Privacy Policy
Last Updated: 2026-03-16 | Effective Date: 2026-03-16 | Version: 2.4
1. Introduction
StackItSmart ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services (collectively, the "Service").
Data Controller: StackItSmart is operated by Eli Gorelick. For the purposes of applicable data protection legislation (including the GDPR), the data controller is Eli Gorelick, contactable at help@stackitsmart.com.
IMPORTANT: StackItSmart is an educational and research platform. The Service provides information about performance enhancement compounds for research purposes only and is NOT a medical service. By using our Service, you acknowledge that:
- We collect sensitive health information you voluntarily provide
- Your data may be shared with third-party AI services to provide features
- You have rights to access, delete, and control your data under GDPR and CCPA
- We implement security measures but cannot guarantee absolute data security
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address: Used for authentication and account recovery
- Password: Stored securely using Firebase Authentication (bcrypt hashing)
- Account creation date: Timestamp of registration
- User ID: Unique identifier generated by Firebase
2.2 Profile Information (Optional)
You may voluntarily provide:
- Age: Used for age-gated content and safety checks
- Biological sex: Used for personalized recommendations
- Weight and height: Used for dosage calculations (educational only)
- Experience level: Beginner, intermediate, or advanced
- Fitness goals: Bulk, cut, recomp, cognitive, endurance
- Medical conditions: Used for safety warnings and contraindication checks
2.3 Health Data
⚠️ Sensitive Personal Information: The following data qualifies as sensitive health information under GDPR Article 9 and CCPA. We collect this data ONLY with your explicit consent.
- Lab results: Blood test values (testosterone, liver enzymes, lipids, etc.)
- Journal entries: Daily logs of mood, energy, sleep quality, side effects
- Cycle protocols: Algorithm-generated or manually created cycle plans
- Medical conditions: Self-reported health conditions and contraindications
2.4 Usage Data
We automatically collect:
- Session data: Login timestamps, IP addresses (for security)
- Device information: Browser type, operating system, screen resolution
- Analytics: Page views, feature usage, time spent (via Google Analytics)
- Rate limiting data: API usage counts to enforce daily limits
- Error logs: Technical errors for debugging (no personal data included)
2.5 AI Chat Data
When you use the AI chat assistant:
- Chat messages: Questions and responses with the AI assistant
- Cycle context (optional): When you ask the AI about a saved cycle, the cycle details are included as context for that conversation
- AI responses: Answers and research discussion generated by the AI assistant
Third-Party Sharing: Chat data is sent to third-party AI services for processing. See Section 4 for details.
3. How We Use Your Information
3.1 Core Service Delivery
- Authenticate your account and maintain login sessions
- Generate personalized cycle recommendations via our proprietary deterministic algorithm
- Provide AI chatbot assistance for research questions
- Store and display your journal entries, lab results, and saved cycles
- Calculate suppression scores and risk tiers based on your profile
- Enforce age gates (21+ requirement for certain features)
- Provide safety warnings based on medical conditions you enter
3.2 Safety and Security
- Prevent unauthorized access to your account
- Detect and prevent fraud, abuse, and security threats
- Enforce rate limits to prevent API abuse
- Monitor for prompt injection attacks and misuse of AI features
- Comply with legal obligations and law enforcement requests
3.3 Analytics and Improvement
- Analyze usage patterns to improve the Service (via Google Analytics and Vercel Analytics)
- Monitor performance metrics (page load times, error rates) via Vercel Speed Insights
- Generate aggregate statistics (e.g., "% of users who complete cycles")
3.4 Communication
- Send important service notifications (e.g., security alerts, policy changes)
- Provide customer support and respond to inquiries
- Send optional educational content (if you opt in)
Note: We do NOT sell your data to third parties for advertising purposes.
4. Third-Party Data Sharing
⚠️ CRITICAL DISCLOSURE: Your health data and chat messages are shared with third-party services to provide AI features. By using these features, you consent to this sharing.
4.1 Anthropic Claude (Chat Assistant)
Provider: We use Anthropic Claude (anthropic.com), a US-based AI service, to power the AI Chat Assistant. The Cycle Builder itself runs on our proprietary deterministic algorithm and does not send data to Anthropic. Data sent to Anthropic is processed on servers located in the United States. (Migrated from DeepSeek/PRC in April 2026; the consent you previously gave covered DeepSeek processing — continued use of the Chat Assistant after this migration constitutes consent to Anthropic processing under the same terms.)
Data Shared:
- Chat messages sent to the AI assistant
- Context about a saved cycle (only when you use cycle-specific chat)
- Medical conditions you enter into a chat (if any)
Purpose: Answer research questions and discuss your saved cycles.
