Privacy Policy
Last updated: 17 May 2026
1. Who we are
VI Stack is operated by [FULL LEGAL NAME OF SOLE PROPRIETOR], a sole proprietor (autónomo) registered in Spain, NIF [NIF], with registered address at [REGISTERED ADDRESS, SPAIN].
For all data protection matters you can contact us by email at james@vistack.io or by post at the address above. We have not appointed a dedicated Data Protection Officer (DPO), as we do not meet the thresholds under Article 37 GDPR.
This policy describes how we collect, use, and protect personal data when you visit vistack.io or use the VI Stack platform (collectively, the “Service”). It is governed by the EU General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD), and other applicable Spanish and EU privacy law.
2. What data we collect
We collect personal data in the following categories:
a) Data you provide directly
- Account data: email address and, if provided, first name. Managed via our authentication provider Clerk.
- Waitlist submissions: email address and optional first name when you submit the waitlist form on the public landing page.
- Member-generated content: the messages you send during coaching sessions, your investing philosophy and risk framework outputs (Block 1), your curated company universe (Block 2), your research notes and verdicts (Block 3), your live positions and review notes (Block 4), and any other content you enter into the Service.
- Communications: emails or other messages you send us.
b) Data we collect automatically
- Usage and traffic data: page views, referrer URLs, country, device type, and browser data collected via Vercel Web Analytics. This data is privacy-first by design: no cookies are set, no personally identifying information is collected, and no cross-site tracking is performed.
- Technical session data: authentication session tokens (managed via Clerk session cookies), required to keep you signed in.
- IP address hash (waitlist): when you submit the waitlist form we compute a SHA-256 hash of your IP address for anti-abuse purposes. We never store the raw IP address.
c) Data we do NOT collect
- We do not collect or process payment card data. When billing is enabled in a future version of the Service, it will be handled by a PCI-compliant payment processor and this policy will be updated.
- We do not collect special categories of personal data (Article 9 GDPR) such as health, biometric, religious, or political data.
- We do not knowingly collect personal data from children under the age of 18.
3. How we use your data
We process your personal data for the following purposes and on the following legal bases (Article 6 GDPR):
| Purpose | Legal basis |
|---|---|
| Providing the coaching, research, and portfolio management features of the Service. | Performance of contract (Art. 6(1)(b)) |
| Sending you transactional emails (welcome, notifications, review reminders). | Performance of contract (Art. 6(1)(b)) |
| Sending you waitlist confirmation emails. | Consent (Art. 6(1)(a)) — given by submitting the form |
| Improving the Service through aggregated traffic analytics and prompt-cost analysis. | Legitimate interest (Art. 6(1)(f)) |
| Preventing abuse of the waitlist form (IP hashing). | Legitimate interest (Art. 6(1)(f)) |
| Complying with applicable legal and tax obligations. | Legal obligation (Art. 6(1)(c)) |
4. Third-party data processors
We rely on the following third-party service providers (“data processors” in GDPR terms) to operate the Service. We have executed or will execute Data Processing Agreements (DPAs) with each as required by Article 28 GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication and account management | United States |
| Supabase | Application database (member profiles, content, sessions) | EU / US (selected region) |
| Anthropic | AI processing for coaching sessions (Claude API) | United States |
| Resend | Transactional and waitlist email delivery | United States (AWS-backed) |
| Financial Modeling Prep (FMP) | Public market data (ticker prices, fundamentals). Only ticker symbols are sent — not personal data. | United States |
| Vercel | Hosting and edge delivery; Vercel Web Analytics | Global edge network (primarily EU/US) |
| Hostinger | Inbound email for james@vistack.io | EU |
5. International data transfers
Several of our processors are based in the United States. When personal data is transferred outside the European Economic Area, we rely on the EU Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for the transfer, supplemented by the technical and organisational measures each processor implements.
Where a processor is certified under the EU-US Data Privacy Framework, we rely on that adequacy decision in addition to SCCs.
6. Data retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
- Account data: for the duration of your account, plus up to 30 days after deletion for backup and audit purposes.
- Member-generated content: same as account data. You can delete specific content from within the Service at any time.
- Waitlist data: until you ask us to remove you, or until 24 months from your last interaction with us, whichever comes first.
- Transactional email logs: 30 days, for deliverability and abuse-prevention purposes.
- Usage and analytics data: aggregated and retained per Vercel Web Analytics' retention policy (typically 30 days for free-tier accounts).
- Records required for legal compliance (e.g. tax records): for the period required by Spanish law, typically up to 6 years.
7. Your rights under GDPR
As a data subject under the GDPR and LOPDGDD, you have the following rights:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): request deletion of your personal data, subject to our legal retention obligations.
- Right to restriction (Art. 18): limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20): receive your personal data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw any consent you have given at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD).
To exercise any of these rights, email us at james@vistack.io. We will respond within one month, as required by Article 12(3) GDPR.
8. Cookies
We use the minimum number of cookies required to operate the Service:
- Authentication cookies set by Clerk to keep you signed in. These are strictly necessary and do not require consent under EU law.
- No analytics cookies. Vercel Web Analytics, which we use, does not set cookies and does not perform cross-site tracking.
- No advertising cookies. We do not run advertising on the Service.
Because we set only strictly necessary cookies, we are not required under EU law to display a cookie consent banner. If this changes (for example, if we introduce an analytics provider that uses cookies), we will add the appropriate consent flow.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit.
- Database-level Row-Level Security (RLS) on all tables.
- Restricted access to production systems on a need-to-know basis.
- Encryption at rest for sensitive credentials stored in the database.
- Continuous monitoring of our infrastructure providers for vulnerabilities.
10. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the “Last updated” date at the top of this page. Continued use of the Service after such notice constitutes acceptance of the updated policy.
11. Contact us
For privacy questions, data subject requests, or any other matter related to this policy, contact us at:
[FULL LEGAL NAME OF SOLE PROPRIETOR]
NIF: [NIF]
[REGISTERED ADDRESS, SPAIN]
james@vistack.io