Privacy Policy

How StackRadar handles your data

Last Updated: May 26, 2026

This Privacy Policy explains how SIA StackRadar, registered in Latvia under registration number 40203749357, with registered office at Dzirciema street 121, Riga, Latvia, LV-1055 ("StackRadar", "we", "us"), processes personal data when you visit https://stackradar.com (the "Website") or use the StackRadar software-as-a-service platform and related applications, APIs, and integrations (together, the "Service").

We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Latvian Personal Data Processing Law.

1. Controller and Processor Roles

We act as controller for the personal data we collect about you and your authorized users in connection with the Website and your StackRadar account (for example, account information, billing information, and support communications). This Policy describes that processing.

When you connect a source code repository or other source to the Service and that data includes personal data of third parties (for example, commit author names and email addresses), we act as processor on your behalf. That processing is governed by our Data Processing Agreement (the "DPA"), which is incorporated into the Terms of Service.

2. Personal Data We Collect

Information you provide:

  • Account information: name, email address, password (stored using a strong salted one-way password hash), profile image, multi-factor authentication credentials.
  • Organization information: organization name, team membership, role, invitations.
  • Billing information: billing contact name and email, billing address, VAT number, plan, invoice history, and a payment-method token issued by our payment processor. We do not store full payment card numbers.
  • Support, sales, waitlist, and feedback communications: name, email, job title, company, message content, and any other information you choose to share.

Information we receive when you connect a third-party system (for example, GitHub for source code, or Slack or Discord for notifications): OAuth tokens and connection metadata, identifiers of the connected account/workspace/repository, the identifier of the user who authorized the connection, and the contents of repositories, manifests, configuration, commit history, and similar artifacts that we need to provide the features you enable. These may include incidental personal data of contributors (such as names and email addresses in commit metadata).

Information we collect automatically: usage data (pages and features used, actions taken, search queries, dashboards viewed), device and connection data (IP address, approximate location from IP, browser, operating system, language, referring URL, cookie and session identifiers), and diagnostics and error data (application errors, stack traces, request metadata).

Information from third parties: identifiers from authentication providers you sign in with, billing status and transaction information from our payment processor, and vulnerability and ecosystem data from public sources (which do not normally identify you).

3. How and Why We Use Personal Data

We use personal data on the following legal bases under Article 6 GDPR:

Purpose and legal basis:

  • Purpose: Provide, operate, and support the Website and the Service; create and manage your account; respond to support requests. Legal basis: Performance of a contract (Art. 6(1)(b)) — pre-contractual where you are not yet a customer.
  • Purpose: Process payments, manage subscriptions, send invoices, and meet tax and accounting obligations. Legal basis: Performance of a contract (Art. 6(1)(b)); compliance with legal obligations (Art. 6(1)(c)).
  • Purpose: Authenticate users; detect and prevent fraud, abuse, and unauthorized access; secure the Service and our infrastructure; investigate and respond to security incidents. Legal basis: Legitimate interests in the security and integrity of the Service (Art. 6(1)(f)); performance of a contract (Art. 6(1)(b)).
  • Purpose: Communicate with you about the Service (service announcements, security and billing notices, terms changes). Legal basis: Performance of a contract (Art. 6(1)(b)); compliance with legal obligations (Art. 6(1)(c)).
  • Purpose: Send marketing to prospective customers. Legal basis: Consent (Art. 6(1)(a)). You may withdraw consent at any time.
  • Purpose: Send similar-product marketing to existing customers. Legal basis: Legitimate interests (Art. 6(1)(f)), supported by a "soft opt-in" under the Latvian implementation of the ePrivacy Directive. You may opt out at any time.
  • Purpose: Measure, analyze, and improve the authenticated Service. Legal basis: Legitimate interests in operating and improving the Service (Art. 6(1)(f)).
  • Purpose: Comply with legal obligations and establish, exercise, or defend legal claims. Legal basis: Compliance with legal obligations (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

We do not use personal data to train machine learning models, and we do not sell personal data.

Required and optional data. Your name, email, and authentication credentials are required to create an account. Billing information is required for paid plans. Connecting a source code host is required to use the dependency discovery, vulnerability analysis, and remediation features. Connecting Slack or Discord is optional. Survey and feedback responses, profile images, and marketing consent are optional. If you do not provide required data, we cannot provide the corresponding feature.

Special categories. The Service is not intended for processing special categories of personal data under Article 9 GDPR (such as health, biometric, or sex-life data) or data relating to criminal convictions. Please do not submit such data.

Automated decisions. We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

4. Sharing and Subprocessors

We share personal data only as needed to operate the Service and as described in this Policy:

  • With your organization. If you use the Service as part of an organization, your account and usage information may be visible to other members and administrators of that organization, in accordance with the visibility settings of the Service.
  • With service providers. We use vendors that process personal data on our behalf to help us run the Service. These include providers of application hosting and diagnostics, cloud infrastructure, and error monitoring (which may handle Customer Personal Data on the customer's behalf — listed by name in Annex III of the DPA), as well as providers that we engage on our own behalf for transactional and marketing email delivery (currently Resend, Inc.) and for payment processing of billing contact details (currently Stripe Payments Europe Limited). Some of these vendors are based outside the EU/EEA, including in the United States. For DPA-scope subprocessors, we will provide at least 30 days' advance notice of new additions to the account owner or administrator on file (by email or in-app notification), and you may object on reasonable data protection grounds as described in the DPA.
  • With third-party systems you connect. When you authorize an integration with a source code host (such as GitHub) or a notification tool (such as Slack or Discord), we exchange data with that system as needed to provide the integration. Those systems are independent controllers; your use of them is governed by their own terms and privacy policies.
  • In corporate transactions. With actual or prospective acquirers, investors, or successors in a merger, acquisition, reorganization, or sale of assets, subject to confidentiality obligations.
  • When required by law. With courts, regulators, and other public authorities when required by valid legal process or when we believe in good faith that disclosure is necessary to comply with law or protect our or others' rights.
  • With your consent or at your direction.

