Privacy Policy
Last updated July 6, 2026
Stack Space Solutions (“Stack Space”, “we”, “us”) is a US-based company founded by Noah Gregory. We make an all-in-one business platform — CRM, AI receptionist and AI employees, invoicing, messaging, and marketing tools — available at stackspacesolutions.com and app.stackspacesolutions.com (the “Service”). This policy explains what data the Service handles, why, and what your choices are. We have tried to write it the way the product is actually built, not the way policies are usually written.
The short version: we collect what the Service needs to work, we never sell personal data, we run no third-party advertising trackers, and you can ask us to delete your data at any time by emailing founder@stackspacesolutions.com.
1. Two layers of data — who is responsible for what
The Service holds two very different kinds of personal data, and the responsibilities differ:
- Your data as our customer. Your account details, billing information, business profile, and how you use the Service. For this data, Stack Space is the data controller: we decide how it is collected and used, as described in this policy. The same applies to visitors of our marketing site.
- Your customers’ data (end-customer data). The contacts, callers, invoice recipients, and messages you put into — or route through — the Service. For this data, you are the controller and Stack Space is a processor acting on your instructions. We store it, run it through the features you enable, and otherwise leave it alone.
Because you control the end-customer layer, you are responsible for your own legal bases toward your contacts: obtaining any consent required to record or transcribe calls in your jurisdiction, having lawful consent to text or email people, and honoring their privacy rights. The platform gives you tools for this (opt-out handling, suppression lists, unsubscribe links), but the legal obligation is yours.
2. What we collect
Account and organization data
- Name, email address, and a hashed password (we never store the plain password).
- Organization details: business name, logo, brand color, industry, timezone, business hours, support email, and how you heard about us.
- Team members and invitations (invitee email addresses), roles, and login timestamps.
Business profile and “Business Brain” content
Free-text descriptions of your business — services, pricing, audience, tone, FAQs, service area — plus knowledge items the AI learns from your website, pasted material, or (if you leave that setting on) summaries of its own calls. This content is used to personalize the AI that works for you.
CRM and end-customer data you store
Clients, contacts, leads, and deals: names, email addresses, phone numbers, postal addresses, job titles, social profile links, notes, custom fields, appointments (invitee name, email, phone), estimates including typed signatures, invoices, review requests and review text, and do-not-text/opt-out lists. Lead-discovery features also store publicly available business information (business name, contact details, website, social links).
Calls — recordings, transcripts, and AI analysis
Voice calls handled by the AI receptionist are recorded and transcribed. For each call we store the caller and receiving numbers, duration, a link to the recording, the full transcript, and AI-generated outputs: a summary, a sentiment label, and a structured recap (for example, next steps and a drafted follow-up email). See section 7 for the consent notice.
Messages sent and received through the Service
Emails and text messages you send and receive through your connected accounts pass through, and are stored by, the Service: inbound email bodies, subjects, and sender details; a log of every outbound email and SMS (recipient, subject, and a short preview); and campaign or template content you write. Outbound email is sent through your own connected mailbox, not a shared Stack Space mail server.
Engagement tracking on messages you send
- Email opens: tracked emails include a small tracking pixel. When the recipient opens the email, we record the fact and time of the first open on the message log. We do not store the recipient’s IP address or browser details from the pixel.
- Link clicks: links in outbound texts and campaign emails are wrapped in short tracking links. Each click increments a counter and records the time of the click; we do not record the clicker’s IP address or user agent.
Forms and funnels
When someone submits one of your forms or funnel pages, we store the submitted answers along with the submitter’s IP address and (for forms) browser user agent, which helps you and us tell real submissions from spam.
Usage metering and referral attribution
- Usage records for the metered features on your plan (AI actions, texts, voice minutes, lead lookups, social posts), so the in-app meter and billing are accurate.
- If you arrive through an affiliate link (
/r/<code>), a referral attribution cookie is set for 30 days so the referring affiliate is credited when you sign up. See section 8 on cookies.
Push notifications
If you enable browser push notifications, we store the push subscription for your browser (endpoint and delivery keys) so we can send you notifications. Notification content is sent transiently and not stored on the subscription.
Payment data
Payments are handled by Stripe. Card numbers never touch our servers and we never store them — we keep only Stripe references (such as customer and session identifiers) and invoice records.
3. How we use data
- To provide the Service: run your CRM, answer your calls, send your messages, generate your documents.
- To personalize the AI that works for your business (using your business profile and content).
- To meter usage, bill correctly, and show you your live usage meter.
- To secure the Service, prevent abuse, and enforce opt-outs and suppression lists.
- To support you and to send you service communications about your account.
