Skip to main content
Stackd

Privacy Policy

Last updated: 13 March 2026

Stackd (“we”, “us”, “our”) operates the website stackd.community. This Privacy Policy explains what personal data we collect, how we use it, and your rights under the UK GDPR and EU GDPR. By using Stackd you agree to the practices described here.

1. Data We Collect

We collect the following categories of personal data:

  • Account data — your email address and chosen username, collected when you register or sign in via Google OAuth.
  • Profile data — display name, optional bio, and profile picture (supplied by Google OAuth or left as an initial avatar).
  • Collection data — the LEGO sets you log, their status (Owned / Built / Wishlist), ratings you submit across five criteria, and any written reviews.
  • Social data — accounts you follow, likes you give to community reviews, and notifications generated by those actions.
  • Usage data — standard server logs including IP address, browser type, and pages visited, retained briefly for security and diagnostic purposes.

We do not collect payment information, precise location data, or any special-category personal data.

2. How We Use Your Data

We process your personal data on the following lawful bases:

  • Performance of a contract — to create and manage your account, display your collection, and provide the core service.
  • Legitimate interests — to show your public profile and reviews to other users (where you have chosen to log sets publicly), to send transactional emails (password resets, email confirmation), and to prevent abuse.
  • Compliance with legal obligations — to respond to lawful requests from authorities where required.

We do not sell your personal data, use it for advertising profiling, or share it with third parties for their own marketing purposes.

3. Amazon Affiliate Links

Stackd participates in the Amazon Associates programme. Set detail pages include affiliate links to Amazon (tagged stackdcommuni-21). When you click one of these links and make a purchase on Amazon, we may earn a small commission at no extra cost to you.

Clicking an Amazon link takes you to Amazon’s website, which is governed by Amazon’s own Privacy Policy. Amazon may set cookies and collect data about your visit and purchase in accordance with their policies. Stackd has no access to or control over Amazon’s data collection.

4. Data Processors

We use the following third-party processors to operate the service:

  • Supabase Inc. — our database and authentication provider. All account, profile, collection, and social data is stored on Supabase-managed PostgreSQL infrastructure. Supabase processes data under a Data Processing Agreement in compliance with GDPR. Data is hosted in the EU (Frankfurt, AWS eu-central-1).
  • Vercel Inc. — our hosting and edge-delivery provider. Page requests are handled by Vercel’s global network. Vercel retains access logs for a limited period for security purposes.
  • Google LLC — if you sign in with Google, your name, email, and profile picture are shared with us by Google under their OAuth consent flow.
  • Rebrickable — we query the Rebrickable API to retrieve publicly available LEGO set metadata (names, images, piece counts). No personal data is sent to Rebrickable.

5. Cookies and Local Storage

Stackd uses a session cookie set by Supabase to keep you logged in. We also store a single localStorage flag (pwa_install_dismissed) to remember if you have dismissed the app install prompt. We do not use tracking cookies, advertising cookies, or analytics cookies.

6. Data Retention

Your account and collection data is retained for as long as your account is active. If you request deletion of your account, we will permanently delete your personal data within 30 days, except where retention is required by law. Anonymised, aggregated usage statistics (e.g. how many times a set has been logged community-wide) may be retained indefinitely.

7. Your Rights Under GDPR

If you are located in the UK or European Economic Area, you have the following rights:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can correct inaccurate data via your profile settings at any time.
  • Right to erasure — you can request deletion of your account and all associated personal data.
  • Right to portability — you can request an export of your collection data in a machine-readable format (JSON or CSV).
  • Right to restrict processing — you can ask us to stop processing your data in certain circumstances.
  • Right to object — you can object to processing based on our legitimate interests.

To exercise any of these rights, contact us at the address in section 8. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority — in the UK this is the Information Commissioner’s Office (ICO).

8. Contact

For any privacy-related questions, data requests, or to exercise your rights, please email us at hello@stackd.community. We aim to respond to all requests within 30 days.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by a new “Last updated” date at the top of this page. Continued use of Stackd after changes are posted constitutes your acceptance of the updated policy.