Privacy Policy
Effective: 2026-04-19
1. Who We Are (Data Controller)
MindSparkStack is operated by Aiden Bolin, an individual sole proprietor doing business as “MindSparkStack” (collectively, “MindSparkStack,” “we,” “us,” “our”). We are the data controller for personal data collected through mindsparkstack.com and our hosted product surfaces, including vault.mindsparkstack.com.
Privacy contact: privacy@mindsparkstack.com. General contact: aiden@mindsparkstack.com.
2. Personal Data We Collect
We collect personal data in these categories:
- Identifiers: name, email address, account ID.
- Commercial info: products purchased, subscription tier, transaction history.
- Payment data: handled directly by Stripe; we receive token + last-4 + brand only, never the full PAN.
- Communications: support tickets, email replies, contact-form submissions, Discord interactions if you join our server.
- Usage / device data: IP address, user agent, referrer, pages visited, timestamps, approximate region (from IP).
- Cookies and similar tech: session cookies, consent state, analytics IDs. See Cookie Policy.
- Product telemetry: for StackPatch customers, server inventory (kernel + installed packages + Docker image tags + listening ports + modprobe state) and CVE-match findings. We never collect SSH keys, env vars, source code, database contents, full hostnames, IPs, MAC addresses, or third-party trackers.
We do not knowingly collect special-category / sensitive personal data (race, health, biometrics, precise geolocation, government IDs). Do not submit such data through our forms.
3. How We Use Your Data — Lawful Bases (GDPR / UK GDPR)
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Deliver purchased products (StackPatch agent + audit URL) | Identifiers, commercial | Contract (Art. 6(1)(b)) |
| Process payments + prevent fraud | Payment, identifiers | Contract + legitimate interest |
| Send transactional email (receipts, password reset) | Identifiers | Contract |
| Send marketing newsletter (Accuoa Daily) | Identifiers | Consent (Art. 6(1)(a)) |
| Operate the website + product | Usage, device | Legitimate interest (Art. 6(1)(f)) |
| Analytics + product improvement | Usage, cookies | Consent (where required) / legitimate interest |
| Comply with tax + legal obligations | Identifiers, commercial | Legal obligation (Art. 6(1)(c)) |
| Defend legal claims | All | Legitimate interest |
4. Sharing With Service Providers
We do not sell personal data and we do not share it for cross-context behavioral advertising in the CCPA/CPRA sense. We engage processors who handle data on our instructions only. The current list lives at /sub-processors.
We may also disclose data when required by law, valid legal process, or to protect our rights, users, or the public.
5. International Data Transfers
Our infrastructure runs primarily in the United States (Netlify, Supabase US-East, Hostinger EU). When personal data of EEA, UK, or Swiss residents is transferred outside that region, we rely on (i) the European Commission’s Standard Contractual Clauses (2021/914), (ii) the UK International Data Transfer Addendum, and (iii) the Swiss DPA equivalents, supplemented by additional safeguards described in our sub-processor agreements.
6. Retention
| Data | Retention |
|---|---|
| Account profile | Life of account + 30 days after deletion request |
| Order + tax records | 7 years (US tax retention) |
| Support email | 2 years from last interaction |
| Server access logs | 90 days |
| Newsletter subscription | Until unsubscribe + 12 months suppression list |
| StackPatch server inventory + findings | Latest inventory only; findings retained for resolution history; quickscan submissions cached 5 min then dropped |
| Backups | 35 days rolling, then permanent purge |
7. Your Rights
Subject to your jurisdiction, you may:
- Access the personal data we hold about you
- Request correction or completion of inaccurate data
- Request deletion (right to be forgotten)
- Restrict or object to processing, including profiling
- Receive your data in a portable machine-readable format
- Withdraw consent at any time without affecting prior lawful processing
- Lodge a complaint with your supervisory authority (e.g., Ireland DPC for EU; ICO for UK; California Attorney General / CPPA for CA residents)
To exercise any right, email privacy@mindsparkstack.com with the subject “Data Subject Request.” We respond within 30 days (extendable by 60 days for complex requests, with notice). Before fulfilling a request, we verify your identity against the account’s registered email.
8. California Residents (CCPA / CPRA)
In the prior 12 months we collected the following categories (Cal. Civ. Code § 1798.140):
- Identifiers (name, email, IP)
- Customer records (purchase history)
- Internet/network activity (page views, referrer)
- Inferences (segment, lifecycle stage)
We do not sell personal information and do not share it for cross-context behavioral advertising. We do not knowingly collect or process the personal information of consumers under 16. We do not collect “sensitive personal information” as defined by CPRA § 1798.140(ae).
California residents may exercise the right to know, right to delete, right to correct, and right to limit use of sensitive PI by emailing privacy@mindsparkstack.com. You may also designate an authorized agent under 11 CCR § 7063. We do not discriminate against residents who exercise these rights.
9. Other US State Rights (CO, CT, UT, VA, TX, OR, MT, IA, DE, NJ, TN, NH)
Residents of states with comprehensive privacy laws have similar rights of access, deletion, correction, portability, and opt-out of targeted advertising / sale / profiling-with-legal-effects. Use the same email address above; we treat all US state requests under the most-protective applicable framework.
10. EU / UK Representative
We currently rely on the GDPR Article 27(2)(a) exemption (occasional, low-risk processing of EU/UK personal data, no monitoring of behavior at scale). Should this change, we will appoint a representative and update this section. EEA/UK data subjects may contact us directly at privacy@mindsparkstack.com.
11. Automated Decision-Making + AI Disclosure
MindSparkStack uses AI agents (the “Accuoa fleet”) to operate the site, draft content, route support, and personalize email cadence. We do not make solely-automated decisions that produce legal or similarly significant effects on you (Art. 22 GDPR). All billing, refund, and access decisions are subject to human review on request. Where AI generates outputs you receive (newsletter, blog posts, support replies), they are marked or otherwise discoverable as AI-assisted.
12. Children
MindSparkStack is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.
13. Security
We use TLS 1.2+ in transit, AES-256 at rest, hashed-and-salted passwords (bcrypt cost 12+), Stripe-hosted card collection, principle-of-least-privilege access controls, and 35-day encrypted backups. See /security for our responsible-disclosure policy. No system is perfectly secure; if you discover a vulnerability, please report it.
14. Breach Notification
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and notify affected individuals without undue delay where the risk is high.
16. Changes
We will post material changes here with a new effective date, and email registered users where the change affects their data materially. Prior versions are kept on request.
17. Contact
Aiden Bolin d/b/a MindSparkStack · privacy@mindsparkstack.com · United States. Postal address available on request to verified data-subject requests.