- To comply with legal obligations.
We do not sell personal data — yours or your customers’ — ever. We do not use end-customer data to advertise to anyone, and we run no third-party ad or analytics trackers on the Service.
4. AI processing
The Service is built around AI. Text-based AI features (the assistant, drafting, summaries, sentiment, auto-replies) are processed by Anthropic. Image generation is processed by OpenAI. Voice calls are carried and transcribed by Vapi, which provides telephony, speech-to-text, and text-to-speech. These providers process the relevant content — for example, a call transcript or a draft you ask for — in order to provide the feature. When your AI receptionist answers a call, it is given your business profile, recent learned notes, and the caller’s history with you (name, recent call summaries, open estimates) so it can be useful; that data goes to the voice provider for the duration of providing the call.
5. Subprocessors and connected services
Providers we use to run the Service for everyone:
- Stripe — payment processing and payouts.
- Anthropic — AI text processing (drafts, summaries, chat, analysis).
- OpenAI — AI image generation.
- Vapi — voice calls: telephony, speech-to-text, text-to-speech, recordings.
- Twilio — SMS delivery and phone numbers.
- Hostinger — application hosting.
Services you may choose to connect, which then process your data under their own terms:
- Your own email mailbox (SMTP/IMAP credentials you supply) — all your outbound email is sent through it.
- Google (calendar), Microsoft (calendar), and Zoom, via OAuth.
- Unipile — social messaging and posting (LinkedIn, Instagram, Facebook).
- Your own Stripe account — for collecting payments from your customers.
- Optional add-ons: TextBee (sending SMS through your own Android phone) and a managed iMessage line.
- Firecrawl — retrieval of publicly available web data for website import and lead discovery.
6. Security
- Connected-service credentials (such as your mailbox password and integration keys) are encrypted at rest with AES-256-GCM and are never returned to the browser.
- Data is encrypted in transit with TLS.
- The Service is multi-tenant with organization-scoped isolation: every query is scoped to your organization, and sub-accounts are isolated from each other.
- Passwords are stored only as one-way hashes.
No system is perfectly secure, but we treat your credentials and your customers’ data as the most sensitive things we hold.
7. Call recording notice
Calls handled by the AI receptionist may be recorded and transcribed, and the transcript is processed by AI to produce summaries and follow-ups. Call-recording consent laws vary — some jurisdictions require all parties to consent. If you use the voice features, you are responsible for complying with the recording-consent laws that apply to you and your callers, including any required disclosures at the start of a call.
8. Cookies
The Service sets a small number of first-party cookies:
- A session cookie to keep you signed in.
ss_ref— referral attribution when you arrive through an affiliate link; expires after 30 days.- A cookie remembering which sub-account you are viewing (agency accounts).
- Short-lived (about 10 minutes) state cookies during Google, Microsoft, or Zoom connection flows.
There are no third-party advertising or analytics cookies, pixels, or scripts on the Service.
9. Retention and deletion
- We keep your data for as long as your account is active, so the Service can work.
- You can request deletion of your account and data at any time by emailing founder@stackspacesolutions.com. We will delete it except where we must retain records (for example, billing and tax records) for legal reasons.
- Deleted data may persist in encrypted backups until those backups are purged on their normal cycle.
- For end-customer data, we act on our customer’s instructions: if you are someone’s contact and want your data removed, you can contact the business that holds it, or contact us and we will pass the request along and assist.
10. Your rights
Wherever you live, we honor these rights on request: access to the personal data we hold about you, correction of inaccurate data, deletion, portability (a copy in a usable format), and objection to or restriction of certain processing. To exercise any of them, email founder@stackspacesolutions.com from the address on your account (or with enough information for us to verify you). We respond within the timelines applicable law requires.
California residents (CCPA/CPRA)
- Categories we collect: identifiers (name, email, phone), commercial information (subscriptions, invoices), internet activity on the Service (usage metering, message engagement), audio (call recordings), and professional information (business profile).
- We do not sell personal information and we do not share it for cross-context behavioral advertising.
- You have the right to know, the right to delete, the right to correct, and the right not to be discriminated against for exercising these rights. Email us to exercise them; you may also use an authorized agent.
11. Children
The Service is a business tool and is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email us and we will delete it.
12. International transfers
We are based in the United States and process data there. If you use the Service from outside the US, your data will be transferred to and processed in the US, which may have different data-protection laws than your jurisdiction.
13. Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated through the Service, and the “last updated” date above always reflects the current version.
14. Contact
Stack Space Solutions · Noah Gregory, founder · founder@stackspacesolutions.com · stackspacesolutions.com