Scope
Website and LMS application
This policy applies to stacklehq.com and the Stackle LMS application, including access through Canvas, D2L Brightspace, Moodle, and Blackboard via LTI.
Privacy Policy
How Stackle collects, protects, and uses personal data
This policy explains what personal data Stackle collects, why it is used, how it is protected, and what institutions, educators, and learners can expect in practice.
Read the Policy
Last updated 03 March 2026
At a Glance
The operating summary before the detail.
An overview of the operating position first, followed by the detailed policy sections below.
Role
Processor for institutions, controller for direct interactions
Stackle acts as a data processor for institutions that deploy the platform and as the data controller where people interact with Stackle directly through the website or direct registration.
Contact
Privacy requests go to admin@stacklehq.com
Stackle will acknowledge privacy requests within 5 business days and respond within 30 days. The registered organisation is fully remote and based in Australia.
1. Introduction
Welcome to Stackle. We are committed to protecting your personal data and being transparent about how we collect, use, and safeguard it.
This Privacy Policy applies to the Stackle website at stacklehq.com and the Stackle LMS application, including access through Learning Management Systems such as Canvas, D2L Brightspace, Moodle, and Blackboard using LTI.
It explains what personal data we collect, why we collect it, how we protect it, and what rights you have. It applies to students, instructors, organisation administrators, and website visitors.
2. Who We Are
Stackle Pty Ltd is an Australian-registered company that provides learner portfolio and learning journal software for educational institutions.
Registered address: Australia. Stackle is a fully remote organisation. Contact email: admin@stacklehq.com.
Stackle acts as a data processor on behalf of educational organisations that deploy Stackle for their students and staff. Those organisations are the data controllers for their users' personal data. Where individuals interact with Stackle directly, including through direct registration or the website, Stackle acts as the data controller.
3. What Data We Collect
The policy distinguishes between registration data, LMS-delivered data, data collected during use, organisation contact data, and data Stackle does not collect directly.
3.1 Data Collected at Registration
| Data | Purpose |
|---|---|
| First name | Display name and personalisation |
| Last name | Display name and personalisation |
| Email address | Account identification, notifications, and password reset |
| Password | Stored only as a bcrypt hash, never in plaintext |
| Organisation title (admin only) | Configure and identify the organisation workspace |
Lawful basis: performance of a contract with you or your organisation.
3.2 Data Received via LTI Launches
| Data | Purpose |
|---|---|
| Email address | Account matching and creation |
| Full name | Display name |
| First name | Personalisation |
| Last name | Personalisation |
| Profile photo URL | Avatar display |
| LTI subject identifier (sub) | Unique user-platform binding |
| LTI roles | Access control and permissions |
| Context ID (course) | Connect courses to Stackle workspaces |
Lawful basis: performance of a contract with you or your organisation, with some elements processed under legitimate interest, such as profile photo URL.
3.3 Data Collected During Use
| Data | Purpose / Lawful Basis |
|---|---|
| Secondary email | Optional recovery or notification email you provide, processed on consent |
| Profile photo uploads | Avatar image you choose to upload, processed on consent |
| Pexels API key | Organisation or user-supplied image search integration key, processed on consent |
| Response answers | Free text, media, and other content submitted in activities, processed for contract performance |
| Usage data | IP address, browser type and version, page visit duration, and device diagnostics for security, analytics, and service improvement under legitimate interest |
| Consent status and timestamp | Record of cookie and privacy consents for legal compliance |
3.4 Organisation Contact Data
| Data | Purpose |
|---|---|
| Organisation contact name | Communication and administration with the organisation |
| Organisation contact email | Communication and administration with the organisation |
| Organisation contact phone | Communication and administration with the organisation |
3.5 Data We Do Not Collect Directly
| Data Types Not Collected | Notes |
|---|---|
| Date of birth | Not collected through the application |
| Gender, ethnicity, or nationality | Not collected through the application |
| Home address | Not collected through the application |
| End-user mobile phone numbers | Not collected through the application |
| Government identifiers | Not collected through the application |
| Financial or payment card details | Not collected directly through the application |
4. How We Collect Your Data
Direct interactions, including when you register, use Stackle, or respond to activities.
LTI launches, where your LMS passes claims such as name, email, and roles when you open Stackle via LTI.
Automated technologies that collect usage and technical data as you navigate the website and application.
Cookie consent choices, which are recorded and stored so your preferences can be honoured on return visits.
5. How We Use Your Data
Stackle uses personal data to provide, maintain, and improve the service; manage accounts and registrations; and facilitate access to the appropriate parts of the platform.
