Legal

Privacy policy

What we collect, why, and how you stay in control of it.

1. Who we are

MyStack is operated by Pablo M. Hernandez, from Portugal. Contact: hello@mystack.bio for anything general, or privacy@mystack.bio for privacy and data-rights requests specifically.

The supervisory authority for data protection in Portugal is the CNPD (Comissão Nacional de Proteção de Dados). You can lodge a complaint with them at any time, whether or not you contact us first.

2. What this service is

MyStack lets you document your own health protocol — supplements, experiments, lab measurements, life events — and decide, item by item, whether to publish it on your public page. Nothing is public until you choose to make it so.

3. Data we process

  • Account. Email, password hash, your handle, and an optional display name.
  • Health data you enter. Supplements and medications with doses and dose periods, lab measurements, experiments, life events, and any free-text notes you write. This is special-category data under GDPR Article 9.
  • Import pastes. If you use the paste-to-import feature, the text you paste is sent to an AI model to be structured into rows — it is not used to train any model.
  • Technical data. Server logs (IP address, user agent) kept for security purposes, and cookieless analytics on public pages only — your dashboard is never tracked.
  • Cookies. Only the session cookie needed to keep you signed in. No tracking or advertising cookies.

4. Legal bases

We process account and health data under contract, to run the service you asked for. Making any piece of health data public requires your explicit consent (Article 9(2)(a)) — recorded with a timestamp and the version of the consent text you agreed to, visible in your settings. Security and abuse-prevention processing rests on our legitimate interest in keeping the service usable.

You can withdraw consent at any time by unpublishing (instant) or deleting your account. Withdrawing consent doesn't undo the lawfulness of processing that already happened.

5. Where data lives

Your data is stored in Postgres, hosted in Frankfurt, Germany (Neon, EU region). The application is hosted and delivered by Vercel, including the global CDN that makes public pages fast to load — that CDN reach is what "public" means for a page you choose to publish.

6. Who else processes data on our behalf

ProcessorPurposeWhere
VercelHosting, delivery, function executionGlobal (US-based company, SCCs)
NeonDatabaseFrankfurt, EU
Vercel AI Gateway → AnthropicStructuring text you paste into the importer only; no training, transientUS, SCCs / DPF
GoogleSign-in, only if you choose Google sign-inUS, SCCs / DPF
PlausibleCookieless analytics, public pages onlyEU-hosted

7. Publishing means public

A page you publish is on the open web: it can be crawled by search engines, cached, and shared as a preview card on social platforms. Unpublishing removes it from MyStack immediately, but copies cached elsewhere — a search index, a chat app's link-preview cache — may persist for a while outside our control.

8. Retention

We keep your data until you delete it. Deleting your account is immediate and permanent — there is no soft-delete limbo. Database backups age out on our provider's normal cycle. (Whether a minimal record of past consent may be retained after account deletion, for our own legal defensibility, is a question we're parking for a formal legal review before we scale up; today, your consent log is deleted along with everything else.)

9. Your rights

  • Access / portability.The "download my data" button in settings gives you a complete JSON export.
  • Rectification. Edit anything yourself, any time, in the dashboard editors.
  • Erasure. The delete-account button in settings.
  • Objection, restriction, complaint. Email us, or contact the CNPD directly.

10. No profiling, no ads

We don't build profiles of you, we don't make automated decisions about you, we don't run ads, and we never sell your data.

11. Minors

MyStack is for adults. You must be 18 or older to use it.

12. Changes to this policy

This policy is versioned. If we make a material change, we'll announce it on the site, not just quietly edit this page.

Last updated 4 July 2026 · questions to hello@mystack.bio