personal data on the Client's behalf, and is drafted to satisfy Article 28(3) GDPR, the Swiss FADP/nDSG, and India's DPDP Act, 2023.
1. Definitions
“Personal data”, “processing”, “controller”, “processor”, “data subject”, “supervisory authority” and “personal data breach” have the meanings in the GDPR. “Data Protection Laws” means all laws applicable to the processing, including the GDPR, UK GDPR, Swiss FADP, and the DPDP Act. “SCCs” means the EU Commission's Standard Contractual Clauses (Decision 2021/914).
2. Roles, scope, and instructions
The Client is the controller; StackV is the processor. Annex 1 describes the subject matter, duration, nature and purpose of processing, data categories, and data subjects.
StackV processes personal data only on the Client's documented instructions (including this DPA, the SOW, and configuration choices the Client makes), unless required to do otherwise by law — in which case StackV will inform the Client before processing, unless the law prohibits this.
StackV will immediately inform the Client if, in its opinion, an instruction infringes Data Protection Laws. StackV may suspend execution of such an instruction without breach of the Agreement.
The Client warrants that it has a lawful basis, all required consents and notices, and the right to instruct the processing — including for any lead lists, scraped data, or outreach targets it supplies or directs. The Client is solely responsible for the lawfulness of its campaigns and instructions.
3. Confidentiality and personnel
StackV ensures that all persons authorised to process the personal data are bound by confidentiality obligations (contractual or statutory) and receive appropriate data-protection training, and that access is limited to what each person needs for the engagement.
4. Security (Art. 32 GDPR)
StackV implements and maintains the technical and organisational measures described in Annex 3 (TOMs), appropriate to the risk, including encryption, access control, pseudonymisation where feasible, resilience, and regular testing. StackV may update the TOMs provided security is not materially reduced.
5. Sub-processors
The Client gives general written authorisation for the sub-processors listed in Annex 2.
StackV will notify the Client at least 14 days before adding or replacing a sub-processor. The Client may object on reasonable data-protection grounds within that period; if no resolution is found, either party may terminate the affected services, with payment due for work performed.
StackV imposes data-protection obligations on each sub-processor that are materially equivalent to this DPA, and remains liable to the Client for the sub-processor's performance.
6. Data-subject rights and assistance
Taking into account the nature of the processing, StackV will assist the Client with appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligations to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). StackV will forward to the Client without undue delay any request it receives directly, and will not respond to it except on the Client's instruction. StackV will also assist the Client, as reasonably required, with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation). Assistance beyond a reasonable level is chargeable at StackV's standard rates.
7. Personal data breach
StackV will notify the Client without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Client's personal data, providing the information reasonably available (nature, categories and approximate numbers, likely consequences, measures taken or proposed). StackV will cooperate with the Client's investigation and remediation. Notification is not an admission of fault. The Client is responsible for notifying authorities and data subjects.
8. International transfers
StackV processes data primarily from India. For personal data subject to the GDPR transferred to StackV, the SCCs, Module Two (controller-to-processor), are incorporated into this DPA by reference, with the Client as data exporter and StackV as data importer; Annexes 1–3 of this DPA serve as the SCC Annexes; clause 17 option: law of Ireland; clause 18: courts of Ireland. For Swiss data, the SCCs apply as adapted per FDPIC guidance (references to the GDPR include the FADP; competent authority: FDPIC; Swiss law applies for Swiss-only transfers). Onward transfers to sub-processors occur only with equivalent safeguards.
9. Audits
StackV will make available to the Client all information reasonably necessary to demonstrate compliance with Article 28 GDPR, and will allow and contribute to audits, including inspections, conducted by the Client or its mandated auditor — no more than once per 12 months (except after a breach or where required by a supervisory authority), on at least 14 days' notice, during business hours, without disrupting operations, and subject to confidentiality. The Client may first be offered StackV's most recent security documentation or third-party attestations in satisfaction of an audit request. The Client bears its own audit costs and StackV's reasonable time beyond one business day per audit.