Anthropic Data Policy: Data sent to Anthropic:
- Is NOT used to train Anthropic models by default (commercial API terms)
- Is retained for up to 30 days for abuse monitoring, then deleted
- Is subject to Anthropic's privacy policy and SOC 2 Type II security controls
International Transfer Notice: By opting in to AI features, you consent to your data being transferred to and processed in the United States. If you are located in the EU/EEA, UK, or Switzerland, this transfer relies on either the EU-US Data Privacy Framework (where Anthropic is a participating entity) or, where applicable, Standard Contractual Clauses (Module 2) under Schrems II. We are completing the Anthropic-specific Data Processing Addendum under our DPA program; until that is finalized and the EU-US transfer mechanism is formally documented, the AI Chat Assistant remains geofenced from EU/UK/EEA/Switzerland users via lib/legal/geofence. The Cycle Builder and every other feature work without this transfer.
Your Control: Do not use the AI features if you do not consent to third-party AI processing of your data. A separate privacy consent prompt is displayed before your first use of AI features.
4.2 Firebase / Google Cloud (Database & Authentication)
Data Shared: All data you provide (account, profile, health data, journal entries, lab results).
Purpose: Store and secure your data using Firestore (Google Cloud database).
Google Cloud Data Policy: Subject to Google Cloud Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice
Security: Data is encrypted at rest and in transit. Firestore security rules enforce user-level access control.
4.3 Google Analytics (Usage Tracking)
Data Shared: Anonymized usage data (page views, clicks, session duration).
Purpose: Understand how users interact with the Service.
Your Control: Use browser extensions (e.g., uBlock Origin) to block Google Analytics.
GDPR Compliant: Google Analytics only loads after you consent via our cookie banner. You can change your cookie preferences at any time.
4.4 Hosting Provider (Vercel)
Data Shared: Server logs (IP addresses, request URLs, timestamps).
Purpose: Host and deliver the website.
4.5 Vercel Analytics & Speed Insights
Provider: Vercel Inc. (vercel.com)
Data Shared: Page views, navigation paths, Web Vitals performance metrics (Largest Contentful Paint, First Input Delay, Cumulative Layout Shift), device type, browser, and geographic region (country-level). No personally identifiable information is collected.
Purpose: Monitor website performance, page load speeds, and usage patterns to improve the Service.
Privacy: Subject to Vercel's Privacy Policy. Vercel Analytics is privacy-focused and does not use cookies.
4.6 Legal Disclosures
We may disclose your data if required by law, court order, or government request, or to protect our rights, safety, or property.
5. Data Retention
- Account data: Retained until you delete your account
- Health data (labs, journals, cycles): Retained until you delete it or your account
- Chat history: Stored in Firestore until you delete your account. AI assistant conversations can be deleted individually from the dashboard.
- AI provider data (Anthropic, current): Retained by Anthropic for up to 30 days for abuse monitoring, then deleted from their systems. Anthropic is SOC 2 Type II audited and contractually does not use the data to train its models
- AI provider data (DeepSeek, pre-April-2026 history or rollback configurations only): Retained by DeepSeek for abuse monitoring per their separate retention policy, then deleted
- Analytics data: Aggregated data retained indefinitely; individual session data deleted after 26 months (Google Analytics default)
- Server logs: Retained for 90 days for security monitoring
Account Deletion: When you delete your account, we permanently delete all associated data within 30 days, except where retention is required by law.
6. Your Rights (GDPR & CCPA)
6.1 European Users (GDPR)
If you are in the European Economic Area (EEA), you have the following rights:
- Right to Access: Request a copy of all data we hold about you
- Right to Rectification: Correct inaccurate data in your profile
- Right to Erasure: Delete your account and all associated data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON) upon request
- Right to Object: Object to analytics tracking or AI processing
- Right to Withdraw Consent: Revoke consent for sensitive data processing
- Right to Lodge a Complaint: Contact your national data protection authority
6.2 California Users (CCPA)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of what data we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do NOT sell your data, so no opt-out is needed
- Right to Non-Discrimination: We will not discriminate if you exercise your rights
6.3 How to Exercise Your Rights
To exercise any of these rights, please:
- Email us at: help@stackitsmart.com
- Use the "Delete Account" button in your profile settings
- Request a copy of your data by emailing us — we will provide it in JSON format within the applicable response period
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
7. Data Security
We implement industry-standard security measures:
- Encryption in transit: All data transmitted over HTTPS (TLS 1.3)
- Encryption at rest: Firestore encrypts all data at rest by default
- Secure authentication: Passwords hashed with bcrypt via Firebase Authentication
- HTTP-only cookies: Session tokens stored in secure, HTTP-only cookies (not localStorage)
- Access control: Firestore security rules enforce user-level permissions
- Rate limiting: API limits prevent abuse and brute-force attacks
- Error logging: Client-side error tracking for debugging and security review
⚠️ No Guarantee: Despite our efforts, no system is 100% secure. Use strong passwords and enable two-factor authentication (if available).
