Privacy Policy

This Privacy Policy describes how STACKBOOST LLC, a New York limited liability company doing business as Stateable(“Stateable,” “we,” “us”), collects, uses, discloses, and protects personal information when you sign up for or use the Stateable platform, APIs, and related services (the “Service”), or otherwise interact with us. Our marketing website at stateable.io has a separate Privacy & Cookie Notice that covers website analytics and advertising cookies; this policy governs the Service (the application).

This policy is one of two privacy documents:

• This Privacy Policy covers personal information about you — the customer signing up, the Authorized Users who log in, and visitors to our marketing site.
• The handling of Customer Data you upload (including Nonpublic Personal Information of policyholders, insureds, and other consumers) is governed by Section 7 of our Terms of Service and, where executed, our Data Processing Addendum. For NPI uploaded through the Service, you (the Customer) are the controller / financial institution and we are the service provider. Sections 6–9 of this policy describe what that means in practice.

2.1 Information you give us.

• Account information: name, email address, company/agency name, job title or role, password (stored only as a bcrypt hash, never in plaintext).
• Billing information: plan selection, billing email, billing address, tax ID (where provided). Payment card details go directly to Stripe, Inc. through its hosted checkout — we never see or store full card numbers, only the last 4 digits and card brand that Stripe returns to us for receipts.
• Communications: anything you send us via support email, in-app chat, demo bookings, or sales conversations.
• Profile and preferences: your time zone, language, notification settings, theme, and other in-app preferences.
• Referral Program information: if you participate in the Refer & Earn / Partner Program, the display name or business name you use as a referrer, the U.S. state you operate from, your referral code(s), and the attestations you make when enrolling (e.g., that you are referring software and not soliciting insurance).
• Payout information: the bank, card, or other payout details you provide to receive commissions, collected and held by our payment processor (Stripe) through its connected-account onboarding. We receive payout status and limited account metadata from Stripe, not your full financial credentials.
• Tax information: the taxpayer identification number and tax certification you provide on an IRS Form W-9 (U.S.) or Form W-8 (non-U.S.), collected through Stripe’s connected-account onboarding for tax reporting (Form 1099) and backup-withholding compliance. This is collected when required, before your first payout; Stateable does not store raw taxpayer identification numbers in its own systems.

2.2 Information we collect automatically.

• Usage and device information: IP address, browser type and version, operating system, device identifiers, referring URLs, pages viewed, features used, timestamps, and similar telemetry. We use this for security, abuse prevention, performance monitoring, and product improvement.
• Cookies and similar technologies: session cookies (for authentication and CSRF protection — strictly necessary), preference cookies, and limited analytics cookies. See Section 11.
• Logs: application and security logs that include IP, user identifier, request path, status, and similar fields. Retained per Section 8.

2.3 Information from third parties.

• OAuth providers (Google, Microsoft Entra ID): if you sign in with an OAuth provider, we receive your name, email address, and a stable account identifier from that provider, used to authenticate you.
• Stripe: subscription status, invoice history, and (for receipts) card brand and last 4 digits.
• Stripe (payouts): for Program participants, identity-verification status, connected-account status, and payout/transfer results returned to us by Stripe when we pay commissions.
• Email providers (Resend, AWS SES): delivery, bounce, and complaint events for transactional email we send to you.
• Carriers and CRMs (where you authorize an integration): information necessary to fetch the data you’ve asked us to ingest. The scope and method depend on the integration you enable.

2.4 Customer Data. You and your Authorized Users upload commission statements and related documents to the Service. These typically contain Nonpublic Personal Information (“NPI”) of policyholders, insureds, applicants, and other consumers, including names; policy numbers; premium amounts; commission amounts; account numbers; product / plan identifiers; and (less commonly) addresses, dates of birth, Social Security numbers, and other sensitive identifiers that appear on certain carrier statements. We treat this data as Customer Data under our Terms of Service and as NPI under the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801–6809, and the implementing Safeguards Rule, 16 C.F.R. Part 314. Sections 6–9 of this Privacy Policy describe how we handle it.