Usage data is analysed only where analytics consent has been given. Stackle uses those insights to understand usage trends, feature adoption, and engagement patterns that inform product and business planning.
Stackle also processes data to meet legal, tax, accounting, and regulatory obligations, including maintaining records of consent where required by law.
5.1 AI-Powered Content Summarisation
| Provider | Location | Notes |
|---|---|---|
| OpenAI (GPT) | United States | Also used by Stackle for support conversations |
| Anthropic (Claude) | United States | Organisation-supplied key, optional and opt-in |
| Google (Gemini) | United States | Organisation-supplied key, optional and opt-in |
| DeepSeek | China | Organisation-supplied key, optional and opt-in |
Only content text from activities or packages is sent to enabled AI providers. Names, email addresses, and LTI identifiers are not included. AI providers do not use this data to train their models. API keys are stored encrypted per organisation.
5.2 Security, Fraud, and Abuse Prevention
| Processor / Service | Purpose |
|---|---|
| Cloudflare and Google reCAPTCHA | Bot detection and DDoS protection using IP addresses, browser fingerprints, and session data |
| Stripe | Payment security and fraud prevention where applicable |
| Laravel Nightwatch | Error and performance monitoring for alerting and troubleshooting |
Lawful basis: legitimate interest in maintaining a secure and reliable service.
6. How We Store and Protect Your Data
Stackle's production environment is hosted on Laravel Cloud using Amazon Web Services in the Asia-Pacific (Sydney) region, so the primary data location is Australia.
Access to personal data is limited to authorised personnel who need it to perform their role, and security controls are layered across hosting, authentication, monitoring, and transport.
Database hosting on AWS RDS MySQL with AES-256 encryption at rest.
File storage on AWS S3 with encryption at rest.
Content delivery through AWS CloudFront.
AWS WAF for rate limiting and bot control.
HTTPS with TLS 1.2+ enforced on all connections.
Secure credentials and MFA for staff, plus mandatory 2FA for administrator accounts.
Optional TOTP app-based 2FA or email-based 2FA for users, with encrypted secrets at rest.
Rate limiting on login, 2FA, and API endpoints.
reCAPTCHA Enterprise and AWS WAF bot controls.
Laravel Nightwatch, Discord alerts, and local log files for monitoring and forensic review.
To date, no data breaches have been reported or identified in the policy text.
7. Cookies and Consent
Cookies are small text files placed on your device that collect standard internet log information and visitor behaviour information.
Stackle states that it uses cookies to identify and manage user sessions, protect against CSRF and other security threats, support LTI launches and iframe embedding, remember login preferences where you opt in, and measure usage patterns where you consent to analytics.
Cookies are set with Secure = true where required.
Most cookies are marked HttpOnly to reduce exposure to client-side scripts.
SameSite is set to None for cookies required in cross-site iframe contexts, combined with HTTPS.
A custom PruneLargeCookies middleware automatically prunes non-essential cookies that exceed size thresholds.
Users can reopen cookie preferences at any time using the Cookie Settings control, and can also configure their browser to refuse or delete cookies. Disabling essential cookies prevents Stackle from functioning correctly, especially for LTI-based access through an LMS.
7.1 Cookie Categories
| Category | Default State | User-Controlled |
|---|---|---|
| Essential | Always on | No, toggle disabled |
| Functional | Off | Yes |
| Analytics | Off | Yes |
7.2 Cookie Consent Banner
| Button | When Visible | Effect |
|---|---|---|
| Essential Only | Always | Sets functional = off and analytics = off |
| Accept All | Always | Sets functional = on and analytics = on |
| Save Preferences | When the manage preferences panel is expanded | Saves individual category toggles |
Consent choices are stored in a first-party cookie named stackle_cookie_consent with a 365-day expiry. The banner does not reappear on return visits, and a Cookie Settings button remains available in the application. Google Tag Manager is only injected dynamically after analytics consent is given.
7.3 Cookies We Use
| Cookie / Group | Provider | Purpose |
|---|---|---|
| stackle_session | Stackle | Session identification and state management |
| XSRF-TOKEN | Stackle | CSRF protection token |
| ltibundle | Stackle | LTI authentication context |
| stackle_lti_resume | Stackle | LTI session resumption in iframe contexts |
| stackle_cookie_consent | Stackle | Stores cookie consent preferences for 365 days |
| remember_web_[hash] | Stackle | Persistent login, only when you choose Remember me |
| _ga, _ga_VHX33327GZ, _gid | Google Analytics via Google Tag Manager | Measure page views and usage patterns after consent |
| __cf_bm, _cfuvid | Cloudflare | Bot management and DDoS protection |
| GRECAPTCHA | Google reCAPTCHA | Bot detection on login and registration |
| __stripe_mid, __stripe_sid | Stripe | Fraud prevention and session security where Stripe is used |
8. Data Retention, Marketing, and Data Sharing
Stackle retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including service delivery and legal obligations. When data is no longer required, Stackle applies secure deletion or anonymisation protocols.
