Privacy Policy | StackRefit

Website: https://stackrefit.com/
Controller: StackRefit
Address: Craiova, Romania
Privacy contact: [email protected]

StackRefit provides services for legacy PHP, WordPress, WooCommerce, Laravel, Linux, and related web systems.

1. What Data We Collect

Website and technical data

When you visit the website, we and our providers may process basic technical data such as IP address, browser, device information, pages visited, timestamps, server logs, error logs, security events, and analytics events.

We use this to operate the website, measure basic usage, keep the website secure, troubleshoot problems, and prevent abuse.

Self-check data

The StackRefit self-check is intended to work without email, signup, or stored responses. It gives an immediate informational score based on the answers selected.

If this changes, this Privacy Policy should be updated before self-check responses are stored or linked to users.

Contact and enquiry data

If you contact us or submit an audit request, we may collect the information you provide, such as:

name;
email address;
company;
role or type of requester;
rough stack details;
whether the system is yours or a client system;
whether the system is live or revenue-critical;
availability of staging, repository access, hosting, or server access;
deadlines, risks, incidents, or concerns you describe;
campaign attribution, referral source, landing page, current page, and similar lead-source details;
any other information you choose to send.

Please do not send passwords, SSH keys, API keys, .env files, database dumps, source code, customer exports, payment data, or sensitive logs through the contact form or ordinary email.

Client and project data

If we work together, we may process project-related information such as emails, call notes, proposals, contracts, invoices, technical notes, audit findings, access instructions, system URLs, repository metadata, hosting details, logs, screenshots, documentation, and other materials needed for the agreed scope.

Where possible, we prefer read-only access, least-privilege access, temporary named accounts, redacted logs, schema-only database access, sanitized staging data, and written authorization before production changes.

Incidental personal data in client systems

During technical work, we may incidentally see personal data inside a client system, such as user accounts, customer names, email addresses, order IDs, booking details, support tickets, IP addresses, or staff/admin data.

We try to avoid raw customer data unless it is necessary for the engagement and properly authorized. Where StackRefit processes personal data on behalf of a client, agency, or system owner, StackRefit will usually act as a processor and the relevant agreement, data processing agreement, statement of work, or written instructions will also apply.

2. How We Use Data

We use personal data to:

operate, secure, and improve the website;
measure website usage and understand which pages are useful;
respond to enquiries;
scope audits and technical work;
prepare proposals, contracts, and invoices;
provide agreed services;
coordinate access, approvals, support, and project communication;
document findings and deliverables;
maintain business, tax, accounting, and legal records;
protect our rights, clients, systems, and services;
comply with legal obligations.

Under GDPR, the usual legal bases are contract, steps before entering into a contract, legitimate interests, legal obligations, consent where required, and client instructions where we act as processor.

We do not sell personal data.

3. AI-Assisted Work

StackRefit may use AI tools to help draft documentation, organize notes, classify risks, create checklists, or summarize sanitized technical findings.

We do not intentionally send client code, credentials, logs, customer data, personal data, or confidential system details to external AI tools unless this is explicitly agreed for the relevant engagement.

AI-assisted outputs are reviewed by a human before being treated as final advice or deliverables.

4. Cookies and Analytics

The website uses Google Analytics, Google Tag Manager, and PostHog to understand website traffic, usage, outbound-link clicks, and contact-form conversion events. These tools may use cookies, localStorage, or similar technologies to collect information such as pages visited, approximate location, browser/device details, referral source, campaign parameters, and interactions with the website.

The website stores first-touch and last-touch attribution in localStorage so contact submissions can include source context such as UTM parameters, referrer, landing page, and current page. The website may also append StackRefit UTM parameters to outbound links so off-site traffic can be attributed.

The website also uses Cloudflare for security, performance, DNS, CDN, and abuse prevention. Cloudflare may process technical data such as IP addresses, request metadata, security events, and cookies or similar technologies needed to protect and deliver the website.

