Legal

Privacy Policy

Last updated: 8 April 2026  ·  Version 1.0

1. Who We Are

This website, Stackify.co.uk, is operated by Bounce Together Ltd, a company registered in England and Wales (the “Company”, “we”, “us”, or “our”).

We are registered with the Information Commissioner’s Office (“ICO”) as a data controller under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

If you have any questions about this policy or how we handle your data, please contact us at: hello@stackify.co.uk

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:

  • Visit or use Stackify.co.uk;
  • Create an account and use our platform;
  • Connect third-party social media accounts (including Facebook and Instagram) to the platform via OAuth; or
  • Communicate with us by any means.

It applies to all users of the platform, including business owners, marketing professionals, and any other individuals who access our services.

3. Data We Collect

3.1 Account & Identity Data

When you register for an account we collect your email address and, where provided, your name and organisation details.

3.2 Usage & Platform Data

We collect data about how you use the platform, including campaigns you create, content you generate or upload, brand assets, documents, and project settings.

3.3 Social Media Account Credentials (OAuth)

Where you choose to connect a Facebook Page or Instagram Business Account to the platform via our OAuth integration, we collect and store the following on your behalf:

  • Your Meta platform user ID and display name or page name;
  • OAuth access tokens and, where applicable, refresh tokens issued by Meta (Facebook/Instagram);
  • Token expiry information.

These credentials are stored securely in our database and are used solely to perform actions on your connected social accounts at your explicit instruction. We do not access, read, or use your social media account credentials for any purpose other than carrying out the tasks you direct us to perform.

3.4 Technical & Log Data

Our hosting infrastructure and application may automatically collect IP addresses, browser type, device information, and access logs for security and diagnostic purposes.

3.5 Payment Data

Payment transactions are handled entirely by Stripe. We do not store full card numbers or payment credentials. We receive confirmation of payment status and a customer reference from Stripe.

4. Our Role: Data Controller and Data Processor

4.1 When We Act as Data Controller

For the personal data of our users (your account information, billing details, and platform usage data), Bounce Together Ltd acts as the data controller. We determine the purposes and means of processing that data in accordance with this policy.

4.2 When We Act as Data Processor

Where you connect your social media accounts to the platform and instruct us to publish, schedule, or otherwise interact with content on those accounts, Bounce Together Ltd acts as a data processor on your behalf.

In this capacity:

  • We process social media account credentials and content solely on your instructions and for the purpose of fulfilling the services you have requested;
  • We will not use those credentials or the content of your social accounts for our own purposes, nor share them with third parties except as strictly necessary to deliver the service (e.g. making authorised API calls to Meta on your behalf);
  • You, as the account holder, remain the data controller for any personal data contained within the content you instruct us to publish. You are responsible for ensuring you have the appropriate legal basis and permissions to publish that content.

5. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to provide the services you have signed up for, including account management, content scheduling, and social media publishing on your instruction.
  • Legitimate Interests (Article 6(1)(f)): Maintaining platform security, preventing fraud, and improving our services where this does not override your rights.
  • Legal Obligation (Article 6(1)(c)): Where we are required to process or retain data to comply with applicable law.
  • Consent (Article 6(1)(a)): Where you have given explicit consent, such as when connecting a third-party social account via OAuth. You may withdraw this consent at any time by disconnecting the account within the platform.

6. Social Media OAuth Integration

Stackify integrates with the Meta platform (Facebook and Instagram) via OAuth 2.0 to allow you to connect your Facebook Pages and Instagram Business Accounts directly to your project workspace.

When you initiate a connection:

  • You are redirected to Meta’s authorisation page where you grant Stackify the specific permissions required to manage and publish to your account;
  • Upon authorisation, Meta issues us a secure access token. We store this token encrypted in our database and use it exclusively to act on your instructions within the platform;
  • We request only the permissions necessary to deliver the service: page management, content publishing, and basic account information;
  • You can revoke our access at any time, either by disconnecting the account within the Stackify platform, or directly through your Facebook or Instagram account settings. Upon deauthorisation, we will deactivate the associated credentials in our system.

Access tokens are subject to Meta’s own terms of service and platform policies. We are not responsible for changes to Meta’s API, permissions model, or data practices.

7. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and improve the Stackify platform;
  • Authenticate your identity and maintain the security of your account;
  • Execute content publishing and scheduling tasks on connected social accounts at your instruction;
  • Process payments and manage your subscription;
  • Send transactional communications (e.g. account verification, service updates);
  • Comply with legal obligations.

We do not sell your personal data. We do not use your data for automated profiling or for advertising purposes.

8. Data Sharing & Third Parties

We share personal data only where necessary:

  • Supabase: Our database and authentication infrastructure provider. Data is stored on servers within the EU/EEA. Supabase acts as a data processor under a data processing agreement.
  • Stripe: Payment processing. Stripe is an independent data controller for card and payment data under their own privacy policy.
  • Meta (Facebook / Instagram): When you connect a social account, we make API calls to Meta on your behalf using your authorised credentials. No additional personal data is shared with Meta beyond what is required to fulfil those API requests.
  • Google (Generative AI): We use Google’s Generative AI API to assist with content generation features. Content you submit for generation may be processed by Google’s infrastructure. Please review Google’s API terms and privacy documentation for further information.

We do not share data with any other third party except where required by law or with your explicit consent.

9. Data Retention

We retain your personal data for as long as your account is active and for a period thereafter as required by law or legitimate business need (typically no more than 7 years for financial records, in line with HMRC requirements).

Social media access tokens are retained until you disconnect the account, the token expires, or you close your Stackify account. Deauthorisation signals received from Meta will immediately deactivate the associated token in our system.

Upon account deletion, we will delete or anonymise your personal data within 30 days, unless retention is required by law.

10. International Transfers

Your data is primarily stored within the UK and EU. Where data is transferred outside of the UK/EEA (for example, through third-party service providers), we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs).

11. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to Erasure: You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to Restriction: You can ask us to restrict processing of your data in certain circumstances.
  • Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent (e.g. social account connections), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at hello@stackify.co.uk. We will respond within one month in accordance with UK GDPR requirements.

If you are not satisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk/make-a-complaint.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted data storage, HTTPS-only communication, access controls, and regular security reviews.

OAuth access tokens are stored in our secured database and are never exposed in client-side code or transmitted in URLs in their complete form.

No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by law.

13. Cookies

We use strictly necessary cookies to maintain your authenticated session and to support the OAuth flow (including short-lived, server-set cookies used during social account connection). We do not use tracking cookies, advertising cookies, or third-party analytics cookies without your consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the platform. The “Last updated” date at the top of this page reflects the most recent revision.

Continued use of the platform after changes take effect constitutes your acceptance of the updated policy.

15. Contact Us

Bounce Together Ltd
Trading as Stackify at Stackify.co.uk
Registered in England & Wales
ICO Registered
Email: hello@stackify.co.uk

← Back to home