StackLift AI

Privacy Policy

StackLift AI is a product of Atharva System Inc. This policy explains what personal data we collect, how we use it, who we share it with, and your rights — in plain language. It covers GDPR, CCPA, CPRA, PIPEDA, LGPD, and other applicable frameworks.

Effective: June 11, 2025 · Last updated: June 11, 2025
GDPR (EU) · CCPA / CPRA (CA) · PIPEDA (Canada) · LGPD (Brazil) · ICO (UK) · No data selling

Personal Data We Process — At a Glance

CCPA §1798.100 disclosure table

| Data Category | Examples | Purpose | Retention | Shared With |
| --- | --- | --- | --- | --- |
| Project & Estimation Data | Project name, description, feature selections, platforms, integrations, complexity, budget range, timeline, uploaded scope documents, reference URLs, adaptive quiz answers | Generate AI-powered software estimates | 14 days (browser localStorage) · Lead record: up to 3 years after last contact | AI model providers (for inference only) |
| Identity & Contact | Full name, work email address, phone number (optional), job title, company name, company website, LinkedIn profile URL | Follow-up, proposal delivery, sales engagement | Up to 3 years from last contact, or until deletion requested | Internal CRM, email service provider |
| Company & Firmographic | Industry, company size, geography, current tech stack, annual revenue (optional) | Segment and tailor proposal recommendations | Same as identity/contact data | Internal CRM only |
| Usage & Interaction Data | Pages visited, wizard steps completed, features selected, time spent per step, button clicks, scroll depth | Improve tool usability and conversion funnel | 24 months (anonymised after 90 days) | Analytics provider (anonymised) |
| Technical & Device Data | IP address (truncated), browser type and version, OS, screen resolution, referring URL, session ID, timezone | Security, fraud prevention, site reliability | 90 days raw · 24 months aggregated | Infrastructure/CDN providers |
| Communications Data | Email opens, clicks, replies, preference centre selections, opt-out history | Manage marketing consent and communication effectiveness | Until opt-out + 3 years suppression record | Email service provider |
| Uploaded Documents | SOW files, requirement PDFs, Figma exports, screenshots, design briefs | AI scope analysis for wizard pre-fill | Deleted within 24 hours of processing | AI model providers (for inference only, not training) |

1. Who We Are & Scope

Data Controller

Atharva System Inc. ("we", "us", "our") operates StackLift AI at stacklift.ai. We are the data controller for all personal data processed through this website and estimation tool. Our registered address is Atharva System Inc., United States.

Scope of This Policy

This Privacy Policy applies to all personal data we collect when you: (a) visit any page on stacklift.ai; (b) use the AI-powered software estimation wizard; (c) submit a contact or lead form; (d) interact with our emails, proposals, or client portal; (e) attend webinars or events we host; or (f) contact us by any channel. This policy does NOT apply to third-party websites we link to. Each has its own privacy policy.

Children's Privacy

StackLift AI is intended for business use by adults aged 18 and over. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor, contact us immediately at contact@stacklift.ai and we will delete it promptly.

2. Personal Data We Collect

Information You Provide Directly

We collect information you actively submit:
• Estimation wizard inputs: project name, description, feature selections, technology preferences, complexity, timeline and budget expectations, adaptive discovery answers, and any free-text context you enter
• Contact form submissions: name, work email, phone, company name, role, company size, industry, website, LinkedIn (optional)
• Uploaded files: SOW documents, PDFs, Figma files, images, requirement specs
• Reference inputs: app URLs or product names submitted for AI pre-fill analysis
• Communications: emails, support requests, or feedback you send us

Information Collected Automatically

When you visit stacklift.ai, our servers and analytics tools automatically record:
• IP address (stored truncated — last octet removed for GDPR compliance)
• Browser type, version, and rendering engine
• Operating system and device type
• Referring URL and entry page
• Pages visited, time on page, and scroll depth
• Wizard interaction events (step completions, back/forward navigation, option selections)
• Session identifiers and session duration
• Timezone and approximate geography (country/region level only)

Cookies & Similar Technologies

We use cookies and similar client-side storage to:
• Preserve your wizard session and in-progress draft across page reloads (localStorage)
• Remember your light/dark theme preference
• Record your cookie consent choice
• Collect anonymised analytics about site usage
• Deliver and measure email engagement
See our Cookie Policy for the full category-by-category breakdown and your opt-out options.