We use the information described in Sections 2.1–2.3 to:

• Provide the Service: create and authenticate your account, deliver the features of your Plan, persist your preferences, send transactional notices (billing receipts, security alerts, password resets, magic links).
• Bill you: process subscriptions and renewals through Stripe, manage trials, send invoices and receipts, collect on past-due amounts.
• Support you: respond to your support requests, debug issues, and (with your permission, e.g., a “help me with this” support request) impersonate your account temporarily for troubleshooting.
• Secure the Service: detect and respond to fraud, abuse, credential stuffing, brute-force attacks, and other security events.
• Improve the Service: understand which features are used, find performance bottlenecks, identify bugs, and prioritize roadmap. We use aggregated and de-identified data for analytics whenever feasible — we do not need to identify individual users to count clicks.
• Communicate with you: send service announcements (you cannot opt out of these while you have an account), and — only if you opt in — newsletters, product updates, and marketing.
• Operate the Referral Program: attribute referrals, calculate and pay commissions, screen for eligibility (including state), prevent referral fraud and self-referrals, and meet tax-reporting obligations.
• Comply with law: respond to lawful requests from regulators or courts, enforce our Terms, and protect our rights.

We do not use your personal information for advertising, do not sell it, do not engage in cross-context behavioral advertising, and do not “share” personal information for behavioral advertising as the term is defined under the California Consumer Privacy Act, as amended by the CPRA (“CCPA/CPRA”). (One narrow, cautionary exception: we treat referral-attribution disclosure to a commission-earning referrer as a CCPA “sale” — see Section 5.9.) The Service does not run third-party advertising or analytics trackers; cookies on our marketing website (stateable.io) are addressed in a separate notice. We do not knowingly collect personal information from children under 13.

For users protected by laws that require a legal basis (e.g., GDPR, UK GDPR, certain U.S. state laws), our bases are:

We share personal information only as described below.

5.1 Service providers (“Subprocessors”). We engage trusted vendors to provide infrastructure and tooling. They process personal information on our behalf, under written contracts that limit them to the purposes we specify and require appropriate security. Our Subprocessors fall into these categories:

• Cloud infrastructure, hosting, and storage — including managed databases, secrets management, and encryption-key management;
• Payment processing, subscription billing, and Referral Program commission payouts (Stripe Connect);
• Transactional email delivery (magic links, receipts, notifications);
• Customer support messaging;
• Content delivery and DDoS protection.

A current, named list of Subprocessors is available on request from privacy@stateable.io (and in our Data Processing Addendum), and is kept up to date as Subprocessors change. We remain responsible for our Subprocessors’ performance.

5.2 Carriers, CRMs, and integrations you enable. If you connect a third-party integration (e.g., a carrier portal, a CRM, an export destination), we will exchange information with that integration as needed to perform the integration you set up. That third party’s use of the data is governed by its own terms and privacy policy.

5.3 AI providers (only if you turn on AI Features and only with your own key). If you enable AI Features and connect a third-party AI provider (such as Anthropic, OpenAI, or Google) using your own API key, the data you select for AI processing is sent directly to that provider under your account with that provider, governed by that provider’s terms and privacy policy. Stateable does not control whether the AI provider retains, logs, or trains on that data — that is between you and the AI provider.

5.4 Legal, safety, and fraud. We may disclose information when we have a good-faith belief that disclosure is necessary to (a) comply with applicable law or valid legal process, (b) enforce our Terms or protect our rights, property, or safety (or those of our customers, users, or the public), or (c) detect, prevent, or address fraud, security, or technical issues. Where legally permitted, we will give you advance notice so you can seek a protective order or other remedy.

5.5 Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization (including the planned reincorporation of STACKBOOST LLC as a Delaware corporation), bankruptcy, or sale of all or part of our assets, personal information may be transferred to the resulting or acquiring entity. We will notify you of any change in ownership or use of your personal information.

5.6 With your direction or consent. We will share information with other third parties when you direct us to or otherwise consent.

5.7 What we do not do.

• We do not sell personal information for money. (Out of caution, we treat one narrow disclosure — referral attribution to a commission-earning referrer — as a CCPA “sale” and provide an opt-out; see Section 5.9.)
• We do not share personal information for cross-context behavioral advertising.
• We do not use Customer Data to train, fine-tune, or evaluate machine-learning models.
• We do not disclose Customer Data containing NPI to any party except as needed to perform the Service for you, as required by law, or with your written direction.

