1. Who we are
Stacko is a personal financial planning tool operated by [LEGAL ENTITY NAME — AWAITING REGISTRATION] (“Stacko”, “we”, “us”). We are the responsible party in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
Contact for data queries: hello@stacko.money
2. What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address (stored only as a keyed one-way hash) | Account identification and login | Consent |
| Password (bcrypt hash, not plaintext) | Authentication | Consent |
| First name, date of birth, province | Personalised projections and tax estimates | Consent |
| Financial data (assets, liabilities, income, expenses) | Core service — net worth and retirement modelling | Consent |
| Usage logs (actions, timestamps) | Security auditing and fraud prevention | Legitimate interest |
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not build advertising profiles.
3. How we store and protect your data
- Your email address is stored only as a keyed one-way hash (HMAC-SHA256). That hash is what identifies your account when you log in; the plaintext address cannot be recovered from it, so we cannot read it.
- Passwords are hashed with bcrypt (cost factor 12) — they are never stored in plaintext.
- All data is transmitted over TLS (HTTPS). Plain HTTP connections are rejected.
- Access to the database requires authentication and is restricted to application services.
- Rate limiting and audit logging are applied to all account actions.
4. Data retention
We retain your personal information for as long as your account is active. If you request deletion, your data will be permanently and irreversibly purged within 30 days. After deletion, anonymised audit log entries (with your user ID replaced by a cryptographic hash) may be retained for security purposes.
5. Cross-border data transfers
Stacko uses the following cloud infrastructure providers, which may process your data outside the Republic of South Africa:
- Vercel (hosting) — servers in the United States and Europe
- Neon (database) — PostgreSQL hosted on AWS infrastructure
- Upstash (rate limiting) — Redis hosted in the European Union
- Resend (transactional email) — email infrastructure in the United States
All providers operate under appropriate data processing agreements and industry-standard security controls. By using Stacko you consent to this processing.
6. Your rights under POPIA
You have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — update your information at any time via your account settings
- Deletion — request permanent deletion of your account and all associated data
- Objection — object to processing of your personal information
- Complaint — lodge a complaint with the Information Regulator of South Africa at www.inforegulator.org.za
To exercise any of these rights, email us at hello@stacko.money or use the account settings page to export or delete your data directly.
7. Cookies and tracking
Stacko uses a single session cookie to keep you logged in. We do not use tracking cookies, analytics cookies, or any third-party advertising technology. No data is shared with Google Analytics, Meta Pixel, or similar services.
8. Changes to this policy
We will notify registered users of material changes to this policy by email (where you have opted in to communications) and by updating the “Last updated” date above. Continued use of Stacko after changes take effect constitutes acceptance of the revised policy.
Questions about this policy? hello@stacko.money