Privacy Policy

Last updated: March 9, 2026

Who we are

Supastack is operated by Kill The Dragon GmbH, Dürergasse 3 / TOP 4 / HOF, 1060 Vienna, Austria. We are the data controller for the personal data processed through this service.

Contact: lets@killthedragon.com

What we collect

  • Account data. Email address, name, and hashed password when you register.
  • Content data. Text, images, and videos you create and publish through Supastack.
  • Platform connections. Your social accounts are connected via Ayrshare, our publishing partner. Ayrshare holds the platform OAuth tokens — we store only a reference key to your Ayrshare profile.
  • Usage data. Actions within the app (publishing, scheduling, analytics views) for audit logging.
  • Analytics data. Performance metrics fetched from connected platforms to calculate your Stack Score.
  • Technical data. IP address, browser type, and device info from server logs. No tracking cookies.

Why we process it

  • To provide and operate the Supastack service (contract performance).
  • To authenticate you and keep your account secure.
  • To publish content to your connected social platforms on your behalf.
  • To calculate Stack Score and display analytics.
  • To run content safety checks before publishing.
  • To maintain audit logs for team accountability.

Third-party services

  • Ayrshare (USA). Social media API for publishing and analytics. Your content is sent to Ayrshare to execute publishes. Ayrshare also holds the OAuth tokens for your connected social accounts.
  • Neon (PostgreSQL). Database hosting. Data transfer safeguards apply under EU Standard Contractual Clauses where applicable.
  • Vercel (USA). Application hosting and serverless functions. Requests may be processed in the US or EU depending on edge routing.
  • OpenAI (USA). Content safety checks (optional, team setting). Post text may be sent for moderation scoring. OpenAI API data is not used for model training.

Data retention

  • Account data: kept while your account is active. Deleted within 30 days of account deletion.
  • Content data: kept while your account is active. Published items are stored until you delete them.
  • Analytics data: kept for 12 months. You can export before expiry.
  • Audit logs: kept for up to 2 years, then automatically purged.
  • Server logs: kept for 30 days.

Your rights (GDPR)

You have the right to access, correct, delete, or export your personal data. You can also object to processing or request restriction. To exercise any of these rights, email lets@killthedragon.com.

If you believe your rights have been violated, you may file a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at).

International data transfers

Some of our service providers (Ayrshare, Vercel, OpenAI) are based in the United States. Where personal data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses or equivalent safeguards to ensure adequate protection of your data.

Cookies & local storage

Supastack does not use tracking cookies, advertising cookies, or third-party analytics scripts. We use browser local storage to keep you signed in (authentication token). This data stays on your device and is cleared when you log out.

Changes

We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify you via email.