Privacy Policy

NSTACK Enterprises LLC ("NSTACK," "we," "us," or "our") is committed to protecting the privacy of our clients, partners, and website visitors. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website at nstack.ai, use our platform, or engage with our applied AI services.

NSTACK provides enterprise AI solutions for financial services firms, including wealth management, insurance, asset management, and customer experience platforms. This policy applies to all personal data processed through our services, whether you are a prospective client, an active client, or a visitor to our website.

By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.

Information You Provide Directly

• Contact information (name, email address, phone number, job title, company name)
• Account credentials and authentication data
• Communications you send to us (inquiries, support requests, feedback)
• Business information provided during engagement scoping and onboarding
• Payment and billing information processed through secure third-party providers

Information Collected Automatically

• Device information (browser type, operating system, device identifiers)
• Usage data (pages visited, features used, session duration, click patterns)
• Log data (IP address, access times, referring URLs)
• Performance metrics and error reports

Client Platform Data

When clients use the NSTACK platform, we may process data on behalf of our clients as a data processor. This data is governed by our enterprise service agreements and data processing addenda, not this Privacy Policy. Our clients are the data controllers for their end-user data.

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve our AI platform and applied AI services
• Communication: To respond to inquiries, provide support, and send service-related notifications
• Business Operations: To process transactions, manage accounts, and fulfill contractual obligations
• Security: To detect, prevent, and respond to security incidents, fraud, and abuse
• Analytics: To understand how our services are used and to improve user experience
• Compliance: To comply with legal obligations, regulatory requirements, and industry standards
• Marketing: To send relevant communications about our services, with your consent where required

We do not sell your personal information. We do not use client data to train general-purpose AI models. Client data processed through our platform is used solely for the purpose of delivering the contracted services.

We may share your information in the following circumstances:

• Service Providers: With trusted third-party vendors who assist in operating our platform (cloud infrastructure, analytics, payment processing), bound by confidentiality agreements
• Legal Requirements: When required by law, regulation, legal process, or governmental request
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with appropriate notice
• With Consent: When you have given explicit consent to share your information
• Aggregated Data: We may share anonymized, aggregated data that cannot reasonably identify you

We do not share client platform data with third parties except as necessary to deliver contracted services, and only under strict data processing agreements.

We retain personal information for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Specific retention periods depend on the type of data and our legal obligations.

• Account data is retained for the duration of the business relationship plus any legally required retention period
• Client platform data is retained and deleted in accordance with the terms of our enterprise service agreements
• Website analytics data is retained for up to 24 months
• Marketing communications preferences are retained until you opt out

Upon termination of a client engagement, we will delete or return all client data within the timeframe specified in the applicable service agreement, typically within 30 days.

We implement industry-standard technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls (RBAC) with least-privilege principles
• Regular security assessments, penetration testing, and vulnerability scanning
• SOC 2 Type II compliance for our platform infrastructure
• Multi-factor authentication for all administrative access
• Incident response procedures with defined escalation paths
• Employee security training and background checks

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

NSTACK is headquartered in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, and we assess the data protection laws of recipient countries.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing of your personal information for certain purposes
• Restriction: Request restriction of processing in certain circumstances
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or as required by applicable law.

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale or sharing of personal information. We do not sell personal information.

EEA, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) including the rights listed above. Our legal bases for processing include contract performance, legitimate interests, consent, and legal obligations.

As an AI platform provider, we are committed to transparency about how artificial intelligence is used in our services:

• Client Data Isolation: Each client's data is logically isolated. We do not commingle data across client environments.
• No Cross-Client Training: We do not use one client's data to train models for other clients or for general-purpose AI development.
• Model Transparency: We provide documentation about the AI models deployed in client environments, including their capabilities and limitations.
• Human Oversight: Our AI systems are designed with human-in-the-loop controls for critical decision-making processes.
• Output Ownership: AI-generated outputs produced using client data belong to the client, as specified in our service agreements.
• Bias Monitoring: We implement monitoring and testing procedures to identify and mitigate potential bias in AI outputs.

We use cookies and similar tracking technologies to enhance your experience on our website:

• Essential Cookies: Required for basic website functionality (session management, security)
• Analytics Cookies: Help us understand how visitors interact with our website (page views, navigation patterns)
• Preference Cookies: Remember your settings and preferences (theme, language)

We do not use advertising or behavioral tracking cookies. You can control cookie preferences through your browser settings. Disabling certain cookies may affect website functionality.

Our website and platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you interact with.

Key third-party service categories we use include cloud infrastructure providers, analytics services, communication tools, and payment processors. Each is bound by data processing agreements that require them to protect your information.

Our services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a revised effective date. For enterprise clients, we will provide direct notice of material changes through your designated contact.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days.