Scope
Applies to Stackle access directly and through LMS integrations
The GDPR policy covers direct access to Stackle and access through learning management systems such as Canvas, D2L Brightspace, Moodle, and Blackboard.
GDPR Policy
How Stackle applies GDPR data protection
This policy explains how Stackle collects personal data, the lawful bases for using it, the controls around storage and cookies, and the rights available to individuals.
Read the Policy
Last updated 16 February 2026
At a Glance
The policy structure, minus the document wrapper.
A practical view of Stackle's GDPR position, from collection and lawful use through retention, cookies, and individual rights.
Processing
Operational use is separated from optional AI processing
The document distinguishes core service delivery, security, and account management from opt-in AI summarisation that runs only when organisations enable their own provider keys.
Rights
Data protection requests route through admin@stacklehq.com
The policy outlines the rights of access, rectification, erasure, restriction, objection, and portability, and directs GDPR questions and requests to Stackle's published contact address.
1. Introduction
This GDPR policy explains the categories of personal data Stackle collects, how that data is collected, how and why it is used, how it is stored and protected, and which rights individuals can exercise under the General Data Protection Regulation.
The policy applies whether Stackle is accessed directly or through a learning management system such as Canvas, D2L Brightspace, Moodle, or Blackboard. It positions privacy, transparency, and data protection as part of the way the platform is designed and operated.
2. What Data We Collect
The document separates personal data into registration data, LTI-provided data, additional data collected during use, organisation contact data, and data categories Stackle does not collect directly through the application.
2.1 Personal Data Collected at Registration
| Data | Purpose |
|---|---|
| First name | Display name and personalisation |
| Last name | Display name and personalisation |
| Email address | Account identification, notifications, and password reset |
| Password | Stored only as a bcrypt hash for authentication, never in plaintext |
| Organisation title (admin registrations only) | Configure and identify the organisation workspace |
Primary lawful basis: performance of a contract with you or your organisation.
2.2 Personal Data Received via LTI Launches
| Data | Purpose |
|---|---|
| Email (email) | Account matching and creation |
| Full name (name) | Display name |
| First name (given_name) | Personalisation |
| Last name (family_name) | Personalisation |
| Profile photo URL (picture) | Avatar display under legitimate interest |
| LTI subject identifier (sub) | Unique user-platform binding identifier |
| LTI roles | Access control and permissions mapping |
| Context ID (course) | Connect courses to Stackle workspaces |
Primary lawful basis: performance of a contract with you or your organisation, with some elements processed under legitimate interest.
2.3 Additional Data Collected During Use
| Data | Purpose / Basis |
|---|---|
| Secondary email | Optional recovery or notification email processed on consent |
| Profile photo upload | Avatar image you choose to upload, processed on consent |
| Pexels API key | Organisation or user-provided image-search integration key, processed on consent |
| Response answers | Free text, media, and other submitted content processed for core educational service delivery |
| Usage data | IP address, browser and visit diagnostics processed for security, performance, analytics, and service improvement |
| Consent status and timestamp | Maintains a record of GDPR-related consents under legal obligation |
2.4 Organisation Contact Data
| Data | Purpose |
|---|---|
| Organisation contact name | Communication and administration with the organisation |
| Organisation contact email | Communication and administration with the organisation |
| Organisation contact phone | Communication and administration with the organisation |
2.5 Data Stackle Does Not Collect Directly
| Data Type | Notes |
|---|---|
| Date of birth | Not collected directly through the application |
| Gender, ethnicity, and nationality | Not collected directly through the application |
| Home address | Not collected directly through the application |
| End-user mobile phone numbers | Not collected directly through the application |
| Government identifiers | Not collected directly through the application |
| Financial or payment card details | Not collected directly through the application |
3. How We Collect Your Data
Direct interactions when you register for an account, use Stackle, or respond to activities and prompts inside the platform.
LTI launches from your LMS, where the LMS passes claims such as name, email, and roles when Stackle is opened from the course environment.
Automated technologies and interactions that capture technical, equipment, and browsing data as you move through the website and application.
4. How We Use Your Data
The policy groups Stackle's data use into service delivery, account management, usage analysis, AI-powered summarisation, security and abuse prevention, and compliance with legal obligations.
Operationally, personal data is used to provide and maintain the service, personalise account access, verify eligibility, troubleshoot issues, optimise performance, and understand usage patterns that inform product and roadmap decisions.
The policy also states that certain data is retained or processed to meet legal, tax, accounting, and regulatory obligations, including maintaining consent records and responding appropriately if a data breach were ever to occur.