We do not sell personal data, and we do not "share" it for cross-context behavioral advertising as defined under the California Consumer Privacy Act.

5. International Data Transfers

We are based in the European Union (Latvia), and our primary hosting is in the EU. When we transfer personal data to a country outside the EU/EEA that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational measures where appropriate. A copy of the safeguards is available on request to privacy@stackradar.com.

6. Cookies

We use only strictly necessary cookies and similar technologies on the Website and in the Service. Examples include:

  • your session cookie, CSRF token, and authentication tokens, which are required to provide and secure the Service;
  • marketing_auth, a session cookie set when you are signed in to your account, so the marketing website can render the logged-in version of the page for you.

These are exempt from consent under Article 5(3) of the ePrivacy Directive as implemented in Latvia because they are strictly necessary to provide the Website or the Service you have requested. Any associated personal-data processing is carried out on the basis of performance of a contract (Art. 6(1)(b) GDPR) or legitimate interests in operating and securing the Service (Art. 6(1)(f) GDPR).

We do not currently set non-essential analytics or marketing cookies. If we introduce any, we will request your prior consent and present a cookie banner that lets you change your preferences. Blocking strictly necessary cookies may prevent parts of the Service from working.

7. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, and to comply with legal, accounting, and reporting obligations:

Category and retention period:

  • Account information and Customer Data: For the life of your account; deleted within 90 days after account closure or earlier on request, subject to backups that are overwritten on a rolling basis.
  • Invoices and accounting source documents: 5 years from the end of the relevant financial year, as required by Latvian accounting and VAT law (longer where a specific record category is subject to a longer statutory retention period).
  • Security and application logs, error data, performance diagnostics: Up to 12 months.
  • Marketing and waitlist contact data: Until you unsubscribe, withdraw consent, or object, and then for a limited period (typically up to 24 months) on a suppression list.
  • Support communications: Up to 36 months from the last interaction.
  • Backups: Overwritten on a rolling basis, typically within 35 days.

When data is no longer needed, we delete or anonymize it. We may retain aggregated and de-identified data indefinitely, subject to safeguards designed to prevent re-identification.

8. Security

We implement appropriate technical and organizational measures to protect personal data, including TLS encryption in transit, encryption of secrets and OAuth tokens at rest, strong salted one-way password hashing, multi-factor authentication, role-based access controls, security monitoring, continuous vulnerability scanning of our own dependencies, segregated environments, and documented incident-response, access-management, and vendor-management practices. Further detail is in Annex II of the DPA.

No method of transmission or storage is completely secure. Where we act as controller and a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required by Article 33 GDPR, and we will notify affected users without undue delay where required by Article 34 GDPR. Where we act as processor, we will notify the customer of a personal data breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware, as described in the DPA.

9. Your Rights

Where the GDPR or a similar law applies to our processing, you have the rights set out in Chapter III GDPR: access, rectification, erasure, restriction of processing, data portability, objection to processing based on our legitimate interests (including direct marketing), withdrawal of consent (without affecting processing carried out before withdrawal), and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

You can exercise most of these rights in your account or by emailing privacy@stackradar.com. We will respond within one month, subject to extensions permitted by law for complex requests. We may need to verify your identity.

If you believe our processing infringes data protection law, you may lodge a complaint with the Latvian Data State Inspectorate (Datu Valsts inspekcija; https://www.dvi.gov.lv) or with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

If you use the Service through an organization, requests relating to Customer Data that we process on behalf of that organization should be directed to the organization; we will assist as required by the DPA.

10. Other Jurisdictions and Other Topics

Children. The Service is intended for business and professional use. We do not knowingly collect personal data from individuals under 16 years of age and will delete it if we learn we have. If you believe a child has provided us with personal data, contact privacy@stackradar.com.

California, Brazil, and other jurisdictions. We do not currently meet the business applicability thresholds of the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). We do not sell personal data and do not "share" it for cross-context behavioral advertising as defined under the CCPA/CPRA. We do not currently target the Brazilian market, take payment from customers in Brazil, or otherwise offer the Service to individuals in Brazil within the meaning of Article 3 of the Brazilian Lei Geral de Proteção de Dados ("LGPD"), and we are not aware of processing personal data collected in Brazil. If any of this changes, or if you believe a law in your jurisdiction gives you additional rights, contact privacy@stackradar.com.

Marketing. You can unsubscribe from marketing emails at any time using the link in any marketing email, in your account preferences, or by emailing privacy@stackradar.com. Even if you opt out of marketing, we will continue to send service messages (such as security alerts, billing notices, subprocessor changes, and changes to the Terms or this Policy).

Changes. We may update this Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the Service or on the Website at least 30 days before they take effect, unless a shorter period is required by law. The "Last Updated" date reflects the latest version. Prior versions are available on request.

11. Contact

Based on our current processing activities, we are not required to designate a Data Protection Officer under Article 37 GDPR and have not done so. If that changes, we will update this Policy.