10. Return and deletion
At the end of the services, at the Client's choice, StackV will delete or return all personal data processed on the Client's behalf and delete existing copies within 30 days, unless law requires storage — in which case the data remains protected under this DPA and is isolated from further processing. Deletion from backups occurs in the ordinary backup-rotation cycle (maximum 90 days). On request, StackV will confirm deletion in writing.
11. Liability, term, and order of precedence
This DPA takes effect with the Agreement and lasts as long as StackV processes personal data for the Client. Liability under this DPA is subject to the limitations and exclusions in the Agreement, to the extent permitted by Data Protection Laws; nothing limits a data subject's rights against either party under law. If this DPA conflicts with the Agreement, this DPA prevails for data-protection matters; the SCCs prevail over both where they apply. This DPA is governed by the law governing the Agreement, except where the SCCs require otherwise.
Annex 1 — Description of processing
Subject matter: provision of AI, automation, lead-generation, CRM, web/app, and related services described in the SOW.
Duration: the term of the Agreement plus the deletion period in Section 10.
Nature and purpose: hosting, structuring, enrichment, scoring, routing, generation of communications drafts, support automation, analytics, and related operations as instructed.
Categories of data subjects: the Client's leads, prospects, customers, end users, suppliers, and personnel, as determined by the Client.
Categories of personal data: business contact details (name, role, company, email, phone), communication content (emails, tickets, call transcripts where instructed), CRM records, usage data. No special-category data unless expressly agreed in the SOW with additional safeguards.
Frequency: continuous for the duration of the services.
Annex 2 — Authorised sub-processors (as of the effective date)
Anthropic (US/EU) — LLM inference (Claude) — model processing of project data where used.
OpenAI (US/EU) — LLM inference (GPT) — model processing of project data where used.
Supabase (US/EU regions as configured) — managed PostgreSQL database and authentication.
n8n (self-hosted by StackV, or n8n GmbH cloud, Germany — per SOW) — workflow orchestration.
Google (Workspace / Cloud, US/EU) — email, documents, and cloud infrastructure.
Apify (Czech Republic/EU) — web data collection, where instructed.
Slack Technologies (US) — operational notifications and escalation, where used.
GitHub (US) — code repositories (no production personal data by design).
Sentry (US/EU) — error monitoring (personal data scrubbed where feasible).
[Adjust this list per engagement — strike out providers not used; add Clearbit/Apollo/HubSpot or others only where the SOW includes them.]
Annex 3 — Technical and organisational measures (TOMs)
Access control: unique accounts, MFA on production systems, role-based least privilege, prompt revocation on offboarding, no shared credentials; client credentials stored in a secrets manager, never in code.
Encryption: TLS 1.2+ in transit; AES-256 (or provider-equivalent) at rest for databases and backups.
Environment separation: development, staging, and production isolated; production personal data not used in development without anonymisation or written instruction.
Logging and monitoring: audit logs on production access and workflow runs; error and uptime monitoring with alerting; kill switches on automated pipelines.
Data minimisation: only fields needed for the instructed purpose are collected and retained; retention and deletion per Section 10.
Vendor management: sub-processors assessed for security posture and bound by data-protection terms; transfers safeguarded per Section 8.
Resilience and recovery: automated backups with defined rotation; documented restore procedure; incident-response runbook with 48-hour client notification commitment.
Organisational: confidentiality undertakings for all personnel and contractors; security and privacy training; documented SDLC with code review; principle of human oversight for consequential automated actions.
Signed by execution of the Agreement / SOW that references this DPA. Counter-signature copies available on request: stackv@stackv.online
Version 1.0 · 10 June 2026
Honesty statement. StackV has not yet undergone a SOC 1/2/3 audit and holds no SOC report or ISO 27001 certificate. This document describes our actual security controls and our roadmap toward an independent SOC 2 examination. We will never represent an unaudited posture as a certification — and we put that commitment in writing here. Clients requiring an audited report today should treat this document as a vendor-security questionnaire response.
