Privacy Policy

Effective Date: February 28, 2026
Last Updated: February 28, 2026

Tagstack SASU au capital de 100 euros, immatriculée au RCS de Créteil sous le numéro 100419340


This Privacy Policy explains how Tagstack ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use the TagStack website at tagstack.io and related services (the "Service").

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Data Controller

The data controller responsible for your personal data is:

Tagstack
Operated by Lucas, sole proprietor
Based in France
Email: [email protected]

For any questions or requests regarding your personal data, please contact us at [email protected].

2. Personal Data We Collect

Data You Provide

  • Account data: Email address (required for account creation)
  • Payment data: Billing information processed by Stripe (we do not store your credit card details)
  • Support data: Any information you provide when contacting us via email or live chat (Crisp)
  • Scan data: Website URLs you submit for scanning and the resulting scan data

Data Collected Automatically

  • Usage data: Pages visited, features used, scan frequency, and interactions with the Service
  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution
  • Cookies and similar technologies: Session cookies, analytics cookies, and functional cookies (see Section 7)
  • Log data: Server logs including access times, referring URLs, and error logs

Data We Do Not Collect

  • We do not collect your name, phone number, or physical address during signup
  • We do not collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, etc.)
  • We do not knowingly collect data from children under 18

3. How We Use Your Data

We process your personal data based on the following legal bases under the GDPR:

Performance of Contract (Art. 6(1)(b) GDPR)

  • Creating and managing your account
  • Providing the scanning, analysis, and reporting features
  • Processing payments and managing subscriptions
  • Delivering API and MCP access according to your plan
  • Providing customer support

Legitimate Interest (Art. 6(1)(f) GDPR)

  • Improving and optimizing the Service
  • Analyzing aggregated, anonymized usage patterns
  • Detecting and preventing fraud, abuse, and security incidents
  • Sending service-related communications (e.g., security alerts, billing notices)

Consent (Art. 6(1)(a) GDPR)

  • Analytics cookies (Google Analytics 4) — only with your consent via our cookie banner
  • Marketing communications (if you opt in)

Legal Obligation (Art. 6(1)(c) GDPR)

  • Retaining billing records as required by French tax law
  • Responding to lawful requests from authorities

4. How We Share Your Data

We do not sell your personal data. We share your data only with the following categories of recipients, and only to the extent necessary to provide the Service:

Sub-Processors

ProviderPurposeData ProcessedLocation
CloudflareHosting, CDN, database (D1), WorkersAll service dataEU
Cloudflare ZarazTag management and consentPage views, consent preferencesEU
StripePayment processingEmail, billing dataEU/US
Google Analytics 4Website analyticsUsage data, device data (anonymized)EU/US
CrispLive chat and customer supportEmail, chat messagesEU
BrevoTransactional and marketing emailsEmail addressEU
Anthropic (Claude)AI processing for MCP featuresScanned website content only (no user PII)US

Other Disclosures

We may also share your data:

  • Legal requirements: When required by law, court order, or governmental authority
  • Protection of rights: To enforce our Terms of Service or protect the rights, property, or safety of Tagstack, our users, or others
  • Business transfers: In connection with a merger, acquisition, or sale of assets (you will be notified in advance)

5. International Data Transfers

Your data is primarily stored within the European Union on Cloudflare infrastructure. However, some of our sub-processors (Stripe, Google, Anthropic) may process data in the United States.

When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework: For US-based providers that are certified under the framework
  • Standard Contractual Clauses (SCCs): As approved by the European Commission, where applicable
  • Adequacy decisions: Where the European Commission has determined a country provides adequate data protection

You may request a copy of the safeguards we use by contacting [email protected].

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:

  • Active accounts: Your data is retained for as long as your account is active
  • Deleted accounts: Your data is deleted within 30 days of account deletion, except for data we must retain for legal compliance
  • Billing records: Retained for 6–7 years as required by French tax law
  • Inactive free accounts: Accounts with no activity for 12 months may be deactivated and data may be deleted
  • Analytics data: Aggregated analytics data (non-identifiable) may be retained indefinitely
  • Support conversations: Retained for up to 24 months after the last interaction

7. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, secure, and improve the Service. We obtain your consent before placing non-essential cookies via our cookie consent banner, powered by Cloudflare Zaraz.

Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled:

  • Session cookies: Maintain your login state and session security
  • CSRF tokens: Protect against cross-site request forgery attacks
  • Consent preferences: Remember your cookie consent choices

Analytics Cookies (Consent Required)

  • Google Analytics 4: Helps us understand how visitors interact with the Service (pages visited, time on site, navigation patterns). Data is anonymized and we do not enable Google advertising features. You can opt out at any time via the cookie banner or your browser settings.

Functional Cookies (Consent Required)

  • Crisp.chat: Enables the live chat widget and remembers your chat history for a better support experience

Managing Cookies

You can manage your cookie preferences at any time by:

  • Using the cookie consent banner when it appears
  • Adjusting your browser settings to block or delete cookies
  • Using browser extensions that block tracking

Please note that disabling certain cookies may affect the functionality of the Service.

8. Your Rights Under GDPR

Under the GDPR and French data protection law, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data
  • Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Art. 18): You can ask us to limit how we process your data
  • Right to data portability (Art. 20): You can receive your data in a structured, machine-readable format
  • Right to object (Art. 21): You can object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7): You can withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal)

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days, as required by the GDPR. We may ask you to verify your identity before processing your request.

Right to Lodge a Complaint

If you believe that we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority. In France, the relevant authority is:

CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
  • Encryption at rest: Data stored in our databases is encrypted at rest on Cloudflare infrastructure
  • Access controls: Access to personal data is restricted to authorized personnel only
  • Secure authentication: We use magic link and Google OAuth authentication — we do not store passwords
  • Regular security reviews: We regularly review and update our security practices
  • Cloudflare protection: DDoS protection, WAF, and bot management via Cloudflare

While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete the data promptly.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access through our Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Material changes: We will notify you by email at least 30 days before the changes take effect
  • Minor changes: We will update the "Last Updated" date at the top of this page

Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Tagstack
Privacy inquiries: [email protected]
General support: [email protected]
Website: tagstack.io

By using Tagstack, you acknowledge that you have read and understood this Privacy Policy.