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34)
- Provide details including the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach
- Document all breaches, including those that do not meet the notification threshold, along with the facts, effects, and remedial action taken
California Residents: In compliance with California Civil Code Section 1798.82, if we determine that a breach of security has occurred involving your unencrypted personal information, we will notify you as expeditiously as practicable and without unreasonable delay.
How We Notify You: Breach notifications will be sent via email to the address associated with your account. If we do not have a valid email address on file, we will post a conspicuous notice on our website.
9. Automated Decision-Making and Profiling
GDPR Article 22 Disclosure: Our Service uses automated processing that may produce outputs relevant to your health decisions. This section describes those processes and your rights.
Our Service uses the following forms of automated processing:
- Cycle Generation: When you use the Cycle Builder, your profile data (age, sex, weight, medical conditions, experience level, goals) is processed locally by our proprietary deterministic algorithm to produce cycle protocol suggestions. This data is not sent to any third-party AI service. The outputs are educational only and are not medical recommendations.
- Risk Scoring: Our math-based risk assessment tool calculates suppression scores, liver strain indicators, and cardiovascular risk tiers based on the compounds you select. These calculations are deterministic (rule-based, not AI) and the algorithms are documented in the platform.
- Age Gating: Users under 21 are automatically blocked from the Cycle Builder feature; users aged 21-24 receive additional safety warnings. This is based solely on self-reported age.
- Drug Interaction Checks: The platform automatically flags critical, warning, and informational interactions between selected compounds using a predefined interaction matrix.
Your Rights: Under GDPR Article 22, you have the right:
- Not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you
- To obtain human intervention in respect of any automated decision
- To express your point of view and contest any automated decision
- To receive an explanation of any automated decision made about you
Important Clarification: None of our automated outputs constitute binding decisions with legal or similarly significant effects. All AI-generated and algorithmically calculated outputs are presented as educational information only. You are never obligated to follow any output from our automated systems. If you believe an automated output is incorrect, contact us at help@stackitsmart.com.
10. Children's Privacy (COPPA Compliance)
IMPORTANT: This Service is NOT intended for children under 18 years of age. We do NOT knowingly collect personal information from children under 13 (or 16 in the EU/EEA) in compliance with the Children's Online Privacy Protection Act (COPPA) and GDPR.
Age Requirements:
- You must be at least 18 years old to create an account
- You must be at least 21 years old to use the Cycle Builder feature
- We rely on self-reported age during registration and do not knowingly process data from minors
If We Discover a Minor's Account: If we learn that we have collected personal information from a child under the applicable age limit, we will:
- Immediately delete the account and all associated data
- Block further access from that user
- Notify the parent/guardian if contact information is available
Parental Notice: If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us immediately at help@stackitsmart.com. We will promptly investigate and delete any unauthorized data.
11. International Data Transfers
Our servers and third-party providers are located in the United States. Firebase (Google Cloud) and Anthropic — the AI provider powering the AI Chat Assistant — both process data in the United States. If LLM_PROVIDER=deepseek is explicitly enabled as a rollback configuration, chat messages are additionally routed to DeepSeek in the People's Republic of China; the Cycle Builder is unaffected. By using the Service, you consent to the transfer of your data to these jurisdictions.
For EEA/UK/Swiss users: Transfers to the United States rely on the EU-US Data Privacy Framework (Module 2) with Standard Contractual Clauses (Module 2) as a contractual fallback should the framework lapse. AI Chat is currently geo-blocked in EEA/UK/Switzerland pending finalization of our Data Processing Agreement and Transfer Impact Assessment; the block will be lifted once that documentation is in place.
12. Changes to This Policy
We may update this Privacy Policy periodically. If we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email (if you have provided one)
- Display a prominent notice on the website
Continued use of the Service after changes constitutes acceptance of the new policy.
13. Contact Us
If you have questions, concerns, or requests about your privacy:
- Data Controller: Eli Gorelick
- Email: help@stackitsmart.com
- Response Time: Within 48 hours for general inquiries; within 30 days (GDPR) or 45 days (CCPA) for formal rights requests
Data Protection Officer (DPO): As an independently operated platform that does not carry out large-scale systematic monitoring or large-scale processing of special category data as a core activity, we are not required to appoint a DPO under GDPR Article 37. However, all privacy inquiries are handled directly by the data controller and given the highest priority. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
Supervisory Authorities:
- EU/EEA Residents: Contact your local Data Protection Authority. A list is available at edpb.europa.eu
- UK Residents: Information Commissioner's Office (ICO) at ico.org.uk
- California Residents: California Attorney General's Office at oag.ca.gov/privacy
14. Related Policies
This Privacy Policy should be read in conjunction with our other legal documents:
- Terms of Service - Terms and conditions of use
- Cookie Policy - How we use cookies and similar technologies
- Privacy & Data Protection - Additional privacy information and compliance details
Acknowledgment
By using StackItSmart, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your data as described herein.