Privacy Policy
Last Updated: March 1, 2026 | Effective Date: March 1, 2026
1. Introduction
StackItSmart ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services (collectively, the "Service").
IMPORTANT: StackItSmart is an educational and research platform. The Service provides information about performance enhancement compounds for research purposes only and is NOT a medical service. By using our Service, you acknowledge that:
- We collect sensitive health information you voluntarily provide
- Your data may be shared with third-party AI services to provide features
- You have rights to access, delete, and control your data under GDPR and CCPA
- We implement security measures but cannot guarantee absolute data security
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address: Used for authentication and account recovery
- Password: Stored securely using Firebase Authentication (bcrypt hashing)
- Account creation date: Timestamp of registration
- User ID: Unique identifier generated by Firebase
2.2 Profile Information (Optional)
You may voluntarily provide:
- Age: Used for age-gated content and safety checks
- Biological sex: Used for personalized recommendations
- Weight and height: Used for dosage calculations (educational only)
- Experience level: Beginner, intermediate, or advanced
- Fitness goals: Bulk, cut, recomp, cognitive, endurance
- Medical conditions: Used for safety warnings and contraindication checks
2.3 Health Data
⚠️ Sensitive Personal Information: The following data qualifies as sensitive health information under GDPR Article 9 and CCPA. We collect this data ONLY with your explicit consent.
- Lab results: Blood test values (testosterone, liver enzymes, lipids, etc.)
- Journal entries: Daily logs of mood, energy, sleep quality, side effects
- Cycle protocols: AI-generated or manually created cycle plans
- Medical conditions: Self-reported health conditions and contraindications
2.4 Usage Data
We automatically collect:
- Session data: Login timestamps, IP addresses (for security)
- Device information: Browser type, operating system, screen resolution
- Analytics: Page views, feature usage, time spent (via Google Analytics)
- Rate limiting data: API usage counts to enforce daily limits
- Error logs: Technical errors for debugging (no personal data included)
2.5 AI Chat Data
When you use the AI assistant or cycle builder:
- Chat messages: Questions and responses with the AI assistant
- Cycle generation inputs: Parameters sent to AI services for cycle creation
- AI responses: Generated cycle protocols and health recommendations
Third-Party Sharing: Chat data is sent to third-party AI services for processing. See Section 4 for details.
3. How We Use Your Information
3.1 Core Service Delivery
- Authenticate your account and maintain login sessions
- Generate personalized AI cycle recommendations
- Provide AI chatbot assistance for research questions
- Store and display your journal entries, lab results, and saved cycles
- Calculate suppression scores and risk tiers based on your profile
- Enforce age gates (21+ requirement for certain features)
- Provide safety warnings based on medical conditions you enter
3.2 Safety and Security
- Prevent unauthorized access to your account
- Detect and prevent fraud, abuse, and security threats
- Enforce rate limits to prevent API abuse
- Monitor for prompt injection attacks and misuse of AI features
- Comply with legal obligations and law enforcement requests
3.3 Analytics and Improvement
- Analyze usage patterns to improve the Service
- Monitor performance metrics (page load times, error rates)
- Conduct A/B testing for feature improvements
- Generate aggregate statistics (e.g., "% of users who complete cycles")
3.4 Communication
- Send important service notifications (e.g., security alerts, policy changes)
- Provide customer support and respond to inquiries
- Send optional educational content (if you opt in)
Note: We do NOT sell your data to third parties for advertising purposes.
4. Third-Party Data Sharing
⚠️ CRITICAL DISCLOSURE: Your health data and chat messages are shared with third-party services to provide AI features. By using these features, you consent to this sharing.
4.1 DeepSeek AI (Cycle Builder & Chat Assistant)
Provider: We use DeepSeek (deepseek.com), a China-based AI service, to power the AI Cycle Builder and Chat Assistant features. Data sent to DeepSeek is processed on servers located in China.
Data Shared:
- Your age, biological sex, weight, height, experience level, fitness goals
- Medical conditions you enter (if any)
- Chat messages sent to the AI assistant
- Cycle builder input parameters
Purpose: Generate personalized cycle recommendations and answer research questions using AI.
DeepSeek Data Policy: Data sent to DeepSeek:
- Is NOT used to train AI models
- Is retained for a limited time for abuse monitoring, then deleted
- Is subject to DeepSeek's privacy policy and security measures
International Transfer Notice: By using AI features, you consent to your data being transferred to and processed in China. If you are located in the EU/EEA, this transfer is based on your explicit consent under GDPR Article 49(1)(a).
Your Control: Do not use the AI features if you do not consent to third-party AI processing of your data. A separate privacy consent prompt is displayed before your first use of AI features.
4.2 Firebase / Google Cloud (Database & Authentication)
Data Shared: All data you provide (account, profile, health data, journal entries, lab results).