5.8 Referral Program data sharing. If you participate in the Refer & Earn / Partner Program, or if you sign up using someone’s referral code or link, we share limited information to operate the Program:

• To the referrer (you, when you refer): we tell you that a signup or conversion is attributable to your referral code or link, and we show you Program metrics such as the number of referred accounts, their status, and your commission earnings. We do not share the referred customer’s confidential business information, the contents of their account, or any Customer Data / NPI with you. The referred customer’s business or organization name is visible to the referrer for attribution purposes.
• To the referred customer (you, when referred): we may indicate that a referral discount was applied and, where relevant, who referred you.
• To Stripe: we share the information needed to onboard your connected account and pay your commissions (Section 5.1).

Referral attribution data is used only to run the Program and is not “shared” for cross-context behavioral advertising. Disclosing attribution to a referrer (who earns a commission) is treated as a “sale” under California law (Section 5.9), with a Do-Not-Sell/Share choice and GPC honoring. See our Referral & Partner Program Agreement for how the Program works.

5.9 Referral attribution is treated as a “sale” under California law. When we tell a referrer that a signup is attributable to them, we disclose limited personal information (that an identifiable business contact signed up) to a third party — the referrer — who benefits commercially (a commission). Under the CCPA as amended by the CPRA, a disclosure of personal information for “valuable consideration” can be a “sale” (though not a “share,” since it is not for cross-context behavioral advertising). Because the CCPA’s business-to-business exemption expired on January 1, 2023, the individual who signs up (if a California resident) is protected even though the customer is a business.

Out of caution, Stateable treats this attribution disclosure as a “sale.” Accordingly we (a) minimize what is disclosed to referrers — attribution and high-level status only, not unnecessary personal information — and (b) provide a “Do Not Sell or Share My Personal Information” choice, honor opt-out requests, and recognize Global Privacy Control signals.

When you upload commission statements and related documents to the Service, you remain in control. We handle that data as your service provider, not as a controller of our own.

• Use limitation. We use Customer Data, including any NPI in it, only to provide and improve the Service for you, secure the Service, comply with law, and enforce our Terms.
• No marketing to consumers. We do not market to, profile, or otherwise contact any policyholder, insured, applicant, or other consumer identified in Customer Data.
• No re-identification. We do not attempt to re-identify de-identified Customer Data.
• No combination across customers. We do not combine your Customer Data with other customers’ Customer Data or with data from other sources, except as necessary to perform the Service for the specific Customer that provided it.
• Carrier/agency confidentiality. Customer Data is your Confidential Information under our Terms.

This section reflects our obligations under GLBA’s “service provider” framework (16 C.F.R. § 313.13), state insurance privacy laws (including NAIC Model Regulation 672 and adoptions in New York, California, Massachusetts, and other states), and the “service provider” / “processor” definitions under CCPA/CPRA and analogous state privacy laws.

We maintain a written information security program that meets or exceeds the GLBA Safeguards Rule and includes administrative, technical, and physical safeguards reasonably designed to protect personal information. Our program includes:

• Encryption. TLS 1.3 in transit; AES-256 at rest for databases, object storage, and backups.
• Access controls. Least-privilege access, role-based access controls, multi-factor authentication for administrative access, audit logging of privileged actions.
• Network and infrastructure security. Hosted on AWS in the U.S.; private subnets for data stores; VPC isolation; firewalled network ingress/egress; secrets in AWS Secrets Manager / KMS, never in source code.
• Application security. Code review, dependency scanning, vulnerability management, secure SDLC, periodic penetration testing.
• People and process. Background checks where lawful, security training, signed confidentiality obligations, vendor risk reviews.
• Monitoring and response. Centralized logging, anomaly detection, an incident response plan, on-call rotation.

Our SOC 2 Type II examination is underway (currently in its observation period). Documentation describing our safeguards program is available to customers under NDA on request to security@stateable.io, and the SOC 2 Type II report will be made available under NDA once issued.

No system is perfectly secure. If we become aware of a confirmed unauthorized acquisition, access, use, or disclosure of personal information, we will notify affected customers without undue delay (and in any event within 72 hours of confirmation), and will reasonably cooperate with any required notifications under applicable law.

Depending on where you live, you may have rights under laws including the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and similar laws in other states; GDPR / UK GDPR (EEA / UK); PIPEDA / Quebec Law 25 (Canada); and others.

Subject to applicable law and verification of your identity, you may request to:

• Access the personal information we hold about you;
• Correct inaccurate personal information;
• Delete personal information (subject to legal exceptions, e.g., billing records);
• Port your personal information in a portable format;
• Opt out of marketing emails (use the unsubscribe link in any marketing email);
• Withdraw consent where processing is based on consent;
• Object to or restrict processing in certain cases;
• Lodge a complaint with a supervisory authority.

