Legal
Privacy Policy
Last updated: 23 May 2026
1. Who we are
lifestack ("lifestack", "we", "us", or "our") is operated by lifestack Consulting Ltd, a company registered in the United Kingdom. We provide an AI-powered transformation platform for operators running £300K–£5M businesses.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, lifestack is the "data controller" in respect of personal data you provide to us through the platform at lifestack.studio.
2. What personal data we collect
We collect and process the following categories of personal data:
- Account data: your name, email address, password hash, organisation, and role.
- Diagnostic data: answers, free-text responses, and AI-generated portraits produced during the 30-minute diagnostic conversation.
- Operating data: goals, decisions, journal entries, stakeholder notes, and any other content you choose to store in the platform.
- Billing data: subscription status and transaction identifiers. Card details are handled by our payments provider; we do not store them.
- Technical data: IP address, device and browser metadata, and minimal telemetry to keep the service running.
3. Lawful bases for processing
We rely on the following lawful bases under Article 6 UK GDPR:
- Contract — to provide the platform you have signed up for.
- Legitimate interests — to keep the service secure, prevent abuse, and improve product quality.
- Consent — for non-essential cookies and any optional marketing communications. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
4. How we use your data
- To deliver the diagnostic, dashboard, and Chief of Staff functionality.
- To route requests to specialist AI agents on your behalf.
- To send transactional email (account, billing, security).
- To send product updates and newsletter content, where you have opted in. You can unsubscribe from any non-transactional email at any time.
- To detect abuse and meet our legal obligations.
We do not sell personal data. We do not use your diagnostic or journal content to train third-party foundation models.
5. Sub-processors
To run the service we share personal data with a small number of carefully selected sub-processors. Each is bound by a data-processing agreement and processes data only on our instructions.
- Vercel Inc. — frontend hosting (United States, with EU edge regions).
- Render Services Inc. — backend API hosting.
- Supabase Inc. — managed Postgres database and authentication.
- Anthropic PBC — large-language-model inference (Claude). Inputs are processed under Anthropic's zero-retention API terms.
- OpenAI, L.L.C. — embedding and supplementary LLM inference, under zero-retention API terms.
- Paddle.com Market Ltd — merchant of record for subscription billing and payments.
- Plunk B.V. — transactional and marketing email delivery.
- Sentry (Functional Software, Inc.) — error and performance monitoring.
- Cloudflare, Inc. — DNS and edge networking.
We will update this list when sub-processors change. Material changes will be notified by email to platform administrators.
6. International transfers
Some sub-processors are located outside the UK or EEA. Where personal data is transferred internationally, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision, together with appropriate supplementary measures (encryption in transit and at rest).
7. Retention
Account and operating data is retained for the duration of your subscription, plus a short grace period after cancellation so you can re-activate. The platform supports soft-deletion: when you delete your account, your records are flagged as deleted and hidden, then hard-deleted from primary storage within 90 days and from backups within an additional 35 days.
Billing records are retained for 7 years to comply with UK tax law. Aggregate, fully anonymised analytics may be retained indefinitely.
8. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure (the "right to be forgotten");
- request restriction of processing or object to processing;
- data portability — receive your data in a structured, machine-readable format;
- withdraw consent where processing is based on consent;
- complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email privacy@lifestack.studio. We aim to respond within one month, in line with our internal data-subject-request runbook (docs/gdpr-dsr-process.md).
9. Security
We protect personal data with HTTPS in transit, AES-256 at rest, role-based access control, audit logging, and least-privilege secrets management. We carry out periodic penetration testing and we respond to suspected incidents in accordance with UK GDPR Article 33 notification timelines (72 hours to the ICO where required).
10. Cookies
We use a small number of strictly necessary cookies (authentication, security, load balancing) which do not require consent, and optional analytics cookies which are only set if you accept the cookie banner. You can clear your choice at any time by clearing site data in your browser.
11. Children
lifestack is a B2B product aimed at adults running businesses. It is not directed at children under 16, and we do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the latest version. Material changes will be notified by email to platform administrators.
13. Contact
For any privacy question, data-subject request, or to report a suspected incident, email privacy@lifestack.studio.