Purpose: Store and secure your data using Firestore (Google Cloud database).
Google Cloud Data Policy: Subject to Google Cloud Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice
Security: Data is encrypted at rest and in transit. Firestore security rules enforce user-level access control.
4.3 Google Analytics (Usage Tracking)
Data Shared: Anonymized usage data (page views, clicks, session duration).
Purpose: Understand how users interact with the Service.
Your Control: Use browser extensions (e.g., uBlock Origin) to block Google Analytics.
GDPR Compliant: Google Analytics only loads after you consent via our cookie banner. You can change your cookie preferences at any time.
4.4 Hosting Provider (Vercel)
Data Shared: Server logs (IP addresses, request URLs, timestamps).
Purpose: Host and deliver the website.
4.5 Legal Disclosures
We may disclose your data if required by law, court order, or government request, or to protect our rights, safety, or property.
5. Data Retention
- Account data: Retained until you delete your account
- Health data (labs, journals, cycles): Retained until you delete it or your account
- Chat history: Stored in Firestore indefinitely (you can delete individual chats)
- DeepSeek data: Retained by DeepSeek for abuse monitoring purposes, then deleted per their retention policy
- Analytics data: Aggregated data retained indefinitely; individual session data deleted after 26 months (Google Analytics default)
- Server logs: Retained for 90 days for security monitoring
Account Deletion: When you delete your account, we permanently delete all associated data within 30 days, except where retention is required by law.
6. Your Rights (GDPR & CCPA)
6.1 European Users (GDPR)
If you are in the European Economic Area (EEA), you have the following rights:
- Right to Access: Request a copy of all data we hold about you
- Right to Rectification: Correct inaccurate data in your profile
- Right to Erasure: Delete your account and all associated data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Export your data in JSON format
- Right to Object: Object to analytics tracking or AI processing
- Right to Withdraw Consent: Revoke consent for sensitive data processing
- Right to Lodge a Complaint: Contact your national data protection authority
6.2 California Users (CCPA)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of what data we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do NOT sell your data, so no opt-out is needed
- Right to Non-Discrimination: We will not discriminate if you exercise your rights
6.3 How to Exercise Your Rights
To exercise any of these rights, please:
- Email us at: eligorelick01@gmail.com
- Use the "Delete Account" button in your profile settings
- Use the "Export Data" button in your profile settings to download your data in JSON format
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
7. Data Security
We implement industry-standard security measures:
- Encryption in transit: All data transmitted over HTTPS (TLS 1.3)
- Encryption at rest: Firestore encrypts all data at rest by default
- Secure authentication: Passwords hashed with bcrypt via Firebase Authentication
- HTTP-only cookies: Session tokens stored in secure, HTTP-only cookies (not localStorage)
- Access control: Firestore security rules enforce user-level permissions
- Rate limiting: API limits prevent abuse and brute-force attacks
- Security monitoring: Automated alerts for suspicious activity
⚠️ No Guarantee: Despite our efforts, no system is 100% secure. Use strong passwords and enable two-factor authentication (if available).
8. Children's Privacy (COPPA Compliance)
IMPORTANT: This Service is NOT intended for children under 18 years of age. We do NOT knowingly collect personal information from children under 13 (or 16 in the EU/EEA) in compliance with the Children's Online Privacy Protection Act (COPPA) and GDPR.
Age Requirements:
- You must be at least 18 years old to create an account
- You must be at least 21 years old to use the AI Cycle Builder feature
- We rely on self-reported age during registration and do not knowingly process data from minors
If We Discover a Minor's Account: If we learn that we have collected personal information from a child under the applicable age limit, we will:
- Immediately delete the account and all associated data
- Block further access from that user
- Notify the parent/guardian if contact information is available
Parental Notice: If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us immediately at eligorelick01@gmail.com. We will promptly investigate and delete any unauthorized data.
9. International Data Transfers
Our servers and third-party providers (Firebase, DeepSeek) may be located in the United States, China, or other countries. By using the Service, you consent to the transfer of your data to these jurisdictions.
For EEA users: We rely on Standard Contractual Clauses (SCCs) and adequacy decisions for data transfers outside the EEA.
10. Changes to This Policy
We may update this Privacy Policy periodically. If we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email (if you have provided one)
- Display a prominent notice on the website
Continued use of the Service after changes constitutes acceptance of the new policy.
11. Contact Us
If you have questions, concerns, or requests about your privacy:
- Email: eligorelick01@gmail.com
For GDPR-related inquiries, you may also contact your local supervisory authority.
12. Related Policies
This Privacy Policy should be read in conjunction with our other legal documents:
- Terms of Service - Terms and conditions of use
- Cookie Policy - How we use cookies and similar technologies
- Privacy & Data Protection - Additional privacy information and compliance details
Acknowledgment
By using StackItSmart, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and sharing of your data as described herein.