Stackle states that it does not send direct marketing to students, authors, or participants within the platform and does not use individual user contributions in marketing materials. Aggregated and anonymised statistics may be used to understand interactions, showcase performance, or highlight feature adoption.
Stackle does not sell personal data. It shares data only with the organisation that deploys the workspace, with trusted service providers that are necessary to deliver the service, for legal compliance, or as part of a business transfer where notice would be provided.
8.1 Key Retention Periods
| Data Category | Retention Period |
|---|---|
| Core account data (name, email, authentication) | Duration of active account plus 90-day grace period after account closure |
| Student learning data with personal identifiers | 10 years from the date of collection |
| Consent records (privacy and cookie) | 7 years |
| Organisation contact data | Duration of contract plus 7 years |
| Security and audit logs | 12 months active, 7 years archived |
| Temporary 2FA email codes | Until used or expired, maximum 15 minutes |
For a full Data Retention Policy, Stackle directs requests to admin@stacklehq.com.
8.2 Third-Party Data Processors
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, and file storage | Australia (ap-southeast-2) |
| Laravel Cloud | Managed application infrastructure | Australia via AWS |
| Cloudflare | CDN, DDoS protection, and WAF | Global |
| Google (reCAPTCHA, Analytics, Tag Manager) | Bot detection and consent-gated analytics | United States |
| Stripe | Payment security where applicable | United States |
| Laravel Nightwatch | Application monitoring and error tracking | United States |
| OpenAI (GPT) | AI content summarisation when enabled, plus support conversations | United States |
| Anthropic (Claude) | AI content summarisation when enabled | United States |
| Google (Gemini) | AI content summarisation when enabled | United States |
| DeepSeek | AI content summarisation when enabled | China |
9. International Transfers and Children's Privacy
Stackle's primary storage is in Australia, but some third-party providers operate outside Australia. The policy states that Stackle takes reasonable steps to ensure international recipients handle personal data consistently with the Australian Privacy Principles and applicable data protection laws.
For EU and UK users, Stackle relies on applicable transfer mechanisms such as standard contractual clauses or adequacy decisions where personal data is transferred outside the EEA or UK.
Where an organisation enables an AI provider, content text from the platform may be processed in that provider's operating country. The policy places responsibility on organisation administrators to assess cross-border transfer risks before enabling those providers.
Stackle is used within educational institutions and may process data relating to minors. It states that it does not knowingly collect data directly from children under 13 without the involvement of an educational institution acting as the data controller. Institutions deploying Stackle for underage students are responsible for ensuring appropriate consents and notifications are in place under local law.
10. Rights, Data Breaches, and Contact
If a data breach affects personal data, Stackle states it will investigate promptly, notify affected individuals where required under the Australian Notifiable Data Breaches scheme, and notify relevant authorities and affected EU or UK individuals where applicable under GDPR.
The Stackle website and platform may contain links to third-party websites or services. Stackle's policy applies only to Stackle, and users should review the privacy policies of any third-party site they visit.
The policy is kept under regular review. When material changes are made, Stackle updates the Last Updated date and notifies users through the application or email where the changes are significant. This version supersedes the previous version dated April 2021.
Privacy questions and rights requests should be sent to admin@stacklehq.com with the subject line: Privacy Request - [your name or organisation].
10.1 Australian Privacy Act Rights
| Right | Description |
|---|---|
| Access | Access personal data held by Stackle |
| Correction | Correct inaccurate or incomplete personal data |
| Complaint | Make a complaint about Stackle's handling of personal data |
10.2 GDPR Rights for EU and UK Users
| Right | Description |
|---|---|
| Access | Receive copies of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of personal data under certain conditions |
| Restrict processing | Request limits on how personal data is used |
| Object | Object to certain processing activities |
| Data portability | Request transfer of data to another organisation or directly to you |
| Withdraw consent | Withdraw consent at any time where processing relies on consent |
Stackle states it will acknowledge requests within 5 business days and respond within 30 days. Privacy requests go to admin@stacklehq.com.
10.3 Appropriate Authorities
| Jurisdiction | Authority / Contact |
|---|---|
| Australia | Office of the Australian Information Commissioner (OAIC), www.oaic.gov.au, phone 1300 363 992 |
| European Union / UK | Contact the relevant supervisory authority in your country of residence. In the UK this is the Information Commissioner's Office at www.ico.org.uk. |