Privacy Policy
How StatStack collects, uses, and protects your information.
1. Information We Collect
StatStack is a creator and talent management platform for esports organizations. We collect different types of information depending on how you interact with the platform.
Account Information
When you sign up for StatStack, we collect:
- Organization name, admin email address, and subdomain
- Staff member names and email addresses (when invited by organization admins)
Creator Information
Organization admins collect the following information about their creators through configurable onboarding forms:
- Personal details: First name, last name, email, phone number, mailing address, birthday, PayPal email
- Social media handles: Twitter/X, Twitch, YouTube, Instagram, TikTok, Discord
- Apparel: T-shirt size, hoodie size, pant size, shoe size and gender
- Gaming: Gamer tag, jersey number
- Profile photo: Uploaded to AWS S3 cloud storage
- Custom questions: Organization admins may configure additional questions on their onboarding forms
Employment and Financial Data
Organization admins may enter the following information about their creators:
- Monthly salary, contract terms (at-will or fixed-term), and contract end dates
This data is entered by organization admins, not by creators directly.
Social Media Statistics
- Public follower counts fetched from YouTube, Twitch, Twitter/X, TikTok, Instagram, and Kick
- Demographic estimates including age bracket, gender, and country breakdowns
Usage Data
- IP addresses: Logged in audit trails and used for rate limiting
- Session data: 7-day session cookies scoped to the .statstackhq.com domain
- Chatbot logs: Stacky AI stores up to 20 messages per user
- Analytics: Page views and interactions collected via Google Analytics 4
Payment Information
All billing and payment processing is handled entirely by Stripe. We do not store credit card numbers or payment method details. We store Stripe customer IDs and subscription IDs solely for billing management purposes.
2. How We Use Information
We use the information we collect to:
- Provide and operate the StatStack platform
- Process payments and manage subscriptions through Stripe
- Send transactional emails such as welcome messages, password resets, and platform notifications
- Fetch and display social media statistics for creators
- Power AI chatbot (Stacky) responses based on your organization's data
- Maintain platform security through fraud prevention, rate limiting, and audit logging
We do not sell your personal information to third parties.
3. Third-Party Services
StatStack integrates with the following third-party services. Each service receives only the data necessary for its function.
Stripe — Payment Processing
Receives email address, organization name, and subscription data. PCI DSS Level 1 compliant.
stripe.com/privacy
Amazon Web Services (AWS) — Infrastructure
All platform data is stored on AWS infrastructure, including RDS (database), S3 (file storage), and EC2 (compute).
aws.amazon.com/privacy
Anthropic (Claude AI) — AI Chatbot
Conversation text is sent to the Claude API to generate Stacky AI responses.
anthropic.com/privacy
SendGrid (Twilio) — Email Delivery
Receives recipient email addresses and email content. Click tracking is enabled, meaning URLs in emails may be rewritten through SendGrid for tracking purposes.
twilio.com/legal/privacy
Google reCAPTCHA — Bot Protection
Used on onboarding forms. Receives IP address and browser data to distinguish humans from bots.
policies.google.com/privacy
Google Analytics 4 — Usage Analytics
Collects page views, user interactions, and IP address for analytics and platform improvement.
policies.google.com/privacy
Twitter/X API — OAuth & Giveaways
Used for OAuth authentication and giveaway features. Receives Twitter user IDs and OAuth tokens.
twitter.com/privacy
Discord API — Bot Integration
Used for bot notifications and slash commands. Receives Discord user IDs and server information.
discord.com/privacy
YouTube Data API — Statistics Fetching
Retrieves public channel data including subscriber counts and video statistics.
policies.google.com/privacy
Twitch API — Statistics Fetching
Retrieves public channel data including follower counts and stream information.
twitch.tv/p/legal/privacy-notice
RapidAPI — API Gateway
Used as an API gateway for Twitter/X and TikTok statistics fetching. Receives social media handles only.
rapidapi.com/privacy
4. Data Retention
- Account data: Retained while your account is active, plus 30 days after deletion to allow for account recovery
- Chatbot logs: Up to 20 messages retained per user session; overwritten when a new session begins
- Audit logs: Retained indefinitely for security and compliance purposes
- Database backups: 14-day automated backup retention through AWS RDS, after which backups are automatically deleted
There is currently no self-service data deletion workflow. To request deletion of your data, please contact us at security@statstackhq.com.
5. Cookies & Tracking
StatStack uses the following cookies and tracking technologies:
- Session cookies: 7-day lifetime, scoped to the .statstackhq.com domain, used to maintain your login session
- CSRF protection cookies: Used to protect against cross-site request forgery attacks
- Remember-me cookies: Persistent cookies that keep you logged in across browser sessions
- Google reCAPTCHA cookies: Third-party cookies used for bot detection on onboarding forms
- Stripe checkout cookies: Set during the payment flow for secure checkout processing
- Google Analytics cookies: Used to collect anonymous usage statistics and improve the platform
- SendGrid click tracking: Links in emails from StatStack may be rewritten through SendGrid to track email engagement
For more details, see our Cookie Policy.
6. Your Rights
You have the following rights regarding your personal data:
- Access: You may request a copy of the personal data we hold about you
- Correction: You may request correction of any inaccurate or incomplete data
- Deletion: You may request deletion of your personal data. Note that there is currently no self-service deletion workflow; please contact us directly
- Portability: You may request your data in a portable, machine-readable format. Note that automated data export is not yet available
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: You can request details about the personal information we collect and how it is used
- Right to delete: You can request deletion of your personal information
- Right to opt-out of sale: We do not sell personal data. There is nothing to opt out of
Minors (Ages 13–17)
Users between the ages of 13 and 17 are afforded additional protections. We do not knowingly sell or share the personal information of minors. If you are under 18, a parent or guardian should review this policy and supervise your use of the platform.
7. Data Security
We take reasonable measures to protect your data, including:
- Encryption at rest: All data stored in our AWS RDS database is encrypted using AES-256
- Encryption in transit: All connections use TLS/HTTPS to protect data during transmission
- Multi-tenant isolation: Each organization's data is logically separated from all other organizations
- Rate limiting and audit logging: Automated protections against abuse, with logging for security review
- Automated backups: Daily database backups with 14-day retention for disaster recovery
No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to security@statstackhq.com.
8. Multi-Tenant Data
StatStack is a multi-tenant platform, meaning multiple organizations use the same infrastructure while their data remains separated. Here is how that works:
- Organization admins control what creator data is collected through configurable onboarding forms
- StatStack processes this data on behalf of organizations
- Each organization's data is logically isolated from all other organizations on the platform
- Organization admins are responsible for obtaining appropriate consent from their creators before collecting personal data through StatStack
9. Children's Privacy
StatStack is intended for users age 13 and older. We do not knowingly collect personal information from children under 13.
If we learn that we have collected data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at security@statstackhq.com.
Creators between the ages of 13 and 17 should have parental or guardian consent before their information is submitted to the platform by an organization admin.
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users via email.
Continued use of the platform after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.
11. Contact
If you have questions about this privacy policy or wish to exercise any of your data rights, you can reach us at:
- Email: security@statstackhq.com
- Website: statstackhq.com