Privacy Policy.

We collect three categories of information, and only what we need:

• Information you give us. Your name, email address, and (optionally) profile photo and bio when you create an account via Google through Auth.js. Founder story submissions also include the company details, links, and editorial content you choose to share.
• Payment information. If you submit a paid Founder Story, payments are processed by Stripe. We never see or store your full card number — Stripe returns a token and a receipt; we keep only the receipt metadata (amount, tier, last 4 digits, status).
• Usage information. Pages viewed, articles read, referring source, approximate location (city/country level), and device class. This is aggregated through Vercel Analytics and Google Analytics 4 with IP anonymisation.

We use what we collect to:

• Run your account, comments, follows, and reading history.
• Send the editorial newsletter and product updates you opted into (with one-click unsubscribe in every email).
• Process Founder Story submissions, payments, and editor-author communication.
• Understand which stories resonate so we can publish better ones — never to sell ad targeting profiles.
• Detect spam, abuse, and security threats.
• Comply with legal obligations.

We use a small number of cookies and similar storage. The first time you visit the site, our cookie banner asks for your choice and stores it locally. You can change your choice any time by clearing this site's storage from your browser settings, which will make the banner reappear.

• Essential cookies — session, authentication, and CSRF tokens issued by Auth.js, plus the cookie-consent record itself. These are required for sign-in and cannot be disabled.
• Preference storage — your light/dark theme, dismissed banners, reader font-size, and reading progress. Stored in localStorage on your device only.
• Analytics — Vercel Analytics (privacy-respecting, cookieless) and Google Analytics 4 with anonymised IPs andSameSite=None;Secure cookies. Google Analytics is gated behind Google Consent Mode v2: until you accept analytics cookies, GA4 receives no identifiable data and does not set ad identifiers.
• Advertising (Google AdSense) — when (and only when) you accept advertising cookies, we may serve ads via Google AdSense. Google and its partners may use cookies to serve ads based on your prior visits to this site and other sites on the internet. See Google's Advertising policies for details. You can opt out of personalised advertising by visiting Google's Ads Settings or, for EU/UK users, via YourOnlineChoices.

We rely on a short list of trusted vendors. Each of them processes data only for the specific purpose listed and under their own published privacy policies:

• Stripe — payments for Founder Story submissions (PCI-DSS Level 1).
• Google (Auth.js OAuth) — sign-in. We receive email, name, and profile photo; nothing else.
• Neon — managed Postgres hosting for accounts, comments, and editorial data (encrypted at rest and in transit).
• Vercel — hosting, edge runtime, and analytics.
• Email provider — newsletter delivery and transactional emails.
• Google AdSense — display advertising on article pages (only after you consent via the cookie banner). Google may use information about your visits to this and other sites to provide relevant advertisements. See Google's Privacy & Terms for their practices.
• Google Analytics 4 — aggregated readership measurement. Data is anonymised and used in aggregate only.

The Stack Stories is not directed to children under the age of 13 (or under 16 in the EU/UK, where required by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@thestackstories.com and we will delete it promptly.

Wherever you live, you have the right to access, correct, export, and delete the personal data we hold about you. If you are in the EU, UK, or California, you additionally have the right to:

• Object to or restrict processing.
• Withdraw consent at any time.
• Lodge a complaint with your local data protection authority.
• Opt out of any sale or sharing of personal information (we do neither, but the right is stated for clarity).

Email privacy@thestackstories.com and we will action your request within 30 days. Account deletion is also available self-serve from your profile page.

We keep account data for as long as your account is active. If you delete your account, profile data is removed within 30 days; comments you wrote may be anonymised (attribution removed) rather than deleted to preserve the integrity of public threads. Stripe receipt metadata is retained for seven years to meet tax and accounting obligations. Aggregated analytics are kept for 26 months and cannot be tied back to you.

The Stack Stories is written for an adult audience. We do not knowingly collect personal information from anyone under 16. If you believe a child has created an account, contact us at privacy@thestackstories.com and we will delete it.

All traffic is served over TLS 1.3. Sessions use HttpOnly, Secure cookies. Database connections are encrypted in transit and at rest. We follow least-privilege access for staff and run continuous dependency-vulnerability scanning. No system is perfect, so if you spot something, please write to security@thestackstories.com.

We may update this policy as the platform evolves. Material changes will be announced in the newsletter and on this page at least 14 days before they take effect. The “Last updated” date at the top is the source of truth.

Privacy questions: privacy@thestackstories.com
General editorial: hello@thestackstories.com

See also our Terms of Service.