4.1 Service delivery, maintenance, and product improvement.
4.2 Account management, registrations, subscriptions, and identity checks.
4.3 Usage analysis to understand trends, feature popularity, and engagement patterns.
4.5 Security, fraud, and abuse prevention using services such as Cloudflare, reCAPTCHA, Stripe, Laravel Nightwatch, and Discord alerts where applicable.
4.6 Compliance with legal and regulatory requirements, including consent records and breach response obligations.
4.4 AI-Powered Content Summarisation
| Provider | Location | Notes |
|---|---|---|
| OpenAI (GPT) | United States | Available for summarisation via organisation-supplied API key |
| Anthropic (Claude) | United States | Available for summarisation via organisation-supplied API key |
| Google Gemini | United States | Available for summarisation via organisation-supplied API key |
| DeepSeek | China | Available for summarisation via organisation-supplied API key |
Only content text from activities or packages is sent to enabled AI providers. Names, email addresses, and other identity data are not included in those calls. The policy states providers are not used for model training and that API keys are stored per organisation for this feature only.
5. How We Store and Protect Your Data
The policy describes a multi-layered security model designed to reduce unauthorised access, disclosure, alteration, or destruction of personal data.
Stackle's production environment is described as running on Laravel Vapor with Amazon Web Services in the Asia-Pacific (Sydney) region. The policy pairs that hosting model with encryption, authentication controls, rate limiting, bot protection, and monitoring systems.
5.1 AWS RDS MySQL with encryption at rest, AWS S3 for file storage, CloudFront for static delivery, AWS WAF for rate limiting and bot control, and HTTPS with TLS 1.2+ for transport encryption.
5.2 Secure login credentials, administrator 2FA enforcement, optional TOTP and email-based 2FA for users, encrypted 2FA secrets, rate limiting, reCAPTCHA Enterprise, and AWS WAF bot controls.
5.3 Monitoring through Laravel Nightwatch, Discord alerting, and local log files for forensic review and anomaly detection.
As stated in the policy, no data breaches had been reported or identified as of that version.
6. Data Retention and 7. Marketing
The policy states that Stackle retains personal data only for as long as necessary to provide the requested services, satisfy legal, tax, and accounting obligations, resolve disputes, and support appropriate account lifecycle handling.
Core account data is retained while an account is active and for a reasonable period afterwards unless an applicable right to erasure is exercised. Temporary two-factor authentication email codes and expiry timestamps are cleared after use or expiry, and when data is no longer required the policy calls for secure deletion or anonymisation.
On marketing, the document states that Stackle does not engage in direct marketing to participants or authors within the ecosystem. It permits the use of aggregated and anonymised usage statistics for understanding interactions, illustrating system performance, or highlighting feature adoption, provided those statistics cannot be traced back to an identifiable individual.
It also states that individual answers, comments, and other user-created contributions are treated as personal input and are not used directly in marketing materials.
8. Cookies
The policy explains that cookies are small text files placed on a device to collect standard internet log information and visitor behaviour information. Stackle says it uses cookies and similar technologies to manage sessions, support authentication, protect against CSRF and related threats, support LTI launches and iframe embedding, remember opt-in login preferences, and compile aggregate interaction data.
The document also outlines cookie security measures such as Secure and HttpOnly flags where appropriate, SameSite=None where cross-site iframe contexts require it, and middleware that prunes large non-essential cookies when thresholds are exceeded.
8.3 Cookie Categories Referenced in the Policy
| Category | Examples | Purpose |
|---|---|---|
| First-party essential | stackle_session, XSRF-TOKEN, lti_bundle, stackle_lti_resume | Session identification, CSRF protection, and LTI context support |
| First-party functional | remember_web_{hash} | Persistent login when a user chooses Remember me |
| Third-party analytics | _ga, _ga_VHX33327GZ, _gid | Measure page views and usage patterns subject to consent requirements |
| Third-party security | __cf_bm, _cfuvid, _GRECAPTCHA | Bot management and security checks |
| Third-party payment | __stripe_mid, __stripe_sid | Fraud prevention and session security where Stripe is used |
The policy notes that no cookie consent banner was implemented at the time of writing and identifies analytics-cookie consent as an area for improvement under GDPR and ePrivacy requirements.
9. Rights and Contact
The GDPR policy lists the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability. It directs anyone wanting to exercise one of those rights to contact Stackle using the contact details in the document.
It also states that Stackle's privacy practices apply only to Stackle and that users should review the privacy policies of other websites or services they visit through links from the site or platform.
The document says the GDPR policy is kept under regular review, that updates will be placed on the relevant web page or provided to organisations as appropriate, and that the version reflected here was last updated on 16 February 2026.
The published contact address for GDPR questions and requests is admin@stacklehq.com. If concerns are not addressed satisfactorily, the policy says individuals may contact the Information Commissioner's Office or the appropriate data protection authority in their country of residence.