Beta notice
Stacko is currently in a closed beta. During this period your data is processed on infrastructure located outside the Republic of South Africa (see section 5). We intend to migrate to South African-hosted infrastructure before public launch.
1. Who we are
Stacko is a personal financial planning tool operated by [LEGAL ENTITY NAME — AWAITING REGISTRATION](“Stacko”, “we”, “us”). We are the responsible party in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
Contact for data queries: hello@stacko.money
2. What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Email address (stored as a one-way hash) | Account identification and login | Consent |
| Password (bcrypt hash, not plaintext) | Authentication | Consent |
| First name, date of birth, province | Personalised projections and tax estimates | Consent |
| Financial data (assets, liabilities, income, expenses) | Core service — net worth and retirement modelling | Consent |
| Usage logs (actions, timestamps) | Security auditing and fraud prevention | Legitimate interest |
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not build advertising profiles.
3. How we store and protect your data
- Your email address is stored as a one-way HMAC-SHA256 hash — we cannot read it.
- Passwords are hashed with bcrypt (cost factor 12) — they are never stored in plaintext.
- All data is transmitted over TLS (HTTPS). HTTP connections are rejected.
- Access to the database requires authentication and is restricted to application services.
- Rate limiting and audit logging are applied to all account actions.
4. Data retention
We retain your personal information for as long as your account is active. If you request deletion, your data will be permanently and irreversibly purged within 30 days. After deletion, anonymised audit log entries (with your user ID replaced by a cryptographic hash) may be retained for security purposes.
5. Cross-border data transfers
During the beta period, Stacko uses cloud infrastructure providers that process your data outside the Republic of South Africa. We have entered into data processing agreements (DPAs) with each provider:
- Vercel (hosting) — United States and Europe
- Neon (database) — PostgreSQL on AWS, United States
- Upstash (rate limiting) — Redis, European Union
- Resend (transactional email) — United States
- Anthropic (AI-generated insights) — United States. Only anonymised, aggregated financial summaries are sent — no names, email addresses, or account identifiers.
- Sentry (error monitoring) — United States. Receives technical error reports only (error type, page, browser version) — no names, email addresses, IP addresses, or financial data.
All providers operate under industry-standard security controls. We intend to migrate primary data storage and processing to South African-hosted infrastructure (Google Cloud, Johannesburg region) before public launch, which will address POPIA’s cross-border transfer requirements for most personal data. By registering during the beta you consent to this interim cross-border processing.
6a. Automated processing and AI-generated insights
Stacko uses artificial intelligence (Anthropic Claude) to generate personalised financial flags, scenario suggestions, and report summaries. Before your data is sent to Anthropic, it is anonymised: your name, email address, and all account identifiers are removed and financial figures are rounded. Anthropic does not receive data that could identify you as an individual.
AI-generated content is clearly labelled within the app and is supplementary only. Nothing generated by AI constitutes financial advice as defined under the Financial Advisory and Intermediary Services Act (FAIS). You may opt out of AI-generated insights at any time via your account settings.
7. Your rights under POPIA
You have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — update your information at any time via your account settings
- Deletion — request permanent deletion of your account and all associated data
- Objection — object to processing of your personal information
- Complaint — lodge a complaint with the Information Regulator of South Africa at www.inforegulator.org.za
To exercise any of these rights, email us at hello@stacko.money or use the account settings page to export or delete your data directly.
8. Cookies and tracking
Stacko uses a single session cookie to keep you logged in. We do not use tracking cookies, analytics cookies, or any third-party advertising technology. No data is shared with Google Analytics, Meta Pixel, or similar services.
9. Changes to this policy
We will notify registered users of material changes to this policy by email (where you have opted in to communications) and by updating the “Last updated” date above. Continued use of Stacko after changes take effect constitutes acceptance of the revised policy.
Questions about this policy? hello@stacko.money