Sensitive Data

We do not intentionally collect sensitive or special-category personal data (health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, sexual orientation). Please do not include such data in project descriptions or uploaded files. If you inadvertently submit it, contact us and we will delete it.

3. Lawful Basis for Processing

Legitimate Interests (Art. 6(1)(f) GDPR)

We rely on legitimate interests for:
• Operating and improving the estimation tool and website
• Security monitoring and fraud prevention
• Analysing aggregate usage to improve our products
• Following up on submitted leads with relevant proposal information
We have conducted a Legitimate Interests Assessment (LIA) confirming that our interests do not override your fundamental rights and freedoms. You may request a copy of this LIA by emailing contact@stacklift.ai.

Consent (Art. 6(1)(a) GDPR)

We rely on your explicit consent for:
• Marketing and promotional email communications
• Non-essential analytics and tracking cookies
• Use of your project description as a case study or testimonial (separate written consent)
You may withdraw consent at any time without penalty. Withdrawal does not affect the lawfulness of processing before withdrawal.

Contract Performance (Art. 6(1)(b) GDPR)

If you engage Atharva System Inc. for paid software delivery services, processing is necessary to perform the contract — including project scoping, team assignment, progress reporting, invoicing, and client portal access.

Legal Obligation (Art. 6(1)(c) GDPR)

We may process data to comply with legal obligations, including accounting and tax requirements, responding to lawful data requests from government authorities, and maintaining suppression lists to honour opt-outs.

4. Purposes of Processing

AI-Powered Estimation

Your project inputs are processed by AI language models (see Section 6 for the list of providers) to generate scope analysis, effort hours, cost ranges, technology stack recommendations, delivery timelines, risk factors, and architectural guidance. This is the primary purpose of the tool. AI processing happens at inference time only — your inputs are not used to train or fine-tune any AI model unless you give separate explicit consent.

Lead Follow-Up & Sales Engagement

When you submit a contact form, your details and estimation results are stored in our CRM and shared with the StackLift AI / Atharva System Inc. sales and engineering team. We use this to prepare a custom proposal, schedule discovery calls, and manage the sales relationship. You can opt out of follow-up emails at any time.

Proposal & Contract Delivery

If you proceed to a paid engagement, we use your data to prepare and deliver proposals, NDAs, statements of work, invoices, and progress reports through the client portal. This processing is necessary for contract performance.

Product Analytics & Improvement

Anonymised, aggregated usage data (e.g. which wizard steps see the highest abandonment, which feature categories are most selected) is used to improve the estimation tool. This data cannot be linked back to you individually.

Security & Fraud Prevention

Technical data (IP address, request headers, rate-limiting signals) is processed to detect and prevent abuse, automated scraping, and fraudulent form submissions. We use server-side rate limiting and bot detection measures.

Legal Compliance & Dispute Resolution

We may process and retain data as required by applicable law, to defend legal claims, enforce our Terms of Service, or respond to lawful requests from law enforcement or regulatory authorities.

Marketing Communications

With your consent, we may send emails about software development insights, industry guides, StackLift AI product updates, and webinar invitations. Each marketing email contains a one-click unsubscribe link. We maintain permanent suppression records for all opt-outs.

5. Automated Decision-Making & Profiling

AI-Generated Estimates

The estimation tool uses automated processing (AI inference) to generate cost, timeline, and technology outputs based on your inputs. This constitutes automated decision-making under GDPR Art. 22. However, since the outputs are advisory only (no legal or significant effects flow directly from the estimate without human review), standard Art. 22 safeguards do not apply. All AI-generated estimates are reviewed by a human engineer before any formal proposal or contract is issued.

Lead Scoring

We may use firmographic signals (company size, industry, budget range) to prioritise sales follow-up. This scoring is advisory only and does not produce legally significant effects. You may request human review of any automated assessment by contacting contact@stacklift.ai.

Your Rights Regarding Automated Processing

You have the right to request human review of any automated decision that significantly affects you, to express your point of view, and to challenge the outcome. Contact contact@stacklift.ai to exercise this right.

