Privacy Policy
Effective date: March 21, 2026
Last updated: March 21, 2026
REMstack ("we," "us," "our") is operated by Maksim Mezhigurskii, enskild firma registered in Sweden. This Privacy Policy explains how we collect, use, and protect your personal data when you use remstack.io (the "Platform").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller for the Platform is:
- Name: Maksim Mezhigurskii
- Business form: Enskild firma, Sweden
- Email: help@remstack.io
- Website: remstack.io
2. What Data We Collect
Account Data
- Email address
- Username / display name
- Password (hashed; we never store plaintext passwords)
- Account creation date
Practice Data (provided by you)
- Dream journal entries
- Practice session logs (techniques, supplements, results, timestamps)
- Protocol settings and preferences
- Notes and tags
Sleep Data (with your consent)
- Data synced from wearable devices (e.g., Polar) including sleep stages, REM windows, heart rate variability
- This data is only collected when you explicitly connect a device
Technical Data (collected automatically)
- IP address (anonymized)
- Browser type and version
- Device type
- Pages visited and time spent
- Referral source
Analytics Data
We use privacy-friendly analytics (without cookies) to understand how the Platform is used. This data is aggregated and cannot identify individual users.
3. How We Use Your Data
We use your data to:
- Provide the Platform: Display your dashboard, track progress, generate analytics and correlations
- Improve the Platform: Understand usage patterns, fix bugs, develop new features
- Communicate with you: Send account-related notifications, respond to support requests
- Generate aggregated statistics: Create anonymous, aggregated insights across all users (e.g., "which techniques have the highest success rate"). Individual users are never identifiable in aggregated data.
Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---------|------------|
| Providing the Platform | Performance of contract (Art. 6(1)(b)) |
| Analytics | Legitimate interest (Art. 6(1)(f)) |
| Communications | Legitimate interest (Art. 6(1)(f)) |
| Sleep data sync | Your explicit consent (Art. 6(1)(a)) |
| Marketing emails | Your explicit consent (Art. 6(1)(a)) |
4. What We Do NOT Do With Your Data
- We do not sell your personal data to third parties
- We do not share your individual practice data with other users (unless you choose to make it public)
- We do not use your data for advertising or ad targeting
- We do not share your data with data brokers
- We do not use your personal data to train AI models without your explicit consent
5. Data Sharing
We share data only with:
| Service | Purpose | Data Shared |
|---------|---------|-------------|
| Digital Ocean | Infrastructure | All data (encrypted) |
| Cloudflare | CDN, security | IP address, request data |
| Stripe | Payment processing (future) | Email, payment details |
| Polar | Sleep data sync (optional) | Authentication tokens |
All third-party processors are GDPR-compliant and process data under data processing agreements.
6. Data Storage & Security
- Location: Your data is stored on servers in the European Union (GCP europe-north1, Hamina, Finland)
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest
- Access: Only the Platform operator has access to the database
- Passwords: Stored using industry-standard hashing (never in plaintext)
- Backups: Regular encrypted backups
7. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Practice data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Technical/analytics data: Retained in anonymized form for up to 24 months.
- Backup data: Purged within 90 days of account deletion.
8. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data
- Right to data portability: Request your data in a machine-readable format (JSON)
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw consent for optional data processing (e.g., sleep data sync, marketing emails) at any time
How to Exercise Your Rights
- Delete your account: Use the account deletion feature in Platform settings, or email us
- Export your data: Use the data export feature in Platform settings, or email us
- Other requests: Email us at help@remstack.io
We will respond to all requests within 30 days as required by GDPR.
9. Cookies
The Platform uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party cookies for analytics.
If we introduce non-essential cookies in the future, we will implement a cookie consent mechanism before setting them.
10. Children
The Platform is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
11. International Data Transfers
Your data is stored and processed within the European Economic Area (EEA). If data is ever transferred outside the EEA, we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through the Platform. The "Last updated" date at the top reflects the most recent revision.
13. Supervisory Authority
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Sweden, this is:
Integritetsskyddsmyndigheten (IMY)
- Website: www.imy.se
- Email: imy@imy.se
14. Contact
For any privacy-related questions or requests:
- Email: help@remstack.io
- Website: remstack.io