Privacy Policy
Last updated: April 13, 2026
This Privacy Policy explains how Willow Stories FlexCo, Rotenlöwengasse 15/5, 1090 Vienna, Austria ("we", "us", "Willow Stories") collects, uses, shares, and protects personal data in connection with the Quack Stack service ("the Service"). We comply with the EU General Data Protection Regulation (GDPR) and Austrian data protection law.
This policy covers personal data relating to:
- Visitors to our marketing website at quack-stack.com.
- Users of the Quack Stack application at app.quack-stack.com.
- End users whose personal data appears in Customer Data (for example, names in interview transcripts or support tickets that a customer uploads).
Who we are (data controller)
For personal data of website visitors and account holders, the data controller is:
Willow Stories FlexCo
Rotenlöwengasse 15/5
1090 Vienna, Austria
Privacy contact:
privacy@quack-stack.com
We do not have a statutory Data Protection Officer. For data protection questions, please contact privacy@quack-stack.com.
For personal data contained in Customer Data that a paying customer uploads to the Service (for example, interview transcripts, support tickets, or CRM exports), our customer is the data controller and we act as a data processor on their behalf. See the "Data Processing Addendum" section below for the data processing terms that apply in that relationship.
What we collect
Account and workspace data
- Name
- Email address
- Password (stored only as a hash)
- Profile photo (if you upload one)
- Workspace name and membership
- Timezone, locale, and display preferences
Billing data (for paid Subscriptions, not yet active)
- Billing contact name and email
- Company name and billing address
- VAT number (where applicable)
- Payment method details (processed by our payment provider; we do not store full card numbers)
- Invoice history
Usage and telemetry
- Pages visited and features used within the Service
- Clicks, scroll depth, and interaction events
- Session timestamps and duration
- Browser type, operating system, device type, approximate location (from IP), and referring URL
- Error reports and stack traces (with related context such as URL, user ID, and request parameters; see the note on Sentry below)
Customer Data that you submit to the Service, which may include:
- URLs, web pages, and content you ask us to scrape or analyse
- Documents and files you upload
- Competitor names, pricing information, and positioning notes
- Interview transcripts, meeting recordings, and support conversations
- Slack messages from channels you connect to the Service
- Strategy documents, experiment plans, and research notes
- Anything you type into Quack Stack's chat interfaces
Customer Data often incidentally contains personal data of third parties (for example, the name of an interviewee or a support ticket author). The "Data Processing Addendum" section below explains our role in respect of that data.
Communications
- Messages you send us via email, in-app chat, or support channels.
- Responses to surveys and feedback forms.
How we collect it
- Directly from you: when you create an Account, subscribe to a plan, upload content, send us a message, or use the Service.
- From your browser or device: when you visit our website or use the Service (cookies, session tokens, analytics events).
- From third-party integrations you connect: when you authorise the Service to access a third-party tool such as Slack, we collect data from that tool within the scope of the permissions you grant.
- From public sources: when the Service crawls public web pages you direct it to (for example, a competitor's website) or runs broad market research, it may collect publicly available information that incidentally includes personal data of third parties (names of authors, quotes from public forums, and so on).
Why we process it (purposes and legal bases)
Under GDPR Article 6, every processing activity needs a lawful basis. Ours are:
- Providing the Service to you (creating your account, running analyses, generating insights): Account data, Customer Data, usage data. Legal basis: Contract (Art. 6(1)(b)), performance of our Terms of Service.
- Taking steps at your request before you enter into a contract (for example, during a trial): Account data, Customer Data you upload during the trial. Legal basis: Contract (Art. 6(1)(b)), pre-contractual measures.
- Sending service emails (password resets, billing notices, security alerts): Account data, email address. Legal basis: Contract (Art. 6(1)(b)).
- Sending product updates, tips, and marketing emails: Email address, name, engagement signals. Legal basis: Consent (Art. 6(1)(a)), opt-in at signup or from the marketing site, with an unsubscribe link in every email.
- Debugging and improving the Service (error reports, usage analytics): Usage data, error reports. Legal basis: Legitimate interest (Art. 6(1)(f)), our interest in running a reliable service, balanced against your privacy.
- Billing and accounting: Billing data, usage data. Legal basis: Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)), tax and accounting law.
- Preventing fraud, abuse, and unauthorised access: Account data, IP addresses, device fingerprints, error reports. Legal basis: Legitimate interest (Art. 6(1)(f)).
- Responding to legal requests and enforcing our Terms: any applicable data. Legal basis: Legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)).
Automated decision-making. The Service ranks, scores, and prioritises opportunities, experiments, and findings using AI models. These scores are decision-support outputs shown to humans who make the actual decisions. We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing within the meaning of GDPR Article 22.
Third-party subprocessors
To operate the Service we share personal data with the following subprocessors. All of them are bound by contractual obligations to protect the data and to process it only on our instructions.
- Neon: PostgreSQL database hosting. Account data and Customer Data. EU (Frankfurt).
- Railway: application hosting, compute, and persistent volume storage for project files. All data in transit, application logs, files written to the mounted volume. EU West, Amsterdam, Netherlands (GCP europe-west4). Single-region deployment with no replicas outside the EU.
