Privacy Policy

1. Introduction

StackItSmart ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our website and services (collectively, the "Service").

IMPORTANT: StackItSmart is an educational and research platform. The Service provides information about performance enhancement compounds for research purposes only and is NOT a medical service. By using our Service, you acknowledge that:

• We collect sensitive health information you voluntarily provide
• Your data may be shared with third-party AI services (OpenAI) to provide features
• You have rights to access, delete, and control your data under GDPR and CCPA
• We implement security measures but cannot guarantee absolute data security

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address: Used for authentication and account recovery
• Password: Stored securely using Firebase Authentication (bcrypt hashing)
• Account creation date: Timestamp of registration
• User ID: Unique identifier generated by Firebase

2.2 Profile Information (Optional)

You may voluntarily provide:

• Age: Used for age-gated content and safety checks
• Biological sex: Used for personalized recommendations
• Weight and height: Used for dosage calculations (educational only)
• Experience level: Beginner, intermediate, or advanced
• Fitness goals: Bulk, cut, recomp, cognitive, endurance
• Medical conditions: Used for safety warnings and contraindication checks

2.3 Health Data

• Lab results: Blood test values (testosterone, liver enzymes, lipids, etc.)
• Journal entries: Daily logs of mood, energy, sleep quality, side effects
• Cycle protocols: AI-generated or manually created cycle plans
• Medical conditions: Self-reported health conditions and contraindications

2.4 Usage Data

We automatically collect:

• Session data: Login timestamps, IP addresses (for security)
• Device information: Browser type, operating system, screen resolution
• Analytics: Page views, feature usage, time spent (via Google Analytics)
• Rate limiting data: API usage counts to enforce daily limits
• Error logs: Technical errors for debugging (no personal data included)

2.5 AI Chat Data

When you use the AI assistant or cycle builder:

• Chat messages: Questions and responses with the AI assistant
• Cycle generation inputs: Parameters sent to OpenAI GPT-4 for cycle creation
• AI responses: Generated cycle protocols and health recommendations

3. How We Use Your Information

3.1 Core Service Delivery

• Authenticate your account and maintain login sessions
• Generate personalized AI cycle recommendations
• Provide AI chatbot assistance for research questions
• Store and display your journal entries, lab results, and saved cycles
• Calculate suppression scores and risk tiers based on your profile
• Enforce age gates (21+ requirement for certain features)
• Provide safety warnings based on medical conditions you enter

3.2 Safety and Security

• Prevent unauthorized access to your account
• Detect and prevent fraud, abuse, and security threats
• Enforce rate limits to prevent API abuse
• Monitor for prompt injection attacks and misuse of AI features
• Comply with legal obligations and law enforcement requests

3.3 Analytics and Improvement

• Analyze usage patterns to improve the Service
• Monitor performance metrics (page load times, error rates)
• Conduct A/B testing for feature improvements
• Generate aggregate statistics (e.g., "% of users who complete cycles")

3.4 Communication

• Send important service notifications (e.g., security alerts, policy changes)
• Provide customer support and respond to inquiries
• Send optional educational content (if you opt in)

Note: We do NOT sell your data to third parties for advertising purposes.

4. Third-Party Data Sharing

4.1 OpenAI (AI Cycle Builder & Chat Assistant)

Data Shared:

• Your age, biological sex, weight, height, experience level, fitness goals
• Medical conditions you enter (if any)
• Chat messages sent to the AI assistant
• Cycle builder input parameters

Purpose: Generate personalized cycle recommendations and answer research questions using GPT-4.

OpenAI Data Policy: As of March 2023, OpenAI states that data sent via API is:

• NOT used to train OpenAI models (API data opt-out)
• Retained for 30 days for abuse monitoring, then deleted
• Subject to OpenAI's privacy policy: https://openai.com/policies/privacy-policy

Your Control: Do not use the AI features if you do not consent to OpenAI processing your data.

