Privacy Policy

Last updated: 16 March 2026

This policy explains how StackFlag (stackflag.com) collects, uses, and protects your information.

What we collect

Account information: Your email address and a hashed version of your password. Optionally, a display name.

Stack data: The software names, versions, and monitoring rules you define. This is used solely to match vulnerabilities against your stack.

Usage data: Server logs (IP address, browser user-agent, pages visited) for security monitoring, rate limiting, and debugging. We do not use analytics tracking scripts.

Flag and alert history: Records of which vulnerabilities matched your stack, your triage actions (read, acknowledged, dismissed), and notes you add.

Feedback messages: If you use the feedback form, we receive the message content, your email (if provided), and the page you were viewing.

How we use your data

  • To provide the service: matching vulnerabilities to your stack, sending alerts, displaying your flag queue.
  • To send transactional emails: verification, password reset, alert digests.
  • To maintain security: rate limiting, login attempt logging, abuse prevention.
  • To improve the service: aggregated, non-identifying usage patterns.

We do not sell your data. We do not share your data with third parties except as required to operate the service (email delivery) or as required by law.

AI processing

Vulnerability summaries are generated automatically as part of StackFlag's enrichment pipeline using a third-party AI service (Cloudflare Workers AI). Only the vulnerability's public title and description are sent for processing. No personal data, stack information, or account details are included in these requests.

Data retention

  • Account and stack data is retained while your account is active.
  • Login attempt logs are retained for 30 days.
  • Notification queue records are retained for 14 days.
  • If you delete your account, your data is permanently removed within 30 days.

Security

Your data is stored on servers protected by firewall rules, SSH key-only access, and encrypted connections. Passwords are hashed with bcrypt. Sessions use secure, HTTP-only cookies.

Cookies

We use a single session cookie (SF_SESS) to maintain your login. No third-party cookies or tracking cookies are used.

Your rights

You can:

  • Access your data through your account settings and stack pages.
  • Export your stack definitions and flag history (feature coming soon).
  • Delete your account and all associated data via Settings.
  • Contact us at [email protected] with any data requests.

Changes to this policy

We may update this policy from time to time. We will notify registered users by email of material changes.

Contact

If you have questions about this policy, email us at [email protected].