Privacy Policy
Version 1.0 · Effective 2026-05-29
This policy explains what personal data AllStak collects, why we collect it, and the controls you have. It reflects what the platform actually does today — not aspirations.
1. Who we are
AllStak is operated from the Kingdom of Saudi Arabia and provides a unified observability platform (error tracking, logs, distributed tracing, infrastructure metrics, alerting). For the purposes of applicable data-protection law, AllStak is the controller of the personal data of its account holders (you and your teammates), and a processor of the telemetry your applications send to us on behalf of your end users — see our Data Processing Addendum.
2. What data we collect
Account data
- Name, email, locale, profile photo URL (if you signed in via Google OAuth).
- Authentication identifiers (external OAuth provider ID, hashed refresh-token references).
- Organization membership and role within your tenant.
- Billing identifiers tied to your subscription (we do not store full card numbers).
Telemetry data (events your apps send)
- Error reports, log lines, traces, spans, performance measurements, infrastructure metrics, request samples.
- An automated sanitizer on the ingest path scrubs fields and values whose keys match common secret patterns (passwords, OTP, MFA, API keys, bearer tokens, cookies, card numbers, IBAN, national IDs, CVV, etc.) before they are written to storage.
- You are still responsible for not deliberately attaching personal data to events. We recommend keeping payload shapes free of end-user PII at the SDK boundary.
Usage & technical data
- IP address and geolocation. If your organization sets privacy_mode = strict, city and region are dropped and only the country is retained.
- Browser, OS, device class for dashboard sessions.
- Audit-log entries for sensitive actions (logins, role changes, API-key rotation).
3. How we use it
- To run the observability service you signed up for — ingest, query, alert, and surface telemetry.
- To authenticate and authorize you and enforce tenant isolation.
- To detect abuse and protect platform security (rate limits, anomaly detection, audit trails).
- To bill your subscription and produce invoices.
- To communicate operational notices (incidents, security disclosures, policy changes). We do not send marketing email without explicit opt-in.
4. Legal bases (GDPR)
- Contract — providing the service, billing, customer support.
- Legitimate interest — security, abuse prevention, basic product analytics computed on aggregate server-side metrics, and website analytics through Google Tag Manager.
- Consent — only where required, e.g. marketing email or future non-essential cookie categories.
- Legal obligation — when responding to lawful requests from competent authorities.
5. Who we share it with
We do not sell personal data. We share it only with the sub-processors necessary to operate the service (infrastructure, payments, email delivery). The current list of sub-processors is in the Data Processing Addendum. We disclose data to authorities only when required by Saudi law or a binding legal order.
6. How long we keep it
- Account data: as long as your account exists. Within 30 days of account deletion, account records are irreversibly removed except for what we are legally required to retain (e.g. invoices).
- Telemetry: per your plan's configured retention window. Data older than the window is purged on a rolling basis.
- Audit logs: 12 months by default.
7. Where the data lives
AllStak runs production in two regions: Kingdom of Saudi Arabia (KSA) and Germany (EU). Your organization is automatically assigned to the region nearest your signup origin — Saudi and broader MENA customers land in KSA, EEA/UK customers land in Germany. Once assigned, your telemetry and account data do not cross between regions as part of normal operation. Sub-processors that process data outside your assigned region (e.g. transactional email) are listed in the DPA together with the applicable transfer mechanism.
8. How we secure it
- TLS in transit. Encryption at rest for databases and object storage.
- Tenant isolation enforced at the application layer: every authorized request is scoped through organization_members; cross-tenant access is blocked at the controller layer.
- Authentication via cookie-based JWT with refresh rotation; sessions are scoped to the active organization.
- Security response headers (CSP, Referrer-Policy no-referrer, restrictive Permissions-Policy).
- Secrets and credentials are encrypted before being written. Plain secret values are never returned to the dashboard once saved.
- Automated telemetry sanitizer scrubs likely secrets out of incoming events at ingest.
9. Your rights
Under PDPL (KSA) and GDPR (EU/EEA/UK), you can request to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Delete your account and associated personal data.
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw any consent you previously gave.
- Lodge a complaint with your local data-protection authority (in KSA: SDAIA).
Most rights can be exercised inside the dashboard (account settings → export / delete account). For anything you cannot self-serve, email [email protected]; we respond within 30 days.
10. California (CCPA / CPRA)
California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any “sale” or “sharing” of it, and to non-discrimination for exercising these rights. AllStak does not sell or share personal information for cross-context behavioral advertising. To exercise these rights, contact [email protected] or use the dashboard self-serve tools described above.
11. Children
AllStak is a B2B observability tool and is not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
12. Changes to this policy
We update the version and effective date at the top whenever we make material changes. For changes that require renewed consent, we will prompt you the next time you sign in.
13. Contact
Data Protection Officer: [email protected].