4.2 Firebase / Google Cloud (Database & Authentication)

Data Shared: All data you provide (account, profile, health data, journal entries, lab results).

Purpose: Store and secure your data using Firestore (Google Cloud database).

Google Cloud Data Policy: Subject to Google Cloud Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice

Security: Data is encrypted at rest and in transit. Firestore security rules enforce user-level access control.

4.3 Google Analytics (Usage Tracking)

Data Shared: Anonymized usage data (page views, clicks, session duration).

Purpose: Understand how users interact with the Service.

Your Control: Use browser extensions (e.g., uBlock Origin) to block Google Analytics.

4.4 Hosting Providers (Netlify / Vercel)

Data Shared: Server logs (IP addresses, request URLs, timestamps).

Purpose: Host and deliver the website.

4.5 Legal Disclosures

We may disclose your data if required by law, court order, or government request, or to protect our rights, safety, or property.

5. Data Retention

• Account data: Retained until you delete your account
• Health data (labs, journals, cycles): Retained until you delete it or your account
• Chat history: Stored in Firestore indefinitely (you can delete individual chats)
• OpenAI data: Retained by OpenAI for 30 days, then deleted
• Analytics data: Aggregated data retained indefinitely; individual session data deleted after 26 months (Google Analytics default)
• Server logs: Retained for 90 days for security monitoring

Account Deletion: When you delete your account, we permanently delete all associated data within 30 days, except where retention is required by law.

6. Your Rights (GDPR & CCPA)

6.1 European Users (GDPR)

If you are in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of all data we hold about you
• Right to Rectification: Correct inaccurate data in your profile
• Right to Erasure: Delete your account and all associated data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Export your data in JSON format
• Right to Object: Object to analytics tracking or AI processing
• Right to Withdraw Consent: Revoke consent for sensitive data processing
• Right to Lodge a Complaint: Contact your national data protection authority

6.2 California Users (CCPA)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of what data we collect and how we use it
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do NOT sell your data, so no opt-out needed
• Right to Non-Discrimination: We will not discriminate if you exercise your rights

6.3 How to Exercise Your Rights

To exercise any of these rights, please:

• Email us at: privacy@stackitsmart.com
• Use the "Delete Account" button in your profile settings
• Use the "Export Data" button to download your data (if implemented)

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

7. Data Security

We implement industry-standard security measures:

• Encryption in transit: All data transmitted over HTTPS (TLS 1.3)
• Encryption at rest: Firestore encrypts all data at rest by default
• Secure authentication: Passwords hashed with bcrypt via Firebase Authentication
• HTTP-only cookies: Session tokens stored in secure, HTTP-only cookies (not localStorage)
• Access control: Firestore security rules enforce user-level permissions
• Rate limiting: API limits prevent abuse and brute-force attacks
• Security monitoring: Automated alerts for suspicious activity

8. Children's Privacy

Age Requirement: You must be 18 years or older to create an account. Certain features (AI cycle builder) require you to be 21 or older.

We do NOT knowingly collect data from individuals under 18. If we discover that a minor has created an account, we will delete it immediately.

If you are a parent and believe your child has provided data to us, please contact privacy@stackitsmart.com.

9. International Data Transfers

Our servers and third-party providers (Firebase, OpenAI) may be located in the United States or other countries. By using the Service, you consent to the transfer of your data to these jurisdictions.

For EEA users: We rely on Standard Contractual Clauses (SCCs) and adequacy decisions for data transfers outside the EEA.

10. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email (if you have provided one)
• Display a prominent notice on the website

Continued use of the Service after changes constitutes acceptance of the new policy.

11. Contact Us

If you have questions, concerns, or requests about your privacy:

• Email: privacy@stackitsmart.com
• Data Protection Officer: dpo@stackitsmart.com (if required by GDPR)
• Mailing Address: [To be added]

For GDPR-related inquiries, you may also contact your local supervisory authority.