Privacy Policy
Effective 2026-06-14
This Privacy Policy explains how J & M Sorce Holdings, LLC(“we”) collects, uses, and shares personal information when you use https://www.corpstacking.comand related services (the “Service”). We aim to collect the minimum data necessary to run the Service, and we never sell your personal information.
1. What we collect
Data you give us
- Account: email address, password (hashed by Supabase), display name, and optional avatar image.
- Contact for alerts: Telegram chat ID, Discord webhook URL, web push subscription endpoint, or webhook endpoint + signing secret (if you enable those channels). If we re-enable SMS in the future, this would also include the phone number you provide.
- AI Analyst conversations (Pro+):the messages you send to the AI Analyst chat and the tool-call results returned during that conversation. See “AI Analyst” below.
- Personal Stack entries: any holdings, purchases, and watch-only on-chain addresses you save to your personal portfolio.
- Referrals: if you participate in the referral program, we record which referral link or code was used to sign up, and credit completed referrals to the referrer.
- Billing: handled by Stripe. We store a Stripe customer ID mapped to your account; card numbers are never sent to our servers.
- Preferences: the companies you subscribe to, alert thresholds, channel configuration.
Data collected automatically
- Usage + device: IP address, user agent, referrer, pages visited, timestamps. Used for security, analytics, and fraud prevention.
- Cookies and similar:session cookies (required for login), preference cookies (e.g. “pwa_installed”), analytics (Vercel Analytics, PostHog), and — on the free tier only, and only if you accept optional cookies — advertising cookies that the ad networks we use (A-ADS, Coinzilla, Bitmedia) may set. See the Cookie Policy for detail.
- Push subscriptions: if you enable web push, we store the browser-issued subscription endpoint (no personal data embedded).
Data from third parties
If you sign in with a social login such as Google, Microsoft, LinkedIn, or GitHub (OAuth), we receive the email address associated with that account, a stable user ID, and any profile picture URL the provider returns. We do not receive your OAuth password.
2. How we use it
- Run the Service: deliver alerts across your configured channels, render dashboards, process payments, honor your preferences.
- Security: detect abuse, rate-limit, prevent fraud, enforce TCPA opt-outs, protect user accounts.
- Improve the Service: understand which features are used, diagnose errors, prioritize work.
- Communicate: send transactional messages (password resets, receipts, plan changes), and — only if you opt in — the weekly digest email.
We do not use your data to train AI models, and we do not sell your personal information to advertisers or data brokers.
2a. AI Analyst (Pro+)
If you use the AI Analyst chat, we send the contents of your messages and the tool-call results generated during that conversation to our LLM provider (Anthropic, operating Claude) so it can produce a response. Anthropic processes those messages as our subprocessor under their commercial terms and does not use the data to train their models. We retain conversation history in our database so you can return to prior chats; you can delete individual conversations from the AI Analyst UI, and deleting your account removes all conversation history. Do not paste anything into the chat that you would not want sent to a third-party LLM provider.
3. Who we share data with
We share only with the subprocessors necessary to run the Service. Each is contractually bound to use your data solely to provide their service to us.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Vercel | Hosting, edge network, build CI, performance analytics | United States |
| Stripe | Payment processing, subscription billing | United States |
| Resend | Transactional email + magic-link delivery | United States |
| Anthropic | AI analyst — Claude API for /chat tool calls | United States |
| PostHog | Product analytics — optional, user-consented | United States / EU |
| Telegram | Telegram bot — alert delivery only | Global |
| Slack | Alert delivery to user-configured Slack workspace webhooks | United States |
| Discord | Alert delivery to user-configured Discord channel webhooks | United States |
| mempool.space | BTC watch-only wallet balance lookups (Personal Stack) | Global CDN |
| blockstream.info | BTC watch-only wallet balance fallback (Personal Stack) | Global CDN |
| Etherscan | ETH watch-only wallet balance lookups (Personal Stack) | Global CDN |
| A-ADS | Free-tier advertising — privacy-focused cookieless ad units | Global CDN |
| Coinzilla | Free-tier advertising | Global CDN |
| Bitmedia | Free-tier advertising | Global CDN |
| CoinGecko | Cryptocurrency market data | Global CDN |
| CryptoCompare | Historical cryptocurrency price data | Global CDN |
| Bitbo | Public corporate-treasury reference data | Global CDN |
| alternative.me | Fear & Greed Index data | Global CDN |
| Cloudflare | Turnstile bot-protection challenge on sign-in / sign-up | Global edge |
| ScrapingBee | Renders public third-party pages for data ingestion (ETF flows, sponsor / IR pages) | United States |
| Polygon.io | US equity price data for market-cap figures | United States |
We may also disclose information to comply with legal process (subpoenas, court orders), to enforce our Terms, or to protect our rights, property, or safety.
4. Data retention
- Active accounts: we retain account data for as long as your account is open.
- Deleted accounts:when you delete your account, we erase your personal data immediately — there is no recovery window, and the deletion cannot be undone. Two things are kept: your email is added to a do-not-contact list so we don’t email you again (including the newsletter), and Stripe invoice and payment records are retained as required by tax law (see “Billing records” below). Anonymized analytics that contain no personal information may be retained indefinitely for aggregate reporting.
- Billing records: retained for 7 years to comply with tax and accounting rules.
- Alert history: retained while your account is active so you can audit delivery.
5. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal information, to object to or restrict certain processing, and to withdraw consent.
- Access / export: email [email protected] and we will provide a copy within 30 days.
- Correct: most fields can be updated in Settings. For anything else, email us.
- Delete:delete your account from Settings → Danger Zone, or email us. Deletion cascades through Supabase + removes billing data we’re not required to retain.
- Opt out of marketing: every marketing email has an unsubscribe link. Transactional messages (receipts, security notices) cannot be opted out of without closing your account.
- SMS STOP: SMS is not currently offered as a notification channel. If we re-enable it, you will be able to reply
STOPto any SMS to opt out, and we will honor STOP immediately.
GDPR (European Economic Area, UK, Switzerland)
We process your data on the legal bases of (a) performance of a contract (to provide the Service), (b) legitimate interests (security, improvement), and (c) consent (for optional analytics and marketing). You have the right to lodge a complaint with your local data protection authority.
CCPA / CPRA (California)
California residents have the right to know what personal information we collect, request deletion, correct inaccurate data, and opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. To exercise these rights, email [email protected].
6. Security
We use industry-standard security — TLS in transit, encryption at rest for Supabase, Stripe for PCI-compliant payment handling, hashed passwords, row-level security on every user-scoped database table. No system is 100% secure; if you believe your account is compromised, contact [email protected] immediately.
7. International transfers
Our primary infrastructure is hosted in the United States (Supabase, Vercel, Stripe). If you are located outside the US, your data will be transferred to and processed in the US. Where applicable, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
8. Children
The Service is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, email [email protected] and we will delete it.
9. Changes
We may update this Privacy Policy. The effective date at the top will reflect the latest revision. Material changes will be announced by email to registered users.
10. Contact
Privacy inquiries: [email protected]
Personal Stack data
If you use the Personal Stack feature, we store the holdings, purchases, and watch-only addresses you enter in our database (Supabase, encrypted at rest). Only you can read them — every table enforces this at the database level via row-level security bound to your authenticated user ID.
We never accept private keys or seed phrases. Watch-only addresses are public on the blockchain; we poll their balances via mempool.space and blockstream.info. We do not sell or share any of this data. Deleting your account (Settings → Account) removes all of it.