Privacy Policy

Last updated: April 24, 2026

TechStack ("we," "us," "our") operates Retention IQ, Revenue IQ, and Refi IQ. This policy explains what we collect, why, how we store and protect it, and the choices you have.

1. Information we collect

We collect three categories of information:

  • Account information — name, email, password hash, practice/company name, role.
  • Client data you upload — CSV imports of your past-client book. For mortgage professionals this includes borrower name, contact info, loan amount, rate, and origination date. For service businesses this includes patient/client contact info and visit history. You own this data; we process it on your behalf under a data-processing agreement (and, where applicable, a Business Associate Agreement).
  • Usage data — which features you use, when, how often. We use this to improve the product and surface relevant recommendations. We never sell or share usage data.

2. How we use information

  • Operate, maintain, and improve the services.
  • Generate outreach drafts, attribution records, and analytics visible to you.
  • Send account, billing, and service-critical email.
  • Comply with legal obligations.

We do not sell personal data. We do not share your client data with third parties except as required by law or as part of a sub-processor relationship disclosed below.

3. Where your data lives

  • Database: Supabase (PostgreSQL), US-East-1, SOC 2 Type II.
  • Application hosting: Hostinger VPS, US region.
  • Encryption at rest: AES-256.
  • Encryption in transit: TLS 1.3.

4. Sub-processors

We use the following sub-processors. All are bound by data-processing agreements.

  • Supabase — database, authentication.
  • Stripe — payment processing (when billing is active).
  • Hostinger — application hosting.
  • Sentry (planned) — error tracking.

5. HIPAA (medical-practice customers)

For dental practices, med spas, and other healthcare customers, we sign a Business Associate Agreement ("BAA") before production use. Under the BAA we treat uploaded client data as Protected Health Information and commit to HIPAA-compliant handling: access controls, encryption, audit logging, breach notification, 6-year retention. Request the BAA at hello@techstackllc.info.

6. Mortgage compliance (Refi IQ customers)

Refi IQ never sends outreach on your behalf. Drafts are generated for your review, and you decide whether and how to deliver them. Every draft carries compliance notes aligned with RESPA, TILA, TCPA, ECOA, and Fair Housing. You remain the licensed party responsible for final communications.

7. Your rights

  • Access / export — download your account and client data at any time.
  • Correction — update inaccurate information via the app or by contacting us.
  • Deletion — request deletion. We retain backups for 30 days after deletion, then purge.
  • Portability — export client data as CSV.

California residents: you have additional rights under the CCPA. EU/UK residents: you have rights under GDPR, including the right to lodge a complaint with a supervisory authority.

8. Retention

Active account data is retained while your account is active. Client data uploaded under a BAA is retained for 6 years after you delete or deactivate. Non-BAA data is retained for 2 years after deactivation. Payment records are retained for 7 years for tax compliance.

9. Security

We use Row-Level Security in Postgres, PKCE auth, TLS 1.3, and AES-256. We log access to sensitive actions. We will notify affected customers within 72 hours of discovering any breach of protected data.

10. Children

Our services are not directed to children under 16. We do not knowingly collect information from children.

11. Changes

When this policy changes materially we will notify you by email and update the "Last updated" date at the top of this page.

12. Contact

TechStack LLC
Austin, TX
hello@techstackllc.info

Legal review note: This policy is a working draft. Before paid customers onboard, have it reviewed by privacy counsel licensed in your jurisdictions and update the HIPAA, CCPA, and GDPR sections to match your actual practices and signed customer agreements.