- Cloudflare: CDN, DNS, R2 object storage, DDoS protection. All data in transit, static assets, generated landing pages. Global edge network with EU data residency options. International transfers under EU Standard Contractual Clauses and Cloudflare's Data Processing Addendum.
- Anthropic (Claude): AI analysis of Customer Data. Customer Data sent for analysis. USA. Transfers under EU Standard Contractual Clauses. Anthropic's commercial terms prohibit training models on customer inputs.
- Loops: transactional and marketing email delivery. Name, email, email engagement events. USA. Transfers under EU Standard Contractual Clauses.
- PostHog: product analytics for the web application and the marketing website. Account ID, pseudonymised usage events, IP address, session recordings. EU cloud (eu.i.posthog.com). No transfer outside the EU for the analytics service.
- Sentry: error monitoring and performance tracking. IP address, user agent, request URLs and headers, error stack traces, user ID, breadcrumbs (which may include partial Customer Data surfaced in error contexts). EU region. No transfer outside the EU for error reports.
- Slack (if you connect it): team communication integration. Slack user IDs, channel content from channels you authorise. USA. Transfers under EU Standard Contractual Clauses.
About Sentry specifically. Our Sentry configuration has sendDefaultPii enabled, which means error reports include the IP address, user agent, URL, request headers, cookies, and related context of the request that triggered the error. If an error occurs during processing of Customer Data, incidental portions of that Customer Data may appear in the error context (for example, in a stack trace or request body). We use this information solely to diagnose and fix errors. Error reports are retained for 30 days, after which Sentry automatically deletes them in line with the retention policy of our Developer plan.
About Google AI and image generation. The Service uses Google's Gemini API for a narrow, team-authored use case, generating stock imagery and illustrations from prompts we write ourselves (for example, team headshots, expert panel avatars, campaign visuals). Customer Data is never sent to Google. The text analysis, research synthesis, and chat conversations are handled exclusively by Anthropic (see above). We mention this here for transparency because Google may appear in outbound network logs when image generation runs.
Payment provider. Paid Subscriptions are not yet live. When they are, we will use Stripe as our payment processor and will update this subprocessor list with the specific data categories shared with it (typically billing contact, billing address, VAT number, and tokenised payment method; we do not see or store full card numbers). Stripe is US-based; transfers rely on EU Standard Contractual Clauses.
Changes to subprocessors. We may add or change subprocessors from time to time. Paying customers can request prior notice of material subprocessor changes by emailing privacy@quack-stack.com.
International data transfers
The Service is operated from the European Union. Our core infrastructure (application hosting: Railway, Amsterdam; database: Neon, Frankfurt; product analytics: PostHog, EU cloud; error monitoring: Sentry, EU region) is located within the EU/EEA. No personal data is transferred outside the EU/EEA for these services.
Some of our subprocessors are located in the United States:
- Anthropic: Customer Data sent for AI analysis.
- Cloudflare: CDN, DNS, and object storage, with EU data residency configured where available.
- Loops: transactional and marketing email delivery.
- Slack: where you choose to connect the Slack integration.
- Google: narrow use for team-authored image generation prompts only; Customer Data is not sent.
For these US transfers we rely on:
- EU Standard Contractual Clauses (Commission Decision 2021/914).
- EU-US Data Privacy Framework where the recipient is certified under that framework.
- Technical and organisational safeguards such as encryption in transit and at rest.
You can request copies of the relevant transfer agreements by emailing privacy@quack-stack.com.
How long we keep it
- Account data: for as long as your Account is active, then up to 30 days after deletion.
- Customer Data: for as long as the Workspace that contains it is active, then up to 30 days after Workspace termination for export, then deleted.
- Backups (including Customer Data): up to 90 days, then overwritten.
- Billing records and invoices: 7 years (Austrian tax law requirement).
- Marketing email subscribers: until you unsubscribe, then email is removed within 30 days.
- Error reports (Sentry): 30 days (Sentry Developer plan).
- Product analytics events (PostHog): 1 year guaranteed, then moved to cold storage (PostHog free plan).
- Session recordings (PostHog): 30 days (PostHog free plan).
- Server access logs: 30 days.
- Aggregated, anonymised data: indefinitely (no longer personal data once anonymised).
We will retain data longer where required by law, to resolve disputes, or to enforce our Terms.
Your rights under GDPR
You have the following rights regarding your personal data:
- Access: ask what personal data we hold about you and receive a copy.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your personal data, subject to legal retention obligations.
- Restriction: ask us to limit how we process your data.
- Objection: object to processing based on legitimate interests.
- Portability: receive your data in a structured, commonly-used, machine-readable format and ask us to transmit it to another controller.
- Withdraw consent: where processing is based on consent (for example, marketing emails), you can withdraw consent at any time.
- Not be subject to automated decisions: you can ask for human review of any automated decision that has a legal or similarly significant effect on you. (We do not believe we make such decisions, but you can always ask.)