6. Third-Party Processors & Data Sharing

AI Model Providers

Your project inputs may be sent to one or more AI inference providers depending on system configuration:
• OpenAI, LLC (USA) — GPT model family
• Anthropic, PBC (USA) — Claude model family
• Google LLC (USA/EU) — Gemini model family
• Microsoft Azure OpenAI (USA/EU) — Azure-hosted OpenAI models
• AWS Bedrock — Bedrock-hosted foundation models
• Ollama / self-hosted models — may run on Atharva System Inc. infrastructure
All providers operate under Data Processing Agreements (DPAs). For US-based providers, cross-border transfers to the EU are covered by Standard Contractual Clauses (SCCs). Your data is used for inference only — no AI provider uses your data to train their public models under our agreements.

Cloud Infrastructure

StackLift AI is hosted on Vercel (CDN/serverless, USA) and uses cloud infrastructure (AWS or equivalent). All data in transit is encrypted with TLS 1.2+. Data at rest is encrypted with AES-256.

CRM & Sales Tools

Contact form submissions are stored in our internal CRM system. Only Atharva System Inc. employees with a legitimate business need can access lead records. We do not sell or rent CRM data to third parties.

Email Service Provider

Transactional and marketing emails are delivered via an email service provider operating under a DPA. Email engagement data (opens, clicks) is used only for managing communication preferences and measuring deliverability.

Analytics

We may use privacy-respecting analytics (e.g. PostHog with anonymisation enabled, or similar). IP addresses are truncated. We do not use Google Analytics with personally identifiable information. Analytics providers operate under DPAs.

Law Enforcement & Legal Requests

We may disclose personal data to government authorities, regulators, or courts when required by law, court order, or to protect our legal rights, the safety of users, or the public. We will notify affected users where legally permitted.

Business Transfers

If Atharva System Inc. is involved in a merger, acquisition, asset sale, or bankruptcy, your personal data may be transferred as a business asset. We will notify you via email or prominent website notice before your data is transferred and becomes subject to a different privacy policy.

We Do Not Sell Your Data

We do not sell, rent, broker, or trade personal data to third parties for their own marketing or commercial purposes. This applies to all users, including California residents under the CCPA "Do Not Sell or Share My Personal Information" provision.

7. International Data Transfers

Transfers Outside the EEA/UK

StackLift AI operates from the United States. If you are in the EU, UK, or other jurisdictions with data export restrictions, your personal data will be transferred internationally. We ensure adequate protection through:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• EU-US Data Privacy Framework (where applicable)
• UK International Data Transfer Agreements (IDTAs) for UK users
For a copy of the SCCs or DPAs in place with our sub-processors, email contact@stacklift.ai.

8. Data Retention

Wizard Draft Data

In-progress wizard data is stored only in your browser's localStorage. It is never sent to our servers until you submit a contact form. localStorage data is cleared automatically after 14 days of inactivity, or when you complete and close an estimate session.

Submitted Lead & Contact Records

When you submit a contact form, your personal data and estimation output are stored in our CRM for up to 3 years from the date of last contact. After 3 years of inactivity, records are automatically purged. You may request earlier deletion at any time.

Active Client Project Data

If you become a paying client, project-related data is retained for the duration of the engagement plus 7 years (to comply with accounting and tax obligations). After 7 years, data is permanently deleted or fully anonymised.

Uploaded Files

Files uploaded for scope analysis are deleted from AI provider infrastructure and our own systems within 24 hours of processing. We do not store uploaded files beyond this window.

Analytics & Technical Logs

Raw server access logs: 90 days. Anonymised aggregated analytics: 24 months. Rate-limiting and security logs: 90 days.

Marketing Opt-Out Records

If you opt out of marketing communications, we retain a permanent suppression record (email address only, flagged as opted-out) to ensure we never re-add you to marketing lists.

9. Security Measures

Technical Safeguards

We implement industry-standard security measures:
• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest
• Database-level encryption and access controls
• Row-level security on multi-tenant data
• API key rotation and secret management via environment vaults
• Server-side rate limiting on all intake endpoints
• Bot detection and request validation
• Regular dependency vulnerability scanning

Organisational Safeguards

• Access to personal data is limited to employees with a documented business need
• All team members with data access undergo privacy training
• Contractors sign confidentiality and DPA agreements
• Internal access logs are maintained for audit purposes

Data Breach Response

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34). Notifications will include: nature of the breach, approximate number of records affected, likely consequences, and measures taken or planned.

No Absolute Guarantee

No internet transmission or electronic storage system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to contact@stacklift.ai.

