Privacy Policy

1. About this policy

This Privacy Policy explains how Practical LLC, doing business as StoutStack (“StoutStack,” “we,” “us,” or “our”), collects, uses, and shares personal information. It applies to our website at stoutstack.com and to the StoutStack platform — the multi-site website builder and content management service (together, the “Service”).

By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Controller and processor — our two roles

StoutStack handles personal information in two different roles, and it matters which one applies to you.

For information about our own customers — the people and businesses who hold StoutStack accounts — we act as a data controller, and this policy governs how we use that information.

For the personal information that a customer’s website visitors submit through a site built on StoutStack (for example, a contact-form entry or a newsletter signup), the customer is the controller and StoutStack acts only as a data processor on that customer’s behalf. If you are a visitor to a website built on StoutStack, please direct privacy requests to that website’s owner; we will refer such requests to them.

3. Information we collect

We collect the following categories of personal information.

Account and billing information

Your name, email address, a hashed (never plain-text) password, your plan, and billing details. Payments are processed by Stripe; we receive limited billing information such as the last four digits of your card and your billing status, and we never see or store full card numbers.

Content you create

The pages, posts, images, media, forms, settings, and other content you create or upload to build sites on the Service.

Visitor data on customer sites

When a site built on StoutStack collects information from its visitors — form submissions, newsletter subscriptions, and similar — that information is stored on our systems on the customer’s behalf. We process it as a processor, not for our own purposes.

Usage, device, and log data

Server and application logs, IP address, browser and device information, the pages and features you use, and an audit log of significant account actions. We use this to operate, secure, and improve the Service.

Cookies

See the Cookies section below.

4. How we use information

We use personal information to:

• Provide, maintain, and operate the Service and your account;
• Process payments and manage subscriptions, trials, and renewals;
• Send transactional and service messages, such as receipts, security alerts, and account notices;
• Provide customer support and respond to your requests;
• Monitor, secure, and improve the Service, including preventing fraud, abuse, and security incidents;
• Comply with legal obligations and enforce our Terms of Service.

Where the GDPR applies, we rely on these legal bases: performance of our contract with you (operating the Service); our legitimate interests (securing and improving the Service); your consent (where we ask for it, such as for certain cookies); and compliance with our legal obligations.

5. Cookies and similar technologies

On stoutstack.com and in the StoutStack admin, we use a small number of strictly necessary cookies — primarily a session cookie that keeps you signed in. These are required for the Service to function.

Websites built on StoutStack may use additional cookies depending on the choices of the site’s owner. If a customer enables Google Analytics on their site, analytics cookies are set for that site’s visitors, who can decline non-essential cookies through the site’s cookie banner. We do not use advertising cookies and we do not track individuals across unrelated websites.

6. How we share information — our subprocessors

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share it only as described here.

We use a small set of trusted service providers (“subprocessors”) to run the Service. Each is bound by a data processing agreement and may process personal information only on our instructions:

• Vercel — application hosting, content delivery, and edge infrastructure;
• MongoDB Atlas — primary database for account, content, and configuration data;
• Cloudflare — image and file storage (Cloudflare R2) and CDN delivery;
• Upstash — Redis-backed rate limiting and short-lived caches;
• Stripe — payment processing;
• Resend — delivery of transactional and service email;
• Google — web-font delivery, and website analytics where a customer chooses to enable it.

We may also disclose information if required by law, to respond to lawful requests or legal process, to protect the rights, safety, and property of StoutStack, our customers, or others, or in connection with a merger, acquisition, or sale of assets — in which case we will notify affected customers.

7. International data transfers

StoutStack is based in the United States, and we and our subprocessors generally store and process personal information in the United States. If you access the Service from the European Economic Area, the United Kingdom, or elsewhere, your information will be transferred to and processed in the United States.

Where required, we rely on appropriate safeguards for these transfers, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.

8. Data retention

We keep account and content data for as long as your account is active. If you cancel your subscription, your site goes offline at the end of your current billing period, but we retain your account data so you can resubscribe and reactivate at any time. To permanently delete your account and all associated data, request deletion from your billing settings or by emailing privacy@stoutstack.com — we will purge your data within 7 days of that request. Routine backups are retained for a limited period and then cycled out.

We may retain certain information for longer where required to comply with legal obligations, resolve disputes, or enforce our agreements.

9. How we protect information

We protect personal information with technical and organizational measures, including encryption in transit (HTTPS/TLS with HSTS), hashed account passwords, scoped access controls, tenant isolation, and rate limiting.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.

10. Your privacy rights

Depending on where you live, you have rights over your personal information. We honor these rights for all customers, regardless of location.

If you are in the EEA or UK (GDPR)

You have the right to access, correct, delete, restrict, or object to our processing of your personal information; the right to data portability; and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority.

If you are a California resident (CCPA/CPRA)

You have the right to know what personal information we collect and how we use and disclose it; to access and delete it; to correct inaccurate information; and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law. We will not discriminate against you for exercising any of these rights.

How to exercise your rights

Email us at privacy@stoutstack.com and we will respond within the time required by law (generally 30 days under the GDPR and 45 days under the CCPA). We may need to verify your identity before acting on a request. If you are a visitor to a customer’s website, please contact that website’s owner, who is the controller of your information.

11. Children’s privacy

The Service is intended for businesses and is not directed to children. You must be at least 18 years old to hold a StoutStack account, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the Service. Your continued use of the Service after an update means you accept the revised policy.

13. Contact us

Questions about this Privacy Policy, or the personal information we hold about you? Email our team at privacy@stoutstack.com and we will be glad to help.