Stacked

Data Practices

PRIVACY POLICY

Short version: we collect as little as we can, we don't sell anything, and we use Netlify + Google Analytics. The long version below spells out the specifics.

Effective May 1, 2026

TL;DR. We collect your email when you subscribe to our newsletter. We log anonymized click + page-view data (with hashed IPs, not raw) so we can understand which pages are useful and which affiliate links are being clicked. We use Google Analytics. We do not sell or rent your data. You can unsubscribe or request deletion at any time.

1. Who we are

This Privacy Policy applies to Stacked (stacked-hq.com). Contact us anytime at jon@stacked-hq.com.

2. What we collect

Information you give us directly

  • Email address— when you subscribe to the newsletter from any page with a signup form. We also capture which page the signup came from (e.g. “homepage”, “blog/best-places-to-buy-peptides”) so we know which content is converting.
  • Questionnaire responses— when you use the Stack Builder, we process your answers (goals, experience, budget, constraints) to generate a personalized stack recommendation. We don't link these responses to your identity unless you also subscribe.

Information we collect automatically

  • Anonymized IP hash — we take your IP address, salt it with a secret, and SHA-256-hash it before storing. Stored hashes cannot be reversed to the original IP. We use these hashes to detect abuse patterns (e.g. a single origin submitting 100 subscriptions) without retaining the raw identifier.
  • User-agent string — the browser/OS identifier your browser sends with every request. We log this for bot filtering and compatibility diagnostics. Stored truncated to 1,000 characters.
  • Affiliate click events— when you click a “Shop” button, we record which vendor and which peptide, the source page (e.g. “price/bpc-157”), plus the IP hash + user-agent above. We use this to understand which pages drive revenue and to reconcile vendor commission statements. These click events are not linked to your email address.
  • Server logs — our hosting provider (Netlify) retains standard HTTP access logs for operational purposes (debugging, abuse detection, security).

Information our analytics collect

  • We use Google Analytics 4 for aggregate traffic analysis. Google Analytics sets cookies and collects standard web-analytics data (page views, referrers, device type, session duration). See Google's privacy policy for specifics on their data handling. You can opt out by installing the Google Analytics Opt-Out browser extension.

Information we explicitly don't collect

  • Raw IP addresses (we only store the salted hash)
  • Payment information of any kind
  • Real names, addresses, phone numbers
  • Health data, medical records, prescription details
  • Biometric data

3. How we use your data

  • Send the Stacked newsletter (new tools, price drops, vendor coverage) to subscribers
  • Deliver personalized stack recommendations when you use the Stack Builder
  • Understand which pages and tools are useful so we can invest in more of what works
  • Detect abuse (spam signups, scraping, affiliate fraud) — the hashed IP + user-agent are the primary signals
  • Reconcile vendor affiliate commission reports with our own click logs
  • Respond to your questions and support requests
  • Comply with legal obligations

We do not sell, rent, or share your email address with third parties for marketing purposes. Ever.

4. Cookies and tracking technologies

See our dedicated Cookie Policy for specifics on which cookies we and our vendors set. In short: a small number of essentials for the Site to work, plus Google Analytics for aggregate traffic patterns. Amazon Associates and the research-peptide vendors you click through to may set their own cookies on their domains — that's governed by their policies, not ours.

5. Third parties that process data on our behalf

  • Netlify — web hosting, edge functions, database (Netlify DB, powered by Neon). Data centers in the United States. See Netlify's Privacy Notice.
  • Google Analytics 4 — web analytics. Cookies + aggregate traffic data. See Google's Privacy Policy.
  • Amazon Associates— we participate in Amazon's affiliate program; Amazon sets its own cookies at amazon.com when you click an Amazon affiliate link. See Amazon's Privacy Notice.
  • Research-peptide vendors— when you click a vendor's “Shop” button, you leave the Site. That vendor's privacy policy governs anything they collect. We do not share your email with any vendor.

6. Data retention

  • Newsletter subscribers — kept until you unsubscribe. After unsubscribe, we retain a minimal record of the unsubscribe (email + timestamp) so we can honor your preference and not re-enroll you in future exports.
  • Affiliate click events — retained for up to 24 months for commission reconciliation, then deleted or aggregated.
  • Server logs— kept per Netlify's standard retention schedule (typically 30 days).
  • Google Analytics data— subject to Google's retention settings; we use the default 14 months for user-level data.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your personal data, plus the right to data portability and the right to object to processing.

  • Unsubscribe — every newsletter email includes an unsubscribe link that works in one click. You can also email us at jon@stacked-hq.com and we'll handle it manually.
  • Delete my data — email jon@stacked-hq.com with your request. We'll respond within 30 days.
  • California residents have additional rights under CCPA/CPRA including the right to know and the right to delete. We do not sell personal data; we do not knowingly process the personal data of California residents under 16.
  • EU / UK / Swiss residents have rights under GDPR / UK GDPR. Our lawful basis for processing is legitimate interest (site analytics, abuse detection) and consent (the newsletter).

8. Children's privacy

Stacked is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted information to us, email jon@stacked-hq.com and we'll delete it.

9. International data transfers

Stacked is operated from the United States. If you access the Site from outside the US, your data will be transferred to, stored in, and processed in the United States, which may have different data-protection laws than your jurisdiction. By using the Site you consent to this transfer.

10. Security

We use reasonable administrative, technical, and physical safeguards to protect the data we collect — TLS everywhere, salted-hash IP storage, limited employee access, and reputable infrastructure providers (Netlify, Neon). No online service is 100% secure; we can't guarantee absolute protection, but we take data handling seriously.

11. Changes to this policy

We may update this Privacy Policy as the Site evolves. Material changes will be announced via the Stacked newsletter and reflected in the “Effective” date at the top. Your continued use of the Site after an update means you accept the revised policy.

12. Contact

Questions, deletion requests, or concerns about how we handle your data? Email jon@stacked-hq.com. We read every email and respond within a few business days.