10. Your Privacy Rights

Rights Under GDPR (EU/UK Residents)

You have the following rights under the General Data Protection Regulation:
• Right of Access (Art. 15) — Request a copy of all personal data we hold about you
• Right to Rectification (Art. 16) — Correct inaccurate or incomplete data
• Right to Erasure / "Right to be Forgotten" (Art. 17) — Request deletion of your data (subject to legal retention obligations)
• Right to Restriction (Art. 18) — Ask us to pause processing while a dispute is resolved
• Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON or CSV)
• Right to Object (Art. 21) — Object to processing based on legitimate interests or for direct marketing
• Right not to be subject to Automated Decisions (Art. 22) — Request human review of any automated processing
• Right to Withdraw Consent (Art. 7) — Withdraw any previously given consent at any time
We respond to all verifiable requests within 30 days (extendable to 90 days for complex requests with notice).

Rights Under CCPA/CPRA (California Residents)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
• Right to Know — What categories and specific pieces of personal information we collect, use, disclose, and sell
• Right to Delete — Request deletion of personal information we have collected (subject to exceptions)
• Right to Correct — Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing — We do not sell or share personal information for cross-context behavioural advertising
• Right to Limit Use of Sensitive Personal Information — We do not collect sensitive PI as defined under CPRA
• Right to Non-Discrimination — You will not receive discriminatory treatment for exercising your CCPA rights
To exercise CCPA rights, contact contact@stacklift.ai with subject "CCPA Request". We will verify your identity before processing.

Rights Under Other Jurisdictions

If you are resident in Canada (PIPEDA/Law 25), Australia (Privacy Act 1988), Brazil (LGPD), or another jurisdiction with data protection laws, you have analogous rights. Contact us and we will respond in accordance with your applicable law.

Supervisory Authority Complaints

EU residents have the right to lodge a complaint with the supervisory authority in their EU member state (e.g. the Irish DPC, French CNIL, German DSK). UK residents may complain to the ICO (ico.org.uk). We encourage you to contact us first — we will do our best to resolve your concern directly.

12. Cookies & Tracking Technologies

Essential Cookies

Session authentication, CSRF protection, cookie consent preference, and wizard draft state. These cannot be disabled without breaking core functionality.

Preference Cookies

Light/dark theme, timezone, and language preferences. Stored in localStorage or a cookie for up to 1 year.

Analytics Cookies

Anonymised session analytics (page views, funnel steps, events). We use privacy-first analytics with IP anonymisation and no cross-site tracking. Set with consent only outside the EU; set with your cookie banner consent inside the EU.

Pixel Tracking in Emails

Marketing emails may contain a tracking pixel (a 1×1 transparent image) that records when an email is opened and the approximate location (country-level). You can disable this by setting your email client to block remote images.

Third-Party Embeds

If we embed third-party content (e.g. a Calendly booking widget, YouTube video), those providers may set their own cookies subject to their privacy policies. We use consent-gated loading where feasible.

Full Cookie Policy

13. Data Deletion & Erasure Requests

How to Submit a Deletion Request

Email contact@stacklift.ai with subject "Data Deletion Request" and include:
• Your full name
• Email address(es) used
• A description of the data you want deleted
• Your approximate location (for jurisdiction-specific handling)
We will verify your identity, confirm receipt within 5 business days, and complete the deletion within 30 days. We will notify you when complete and confirm which records were deleted or which legal exceptions required retention.

Exceptions to Deletion

We may be required to retain certain data despite a deletion request, including:
• Financial and tax records (7 years under US/UK/EU accounting law)
• Records required for active or anticipated litigation
• Opt-out suppression records (retained in anonymised form to prevent re-adding)
• Data required to honour contractual obligations to an active client

14. Policy Changes

How We Notify You

We may update this Privacy Policy from time to time. For material changes (changes to purpose, new data categories, new third-party processors, or changes to your rights), we will:
• Post a prominent banner on stacklift.ai at least 14 days before the change takes effect
• Send an email notification to all users for whom we hold a contact email
For minor, non-material changes (formatting, clarifications), we will update the "Last updated" date without separate notice. Continued use of the platform after the effective date of a change constitutes acceptance.

Privacy Inquiries & Data Requests

For access, correction, deletion, portability, or any other privacy request, contact us:

contact@stacklift.ai

Atharva System Inc. · Atharva System Inc., United States

Acknowledgement within 5 business days · Resolution within 30 days

Complaints: lodge with your local data protection supervisory authority