1. Who we are and what we touch
StackV is a small, senior engineering studio (Pune, India / remote) building production AI agents, automation workflows, RAG systems, and growth infrastructure. In most engagements we access: client cloud accounts (scoped), CRM and database records, communication content routed through workflows, and API keys for third-party services. We design every engagement so the client owns the stack — repos, infrastructure, and data stay in or return to client control.
2. Security controls in place today
Identity and access: MFA enforced on all production and client-facing accounts; unique named accounts; role-based least privilege; access reviewed at project milestones and revoked at offboarding within 24 hours.
Secrets: client credentials and API keys live in a secrets manager / encrypted vault, never in source code, tickets, or chat; rotation on personnel change or suspected exposure.
Encryption: TLS 1.2+ for all data in transit; encryption at rest on managed databases and backups (provider-managed AES-256 class).
Environment separation: dev/staging/production isolation; production personal data is not pulled into development without anonymisation or explicit client instruction.
Engineering hygiene: version control with mandatory review for production changes; dependency pinning; CI checks including prompt-regression evals; kill switches and rate limits on autonomous agents from day one.
Monitoring: centralised error tracking, uptime monitoring, and audit logging on workflow executions and production access; alerting to on-call.
Backups and recovery: automated backups with defined rotation (max 90 days); restores tested on engagement handover.
Vendor security: sub-processors (see DPA Annex 2) selected for security posture; data-protection terms flowed down; transfers from the EEA/UK/Switzerland safeguarded by SCCs.
People: confidentiality undertakings signed by everyone touching client work; security/privacy onboarding; background of all contractors known to founders (small, named teams by design).
Incident response: documented runbook; client notification within 48 hours of a confirmed breach affecting their data; post-incident reviews with corrective actions.
3. AI-specific safeguards
Human-in-the-loop defaults for consequential actions (sending, deleting, paying, publishing) unless the client signs off on full autonomy for a bounded action set.
Offline evaluation harnesses and regression fixtures before model or prompt changes ship; behaviour diffs reported, not vibes.
Prompt-injection surface review for agents that read untrusted content (inboxes, web pages); tool calls typed, allow-listed, and logged.
Model-provider data controls: API tiers with no-training-on-inputs settings used where available; zero-retention options requested where offered and required by the client.
4. Compliance posture
GDPR / Swiss FADP: we sign our DPA (Art. 28) with every client whose projects involve personal data; SCCs incorporated for EEA/UK/Swiss transfers; sub-processor transparency and 14-day change notice.
India DPDP Act 2023: grievance-redressal contact published in our Privacy Policy; processor-style obligations mirrored in our DPA.
EU AI Act: we track obligations relevant to the systems we build and document the client's deployer responsibilities in each SOW.
We are happy to complete client security questionnaires (CAIQ, SIG-Lite, or bespoke) as part of procurement.
5. SOC 2 readiness roadmap
Target framework: SOC 2 (Trust Services Criteria: Security; Availability and Confidentiality as optional categories), via an independent licensed CPA firm.
Phase 1 — Foundation (now): controls above operating; policies formalised in writing (access, incident response, vendor management, SDLC, data retention).
Phase 2 — Gap assessment: engage a readiness platform/auditor for a gap analysis against TSC; remediate findings; deploy continuous-compliance monitoring.
Phase 3 — SOC 2 Type I: point-in-time examination of control design. Target: within [6–9] months of entity registration.
Phase 4 — SOC 2 Type II: 3–12 month observation window evidencing operating effectiveness. Target: within [12–18] months.
Until a report exists, the words “SOC 2” on our materials refer only to this roadmap, never to a held certification.
6. Shared-responsibility model
Security is shared. StackV is responsible for the controls above within systems we build and operate. The client remains responsible for: lawfulness of its data and campaigns, access governance on its own accounts, configuration choices it instructs, end-user transparency, and human review of AI output used in consequential decisions. The split for each engagement is documented in the SOW and DPA.
7. Contact and disclosure
Security questions, questionnaires, or vulnerability reports: stackv@stackv.online (please use “SECURITY” in the subject). We acknowledge vulnerability reports within 2 business days and do not pursue good-faith researchers. This document is reviewed at least annually and on material change.