This Privacy Policy describes how Backstack ("Backstack," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with our AI Toolkit platform and services (the "Services"). This policy applies to information collected through our website, desktop and mobile applications, and related services.
Backstack provides an AI Toolkit platform that includes an MCP (Model Context Protocol) proxy/gateway, document discovery system, desktop and mobile agents that index local files, and custom tool hosting capabilities. We are committed to transparency about our data practices and protecting the privacy of our users.
Contact Information:
Backstack
Data Protection Officer: dpo@backstack.com
Account Information: When you create a Backstack account, we collect your email address, organization name, and account credentials. For enterprise customers, we may also collect billing information, company details, and authorized user information.
Configuration Data: We collect information about your MCP configurations, including external server connections you configure through our pass-through proxy, custom tool definitions you create, and organizational access control settings.
Communications: When you contact us for support, provide feedback, or communicate with our team, we collect the content of those communications and any information you choose to provide.
Document Vector Embeddings: When you use our document discovery system, our desktop and mobile agents generate mathematical representations of your documents called "vector embeddings." These embeddings are numerical representations that capture the semantic meaning of your documents to enable intelligent search and discovery. We treat vector embeddings as personal data subject to the same security protections as the underlying source documents. Vector embeddings are encrypted using AES-256 encryption at rest and TLS 1.3 encryption in transit.
File Location Data: Our agents collect metadata about files indexed on your devices, including file paths, file names, file types, file sizes, creation dates, modification timestamps, and folder structures. This metadata enables the platform to organize and retrieve documents efficiently. File location data may contain personal information (such as usernames in file paths or author names in document metadata) and is treated as personal data under this policy.
Tool Execution Logs: We collect logs of custom tool executions, including timestamps, user identifiers, tool names, execution duration, success/failure status, and error messages. These logs are used for platform operations, debugging, security monitoring, and service improvement. Execution logs are retained according to the retention periods specified in Section 6.
Usage Data: We automatically collect information about how you interact with our Services, including features accessed, API calls made, pages viewed, time spent on pages, clickstream data, browser type and version, operating system, device identifiers, and IP addresses.
Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to collect information about your use of our Services. See our Cookie Policy (Section 11) for detailed information about the cookies we use and your choices.
Authentication Providers: If you use single sign-on (SSO) through third-party identity providers, we receive authentication information necessary to verify your identity and create your account.
Payment Processors: Our payment processors provide us with transaction confirmation and billing information necessary to maintain your subscription.
MCP Proxy Data: Our MCP proxy service acts as a pass-through gateway to external MCP servers you configure. We do not inspect, log, or store the content transmitted through the proxy. We only collect connection metadata (timestamps, connection duration, server endpoints) for operational purposes.
We use the information we collect for the following purposes:
Service Provision: To provide, maintain, and improve the Backstack Services, including document indexing and discovery, MCP proxy functionality, custom tool hosting, and organizational access control.
Communication: To send you service-related communications, including account notifications, security alerts, feature updates, and responses to your inquiries. For enterprise customers, we may send billing statements and renewal notices.
Security and Fraud Prevention: To detect, investigate, and prevent security incidents, fraudulent activity, abuse of our Services, and violations of our Terms of Service. This includes monitoring tool execution logs for anomalous behavior and analyzing usage patterns for security threats.
Product Improvement: To analyze aggregated and anonymized usage data to improve our Services, develop new features, and enhance user experience. Before using any data for product improvement, we remove all direct identifiers and apply differential privacy techniques to ensure individual users cannot be re-identified. You may opt out of having your data used for product improvement by contacting privacy@backstack.com.
Compliance: To comply with legal obligations, respond to lawful requests from public authorities, enforce our agreements, and protect our rights and the rights of our users.
Analytics: To understand how users interact with our Services, measure the effectiveness of our platform features, and generate aggregated statistics that do not identify individual users.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, our legal bases for processing personal information are:
Contractual Necessity: Processing is necessary to provide the Services you have requested under our Terms of Service, including account creation, document indexing, MCP proxy services, and custom tool hosting.
Legitimate Interests: We process certain information based on our legitimate interests in operating and improving our Services, preventing fraud and security threats, and analyzing usage patterns. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.
Consent: For optional features, marketing communications, and non-essential cookies, we process information based on your explicit consent. You may withdraw consent at any time by contacting privacy@backstack.com or adjusting your cookie preferences.
Legal Obligation: We process information when necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
Service Providers: We engage trusted third-party service providers to perform functions on our behalf, including:
All service providers are contractually obligated to protect your information, use it only for the specified purposes, and comply with applicable data protection laws. We maintain a current list of subprocessors at backstack.com/subprocessors and will provide 30 days advance notice of any changes.
Organizational Access: For enterprise accounts, authorized administrators within your organization may have access to user activity, tool execution logs, and organizational data as configured by your workspace settings.
Business Transfers: If Backstack is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.
Legal Requirements: We may disclose information when required by law, legal process, litigation, or governmental request, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with legal obligations.
Aggregated Data: We may share aggregated, anonymized information that cannot reasonably be used to identify you, including usage statistics, platform performance metrics, and industry trend analyses.
We retain your information only as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy, subject to the following retention periods:
Account Data: Retained while your account is active and for 90 days after account closure, except as required for legal or compliance purposes.
Vector Embeddings and File Metadata: Retained for 6 months from the date of last indexing or until you request deletion, whichever occurs first. Upon request, we will delete vector embeddings and file metadata immediately (within 5 business days).
Tool Execution Logs: Retained for 6 months for operational and security purposes, then automatically deleted unless retention is required for legal or compliance reasons.
MCP Configuration Data: Retained while your account is active and for 30 days after account closure to facilitate account reactivation.
