Privacy Policy
Last updated: March 3, 2026
Overview
Fluxcode Studio LLC, operating as Superstack ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our token optimization service.
Information We Collect
Account Information
When you create an account, we collect your email address and authentication credentials through our OAuth providers (GitHub, Google).
Usage Data
We collect anonymized metrics about token usage to provide you with savings statistics and improve our optimization algorithms:
- Token counts (input/output)
- Model types used (Haiku, Sonnet, Opus)
- Optimization ratios and savings calculations
- Timestamps of API calls
Important: We never store the content of your prompts or API responses. All prompt processing happens locally on your device.
Device Information
We generate a unique, anonymous device identifier (SHA256 hash) to track device limits per subscription tier. This identifier cannot be used to identify you personally.
How We Use Your Information
- Provide and maintain our service
- Calculate and display your token savings
- Process subscription payments
- Improve our optimization algorithms
- Send important service updates (opt-in for marketing)
- Prevent fraud and enforce our terms
Legal Bases for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide you with the Superstack service (account data, usage metrics, payment processing)
- Legitimate interests: Improving our optimization algorithms, preventing fraud, and ensuring service security
- Consent: Marketing communications and newsletter subscriptions (opt-in only, withdrawable at any time)
- Legal obligation: Retaining billing records as required by tax and accounting laws
Data Storage and Security
Your data is stored securely using industry-standard practices:
- Database hosted on Neon (PostgreSQL with encryption at rest)
- All data transmitted over HTTPS/TLS
- Authentication via secure OAuth 2.0 providers
- Local data stored in ~/.claude-superstack/ with user-only permissions
Third-Party Services
We integrate with the following third-party services:
Polar
Payment processing. Polar handles all payment information and is PCI-DSS compliant. We do not store your credit card details.
Anthropic
Claude API provider. Your prompts are sent to Anthropic for processing. See Anthropic's Privacy Policy.
OAuth Providers
GitHub and Google for authentication. We only receive your email address and basic profile information.
Resend
Transactional email delivery for account notifications, support ticket confirmations, and service updates. See Resend's Privacy Policy.
Cloudflare Turnstile
Bot protection for our contact and newsletter forms. Turnstile verifies that form submissions come from real users without using CAPTCHAs. See Cloudflare's Privacy Policy.
Sendy
Newsletter delivery for opted-in subscribers. If you subscribe to our newsletter, your email address and name are shared with our self-hosted Sendy instance for email delivery. You can unsubscribe at any time via the link in each email.
Federated Learning (Opt-In)
We offer an optional federated learning feature that shares anonymized optimization metrics to improve our algorithms for all users. This is disabled by default and can be enabled in your settings.
If enabled, we share only:
- Anonymous device ID (SHA256 hash)
- Token savings ratios
- Model usage patterns
We never share prompt content, project names, or personally identifiable information.
Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and data
- Portability: Export your data in a standard format
- Opt-out: Unsubscribe from marketing communications
To exercise these rights, contact us. We will respond to all subject access requests within 30 days. If we need additional time (up to 60 more days for complex requests), we will notify you of the extension and the reason.
Account Deletion: You can delete your account at any time by navigating to Settings → Danger Zone → Delete Account in your dashboard. Upon requesting deletion, your account enters a 7-day grace period during which the deletion can be cancelled. After the grace period, all account data is permanently deleted within 30 days.
Data Export: You can export a copy of your data at any time from Settings → Data Export in your dashboard. The export includes your profile information, usage metrics, and subscription history in JSON format.
California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Opt-Out of Sale: We do not sell your personal information to third parties
To exercise your CCPA rights, contact us. We will verify your identity before processing any request.
International Data Transfers
Superstack is operated from the United States. If you are accessing our service from outside the United States, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms to ensure your data receives adequate protection.
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, as required by GDPR. Notification will be sent via the email address associated with your account and will include the nature of the breach, the data affected, and steps we are taking to address it.
Data Retention
We retain your data for as long as your account is active. Usage metrics are retained based on your subscription tier:
- Pro: 90 days
- Team: 365 days
- Enterprise: Unlimited
Upon requesting account deletion, your account enters a 7-day grace period during which you can cancel the deletion request. After the grace period, all personal data and usage metrics are permanently deleted within 30 days, except where retention is required by law (e.g., billing records).
Children's Privacy
Superstack is not intended for users under 13 years of age. We do not knowingly collect information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the service. Your continued use after changes constitutes acceptance.
Cookies
Superstack uses essential cookies only. These cookies are strictly necessary for the operation of our service:
- Session cookies: Maintain your login session
- Authentication cookies: Securely identify your account
With your consent, we use anonymous analytics cookies from Google Analytics and PostHog to understand how visitors use our site and improve the experience. These are only loaded after you accept the cookie banner. You can decline analytics cookies and still use the full site. We do not use advertising cookies.
Contact Us
If you have questions about this Privacy Policy, contact us at:
Email: Contact us