To exercise any of these rights, email privacy@quack-stack.com. We will respond within one month (extendable to three months for complex requests, with notice to you). We do not charge for responding to rights requests unless they are manifestly unfounded or excessive.
If your personal data is in Customer Data held by one of our customers (for example, you are an interviewee whose transcript was uploaded to the Service), please contact that customer directly. They are the data controller. We will forward requests to the relevant customer where we can identify them.
Right to lodge a complaint. You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Austrian Data Protection Authority (Datenschutzbehörde):
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna, Austria
https://www.dsb.gv.at
You may also lodge a complaint with the supervisory authority in your EU member state of residence.
Cookies and similar technologies
We use cookies and similar technologies sparingly. Specifically:
- Essential session cookie: qs_session. Keeps you logged in. Strictly necessary for the Service to function. No consent is required for essential cookies.
- PostHog analytics cookies: first-party cookies for product analytics. PostHog is loaded on both the web application (app.quack-stack.com) and the marketing website (quack-stack.com), both configured to send data to the EU cloud (eu.i.posthog.com). PostHog is the only analytics tool we use.
- No third-party advertising or tracking cookies. We do not use Google Analytics, advertising pixels, remarketing tags, or cross-site tracking.
You can disable cookies in your browser settings, but doing so may prevent the Service from working correctly (you will not be able to log in without the essential session cookie).
Security
We take reasonable technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) for all traffic to and from the Service.
- Encryption at rest for databases and object storage.
- Password hashing using industry-standard algorithms.
- Role-based access controls on our infrastructure.
- Regular backups with access restricted to authorised personnel.
- Logging and monitoring of administrative actions.
- Security reviews of code and infrastructure.
No internet-based service can be 100% secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Austrian Datenschutzbehörde within 72 hours of becoming aware (as required by GDPR Article 33) and, where required, notify affected users without undue delay.
Children
The Service is not intended for, directed at, or designed for use by children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact privacy@quack-stack.com and we will delete it.
Data Processing Addendum (inline DPA)
When this section applies. When you (as a customer, represented by a Workspace Owner) upload Customer Data to the Service that contains personal data of third parties (your employees, your customers, interviewees, support ticket authors, and similar), you act as the data controller of that personal data and we act as your data processor. This section, together with the Terms of Service, constitutes the data processing agreement between us under GDPR Article 28. No separate signed DPA is required for you to have GDPR-compliant processing terms in place with us; these apply automatically when you use the Service.
Subject matter and duration. We process personal data on your behalf for the duration of your Subscription, for the purpose of providing the Service as described in our Terms.
Nature and purpose of processing. Hosting, storing, structuring, analysing, synthesising, and returning insights derived from the Customer Data you upload, using the AI providers and other subprocessors listed in "Third-party subprocessors" above.
Types of personal data and categories of data subjects. Determined by you, but typically include: names, email addresses, job titles, organisations, quotes, and free-text content relating to your customers, prospects, employees, interviewees, competitors' public communications, and support ticket authors.
Our obligations as processor (GDPR Art. 28(3)). We will:
- Process personal data only on your documented instructions, which include your use of the Service and any written instructions you give us through the Service. If applicable law requires us to process data beyond your instructions, we will inform you before doing so unless that law prohibits such notification.
- Ensure that personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures as described in the "Security" section above.
- Engage subprocessors only under written agreements that impose data protection obligations equivalent to those in this section. Current subprocessors are listed in "Third-party subprocessors" above. We will give you notice of material changes to the subprocessor list and you may object by terminating your Subscription.
- Assist you, taking into account the nature of processing and the information available to us, with responding to data subject rights requests, data protection impact assessments, and consultations with supervisory authorities.
- Notify you without undue delay after becoming aware of a personal data breach affecting your Customer Data.
- On termination of your Subscription, delete or return (at your choice) all Customer Data, except where applicable law requires retention. Backups will be overwritten within 90 days.
- Make available to you information reasonably necessary to demonstrate compliance with Article 28. Subject to confidentiality obligations, we will respond to reasonable audit requests (which we normally satisfy with existing certifications, reports, and documentation rather than on-site audits).
Your obligations as controller. You represent and warrant that:
- You have a lawful basis to process the personal data you upload and to have us process it on your behalf.
- You have provided all required notices to data subjects.
- Your instructions to us comply with applicable data protection law.
- You will not upload personal data where the Service is not an appropriate processor (for example, where a specific regulatory regime applies that we have not agreed to support).
International transfers. Where your Customer Data contains personal data of EU/EEA data subjects and we transfer that data to a subprocessor outside the EU/EEA, we rely on the EU Standard Contractual Clauses and additional safeguards as described in "International data transfers" above.
Signed DPA. If your compliance programme requires a separately signed Data Processing Agreement on paper or your own template, email privacy@quack-stack.com and we will provide one. The inline DPA in this section is the default and applies to all paying Subscriptions automatically.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email and/or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this policy shows when it was most recently revised.
Contact
For any privacy question, complaint, or to exercise your rights:
Email: privacy@quack-stack.com
Post:
Willow Stories FlexCo
Attn: Privacy
Rotenlöwengasse 15/5
1090 Vienna, Austria