Privacy Policy

Privacy Policy

Last updated: May 10, 2026 — version 1.1

Introduction

Stackable ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our brick-building application.

1. Data We Collect

We collect the following categories of information:

Personal information. Your email address (if you sign up), the authentication provider you use (Google, Apple, or Email), and your IP address (for security and audit purposes). We also capture a device identifier on each build you submit, used solely for free-tier anti-abuse rate limiting; for anonymous sessions, the device identifier is not stored against your account record.

Profile information (registered users only). If you create an account and choose to share builds publicly, you may also provide a username (publicly visible on your shared builds), a display name and short bio, and an avatar image.

Build data. Your build descriptions (the natural-language prompts you submit), your chat messages with our AI assistant, the generated 3D models and files (LDR, PNG, PDF, 3DS) we produce for you, and the timestamps of when each build was created.

Usage data. The number of builds you've created, your subscription tier, and your feature usage patterns.

2. How We Use Your Data

We use your information to provide and improve our brick-building service, generate custom builds based on your requests, manage your account and subscription, enforce usage quotas and rate limits, train and improve our AI models (using anonymized data — see Section 3), and comply with legal obligations and prevent fraud.

3. Data Retention & Anonymization

Active accounts. We retain your personal information and build data for as long as your account is active.

Deleted accounts. When you delete your account, your personal information (email, device identifier, username, display name, bio, and avatar) is immediately removed from your account record. Your previously uploaded scan images (camera photos used to identify your bricks) are removed within 30 days. Your builds and chat messages have all personal identifiers stripped — a "scrub" pass removes emails, phone numbers, and personal-name patterns from the text — and the de-identified content is retained for service improvement and model training. Your audit-log entries have your account identifier and IP address removed at the end of the grace period. You have 30 days to restore your account with a new email; after 30 days, account restoration is no longer possible.

Legal basis under GDPR. Under Recital 26 of the General Data Protection Regulation, anonymous data is not considered personal data. Once anonymized as described above, your builds no longer identify you and can be used for improving our service.

Audit logs. For security and compliance, we retain audit logs of privacy actions (data exports, account deletions, login events) for up to 3 years. After 3 years they are automatically purged.

Waitlist signups. If you join our waitlist before creating an account, we collect your email and connection metadata (IP address, browser user agent) to manage capacity and prevent abuse. Waitlist signups are retained for up to 12 months or until you create an account, whichever comes first.

4. Your Privacy Rights (GDPR)

Right to access (Article 15). You can view your profile and usage data in the Profile tab.

Right to data portability (Article 20). Download all your data in JSON format via Settings → "Download My Data". The export includes your profile, your builds, your chat messages, your scan results, and your usage history.

Right to erasure (Article 17). Delete your account via Settings → "Delete My Account". Your personal information will be removed immediately, with a 30-day grace period for restoration. See Section 3 above for the full inventory of what is removed and what is anonymized.

Right to object (Article 21). You can object to data processing by deleting your account or contacting us.

Right to rectification (Article 16). Update your profile information in the Profile tab.

5. Data Security

We implement security measures appropriate to the sensitivity of the data:

• Encryption in transit (HTTPS/TLS) for all client-server communication
• Server-side encryption on file storage (where supported by our storage provider)
• JWT-based authentication
• Rate limiting and abuse prevention
• Audit logging for sensitive actions, with automated review of unusual access patterns

Production database encryption-at-rest is configured before public production launch. We do not currently encrypt individual database fields beyond what the underlying storage provides.

6. Data Sharing

We do not sell your personal information. We share specific categories of data with third-party service providers who are contractually bound to protect your data and comply with the GDPR.

Named providers — services where it is meaningful for you to know specifically who we use:

• Amazon Web Services stores your files (the LDR, PNG, PDF, and 3DS files we generate, your scan photos, and your avatar image) in encrypted cloud storage.
• Supabase handles your account authentication (email, password hash, authentication tokens).
• RevenueCat manages your Pro subscription (purchase tokens and subscription status).
• AI service providers receive your build prompt text and, where applicable, your scan photos in order to generate builds and identify parts. We currently route these requests to one of OpenAI, Anthropic, or Google (Gemini), depending on availability and feature; each is bound by a data-processing agreement.

Service categories — operational tooling we use without naming specific vendors (vendors may change over time):

• Product analytics services receive a pseudonymous identifier plus event names and properties (subscription tier, auth provider, build counts) to help us understand how the product is used.
• Error monitoring services receive a pseudonymous identifier plus error stack traces and scrubbed request context to help us diagnose bugs. Your email address is not forwarded.
• Transactional email services (when account-related emails are enabled) receive your email address and the message body solely to deliver the email.

We may also disclose your information when legally required (e.g., valid court orders or law enforcement requests).

Catalog data about brick sets, themes, and parts inventories is pulled from the public Rebrickable dataset under their attribution terms; we do not send any of your personal data to Rebrickable.

7. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at the address below.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your residence, including the United States. We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses (SCCs)
• Data Processing Agreements with providers
• Compliance with GDPR and equivalent regulations

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use of the service after changes constitutes acceptance.

10. Data Controller and Contact

For the purposes of the GDPR, the controller of your personal data is Stackable Studio, established in the Netherlands. You can reach us at:

• Email: privacy@stackable.studio
• Data Protection Officer: dpo@stackable.studio

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or with the supervisory authority in your EU/EEA country of residence if you believe your privacy rights have been violated.

11. GDPR Compliance Statement

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and equivalent regulations worldwide. We are committed to protecting your fundamental rights to privacy and data protection.

12. Trademark Notice

LEGO® is a trademark of the LEGO Group of Companies. The LEGO Group does not sponsor, authorize, or endorse Stackable. References to LEGO® in this document are nominative and descriptive only. The full trademark notice appears in Section 7 of our Terms of Service.