Anonymized Analytics Data: Aggregated, anonymized data used for product improvement may be retained indefinitely as it cannot be associated with any individual user.
Backup Systems: Deleted data may persist in backup systems for up to 180 days following standard backup rotation cycles, after which it is permanently deleted.
Legal Hold: Data subject to legal hold, regulatory investigation, or litigation is retained until the hold is lifted or the matter is resolved.
You may request immediate deletion of your data at any time by contacting privacy@backstack.com. We will comply with deletion requests within 5 business days, except for data we are legally required to retain.
We implement comprehensive technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, and destruction:
Encryption: All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3 or higher. Vector embeddings and file location data receive the same encryption protections as underlying document content.
Access Controls: We employ role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege to limit access to personal information. Access is granted only to authorized personnel who require it to perform their job functions.
Infrastructure Security: Our platform is hosted on enterprise-grade cloud infrastructure with network segmentation, firewalls, intrusion detection systems, DDoS protection, and web application firewalls (WAF).
Monitoring and Logging: We maintain comprehensive security logs, monitor for suspicious activity, conduct regular vulnerability scans, and perform annual penetration testing by independent security firms.
Incident Response: We maintain a formal incident response plan and security incident management procedures. We are working toward SOC 2 Type I certification and have implemented controls designed to meet Trust Services Criteria for security, availability, and confidentiality.
Employee Training: All employees receive regular security awareness training and are bound by confidentiality obligations.
Limitations: Despite our safeguards, no electronic transmission or storage system is completely secure. We cannot guarantee absolute security, but we continuously work to enhance our security posture and respond promptly to any identified vulnerabilities.
Depending on your location, you may have the following rights regarding your personal information:
Access: Request access to the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal retention obligations.
Export: Request a copy of your data in a portable, machine-readable format.
To exercise these rights, contact us at privacy@backstack.com. We will respond to requests within 30 days.
Right to Restriction: Request restriction of processing in certain circumstances (e.g., while we verify accuracy of data).
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Withdraw Consent: Withdraw consent for processing based on consent at any time, without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint: File a complaint with your local data protection authority. For EEA users, see the list of supervisory authorities at edpb.europa.eu. For UK users, contact the Information Commissioner's Office (ICO) at ico.org.uk.
We will respond to GDPR requests within 30 days, with possible extension to 60 days for complex requests. We do not charge a fee for most requests unless they are manifestly unfounded, excessive, or repetitive.
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including the sources, business purposes, and categories of third parties with whom we share information.
Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., completing transactions, security purposes, legal compliance).
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Limit Use of Sensitive Personal Information: If we use sensitive personal information beyond what is necessary to provide services, you may limit such use.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf by providing written authorization.
Appeal Rights: If we deny your request, you have the right to appeal by contacting privacy@backstack.com.
To exercise CCPA rights, submit a request at privacy@backstack.com or use our privacy request portal at backstack.com/privacy-request. We will verify your identity before processing requests and respond within 45 days (with possible 45-day extension).
CCPA Data Categories Collected (Last 12 Months):
We collect this information for the business purposes described in Section 3. We share information with service providers as described in Section 5.
Backstack is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For EEA, UK, and Swiss Users: We rely on the following mechanisms for international data transfers:
Standard Contractual Clauses (SCCs): We have implemented the European Commission's Standard Contractual Clauses (2021 version) with our service providers that process data outside the EEA. Copies of our SCCs are available upon request at privacy@backstack.com.
Data Privacy Framework: For transfers to the United States, we and certain service providers may participate in the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the EU-U.S. DPF.
Transfer Impact Assessments: We have conducted Transfer Impact Assessments (TIAs) to evaluate risks associated with international transfers and implemented supplementary safeguards including encryption, access controls, and contractual protections.
Supplementary Measures: In addition to SCCs, we implement technical measures including end-to-end encryption, pseudonymization, and data minimization to protect data transferred internationally.
In the event of a data breach that is reasonably likely to result in risk to your rights and freedoms, we will:
GDPR (EEA/UK/Swiss Users): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach presents a high risk to your rights and freedoms, we will also notify you directly without undue delay.
CCPA (California Residents): Notify affected California residents and the California Attorney General as required by law.
Other Jurisdictions: Comply with applicable state and federal breach notification laws.
Notification Content: Breach notifications will describe the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, measures taken to address the breach, and recommended steps to protect yourself.
We maintain detailed incident response procedures and conduct regular breach response drills to ensure we can meet notification timelines.
We use cookies, web beacons, local storage, and similar technologies to collect information about your use of our Services. Cookies are small text files stored on your device that enable certain functionality and help us understand how you interact with our platform.
Strictly Necessary Cookies (No Consent Required):
Analytics Cookies (Consent Required):
Functional Cookies (Consent Required):
Marketing Cookies (Consent Required):
We do not currently use marketing or advertising cookies. If this changes, we will update this policy and obtain your consent.
Our Services are not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal information from children. If you are under the relevant age, do not use our Services or provide any information to us. If we learn that we have collected information from a child without parental consent, we will delete that information promptly. If you believe we may have information about a child, contact us immediately at privacy@backstack.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs. We will notify you of material changes by:
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may terminate your account as described in our Terms of Service.
Material changes include modifications to data collection practices, purposes of use, sharing with third parties, retention periods, or your rights under this policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@backstack.com
Data Protection Officer: dpo@backstack.com
Mail:
Backstack
Privacy Department
6813 W Lone Cactus Dr
Arizona, United States
For EEA/UK Users:
If you are located in the EEA or UK and have questions about international data transfers or your GDPR rights, you may contact our Data Protection Officer at dpo@backstack.com. We will respond to inquiries within 30 days.