Legal

Privacy Notice

Effective June 13, 2026

This Privacy Notice explains how Stalk Yourself LLC, doing business as STALK YOURSELF (the "Service", "we", "us"), processes your personal data. For a friendly summary in plain English, see our Privacy pledge; this page is the legally binding version.

1. Data controller

Stalk Yourself LLC is the data controller for personal data processed through the Service. Contact: privacy@stalkyourself.app.

2. Categories of personal data we collect

  • Account data: email address, hashed password (or OAuth identifier), account creation date.
  • Scan input: your name, city, social handles, optional phone number, optional photo you upload.
  • Scan output: findings retrieved from public sources about you, stored as report records linked to your account.
  • Usage and telemetry: IP address, browser/device user-agent, timestamps, error logs.
  • Support communications: messages you send us.
  • Billing data: handled directly by Stripe (see §5). We store only a Stripe customer ID and subscription status.

3. Purposes and legal bases (GDPR / UK GDPR)

  • Provide the Service (run scans, store your reports, authenticate) — performance of a contract.
  • Security, fraud prevention, abuse detectionlegitimate interests.
  • Product improvement and aggregate analytics (no profiling for advertising) — legitimate interests.
  • Customer supportperformance of a contract / legitimate interests.
  • Legal and tax compliancelegal obligation.
  • Marketing emails (if you opt in) — consent, withdrawable at any time.
For California residents (CCPA/CPRA), we do not "sell" or "share" personal information for cross-context behavioral advertising.

4. Where the data comes from

Most data comes directly from you. Scan findings are retrieved by us from publicly available third-party sources (data-broker indexes, breach databases such as Have I Been Pwned-style services, public social profiles, search engines, web archives) using the identifiers you provide.

5. Who we share data with

  • Stripe Payments Europe, Ltd. and Stripe, Inc. ("Stripe") — our payment processor. Stripe processes all payments, subscriptions, taxes, and invoicing on our behalf and is an independent data controller for payment data. See Stripe's Privacy Policy.
  • Hosting and infrastructure: Supabase (database, auth, storage) and Cloudflare (edge compute, CDN), acting as processors.
  • AI inference: the Lovable AI Gateway routes prompts to model providers (e.g. Google Gemini) to generate dossier summaries. Prompts contain only the scan inputs you provided.
  • Public-source providers we query on your behalf (data-broker indexes, breach lookups, search APIs).
  • Professional advisers (legal, accounting) where needed.
  • Authorities where required by law, court order, or to protect rights and safety.
We do not sell your personal data and we do not share it with advertisers.

6. International transfers

Data may be processed outside your country, including in the United States and the European Economic Area. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.

7. Retention

  • Account and reports: retained while your account is active, and deleted within 30 days of account deletion. You can wipe everything immediately from Settings.
  • Uploaded photos: stored in a private bucket and deleted with your account or sooner on request.
  • Billing records: Stripe retains transaction records as required by tax law (typically 7–10 years).
  • Support emails and logs: retained up to 24 months.
  • Backups are rotated and overwritten within 30 days; deleted data does not persist beyond that window.

8. Your rights

Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, and similar), you have the right to: access your data, rectify inaccuracies, request erasure, restrict or object to processing, request portability, and withdraw consent at any time. California residents have the additional rights to know, delete, correct, and limit use of sensitive personal information, and to be free from retaliation for exercising these rights. To exercise any right, email privacy@stalkyourself.app. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g. the UK ICO, your EU member-state DPA, or a state attorney general).

9. Security

We implement appropriate technical and organizational measures including TLS in transit, encryption at rest for stored databases and storage buckets, role-based access control, row-level security on every user-facing table, signed-URL access for photos, and audit logging. No system is perfectly secure; please use a strong, unique password.

10. Cookies and tracking

We use only strictly necessary cookies (authentication session, CSRF). We do not use advertising cookies or cross-site trackers. If we ever add analytics, we will request consent first where required.

11. Children

The Service is not directed to children under 16 and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.

12. Changes to this Notice

We may update this Notice from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect.

13. Contact and complaints

Privacy questions: privacy@stalkyourself.app. Postal: available on request. You may also contact your local data protection authority.