You can control cookies through your browser settings. If a cookie banner or consent tool is shown on the website, you can also use it to manage optional cookies where available.

We do not use advertising pixels, heatmaps, or session replay tools unless this policy is updated to say so.

5. Who We Share Data With

We may share data with service providers and advisers where necessary, including:

Hetzner, for website hosting and server infrastructure;
Cloudflare, for DNS, CDN, security, and performance;
Google Analytics, for website analytics;
Google Tag Manager, for managing website measurement tags;
PostHog, for product and conversion analytics;
Airtable, for lead and prospect tracking;
email, contact form, calendar, and communication tools;
project management, document, storage, proposal, and signature tools;
accounting, invoicing, banking, and payment providers;
password manager or secure access-sharing tools, where used;
professional advisers such as accountants, lawyers, insurers, or auditors;
public authorities, regulators, courts, or law enforcement where required;
relevant clients, agencies, system owners, or authorized project contacts.

We do not publish client names, system details, reports, screenshots, findings, testimonials, or case studies without permission.

6. International Transfers

Some providers may process data outside the European Economic Area, the United Kingdom, or Switzerland.

Where required, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, data processing agreements, or other lawful transfer mechanisms.

7. Retention

We keep personal data only for as long as needed for the purposes described above, unless a longer period is required for legal, tax, accounting, contractual, security, or dispute-related reasons.

Typical retention rules:

website, server, and security logs: kept for 30 days;
self-check responses: not stored, if the current no-logging setup remains unchanged;
enquiries: kept while we handle the enquiry and for a reasonable follow-up period;
proposals, contracts, invoices, and accounting records: kept as required by business, tax, and legal obligations;
audit notes, reports, screenshots, logs, and technical materials: kept for the engagement and any agreed support or retention period;
credentials and access tokens: should not be stored in reports or ordinary documents and should be revoked, rotated, or reduced when no longer needed;
accidentally received sensitive data: deleted as soon as practical, unless we are legally required to keep it.

Engagement-specific retention rules may be agreed in a contract, statement of work, data processing agreement, or written client instruction.

8. Security

We use practical technical and organizational measures appropriate to the type of work we do, including least-privilege access, read-only audit access where possible, temporary accounts, two-factor authentication where supported, secure credential sharing, redaction of sensitive data where possible, written authorization before production changes, and access removal after the engagement.

No method of transmission or storage is completely secure. If you believe sensitive information, credentials, or personal data were sent to StackRefit by mistake, contact us promptly.

9. Your Rights

Depending on where you live and which law applies, you may have the right to:

access your personal data;
correct inaccurate data;
request deletion;
restrict or object to processing;
request data portability;
withdraw consent where processing is based on consent;
object to direct marketing;
lodge a complaint with a data protection authority.

To exercise these rights, contact us at [email protected].

If your request relates to personal data held inside a client system where StackRefit acts as processor, we may need to forward the request to the relevant client, agency, or system owner.

10. Supervisory Authority

For now, StackRefit uses Romania as its relevant data protection authority. If StackRefit is later incorporated or established elsewhere, this section should be reviewed and updated.

The National Supervisory Authority for Personal Data Processing (ANSPDCP)
Website: https://www.dataprotection.ro/
Email: [email protected]
Address: 28-30 G-ral Gheorghe Magheru Bld., District 1, 010336 Bucharest, Romania

11. Marketing

We may send limited business follow-up messages related to enquiries, proposals, or existing discussions.

We will not add you to a recurring newsletter or marketing list unless a lawful basis exists and any required consent or opt-out mechanism is provided.

You can object to marketing or follow-up communications at any time by replying to the message or contacting us.

12. Children

StackRefit is intended for business users and professional contacts. It is not directed to children, and we do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top shows when it was last updated.

14. Contact

For privacy questions or requests, contact:

StackRefit
Email: [email protected]
Website: https://stackrefit.com/