We do not “share” personal information for cross-context behavioral advertising, and with one narrow exception we do not “sell” personal information as those terms are defined under CCPA/CPRA. The exception: out of caution, we treat referral-attribution disclosure to a commission-earning referrer as a “sale” (Section 5.9). For that disclosure we provide a “Do Not Sell or Share My Personal Information” choice, process opt-out requests within 15 business days, and honor Global Privacy Control (GPC)browser signals. (Advertising cookies on our marketing website, stateable.io, and the related opt-out, are covered by that site’s separate Privacy & Cookie Notice.)

To exercise any right, email privacy@stateable.io or write to the address in Section 14. We will respond within the timeframe required by applicable law (typically 30–45 days). We will not discriminate against you for exercising any right.

Authorized agents (California). California residents may use an authorized agent to make a request, with a signed written authorization or proof of power of attorney.

Customer Data requests. If you are a consumer (e.g., a policyholder) seeking to exercise rights regarding NPI that appears in commission statements uploaded by an insurance agent or agency, please contact the agent or agency directly — they are the controller of that data and we are their service provider. We will refer such requests to the relevant Customer when received.

We are based in the United States, and our infrastructure is hosted in the U.S. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored in, and processed in the United States. The U.S. has data-protection laws that may differ from those in your country.

For users in the EEA, UK, or Switzerland: where required, we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent transfer mechanisms. Contact privacy@stateable.io for a copy of the applicable transfer documentation.

We use cookies and similar technologies for:

• Strictly necessary purposes (authentication, CSRF protection, load balancing) — these cannot be disabled;
• Preference storage (theme, language) — set when you change a preference;
• Limited analytics to understand product usage in aggregate.

The Service does not use third-party advertising cookies or tracking pixels for cross-site behavioral advertising. Advertising and analytics cookies on our marketing website (stateable.io) — and the controls to opt out of them — are addressed in that site’s separate Privacy & Cookie Notice, not here.

You can control cookies through your browser settings. Disabling strictly-necessary cookies will prevent the Service from functioning.

California (CCPA/CPRA). In the past 12 months, we collected the following categories of personal information from California residents (categories per Cal. Civ. Code § 1798.140):

• Identifiers (name, email, account ID, IP address)
• Customer records (billing information)
• Commercial information (subscription history)
• Internet/network activity (usage logs)
• Geolocation (approximate, derived from IP)
• Professional/employment information (job title, company)
• Inferences (limited, for security and product improvement)

For Customer Data uploaded through the Service, we may also receive categories of personal information about other individuals (policyholders, insureds), which we process strictly as a service provider to the Customer.

We collect this information for the business and commercial purposes described in Section 3. We disclose it for business purposes to the Subprocessors listed in Section 5.1. We do not share personal information for cross-context behavioral advertising, and we do not sell personal information except that, out of caution, we treat referral-attribution disclosure as a “sale” (Section 5.9) and provide the corresponding opt-out. We retain personal information for the periods described in Section 8. California residents have the rights described in Section 9, including the right to know, delete, correct, and opt out of sale/sharing. To exercise these rights, see Section 9.

Other states. Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have analogous rights, exercisable through the contact in Section 14. We do not engage in profiling that produces legal or similarly significant effects.

Insurance-specific state privacy laws. For information processed in our service-provider role (Customer Data), our handling complies with the NAIC Insurance Information and Privacy Protection Model Act (Model 670), the Privacy of Consumer Financial and Health Information Regulation (Model 672), and adopted state versions, including:

• New York 23 NYCRR Part 500 (DFS Cybersecurity Regulation) and Insurance Law Article 21
• California Insurance Code §§ 791 et seq. and the California Insurance Information and Privacy Protection Act
• Massachusetts 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth)

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ prior notice by email to the address on file for your account or by in-product notice. Non-material changes (clarifications, formatting, contact-info updates) take effect on posting. The “Last updated” date at the top reflects the most recent change. Your continued use of the Service after the effective date of a change constitutes acceptance.

Questions, requests, or complaints?

STACKBOOST LLC (d/b/a Stateable)
Privacy: privacy@stateable.io
Security: security@stateable.io
Mail: Attn: Legal, 85 Delancey Street, PH 1, New York, NY 10002
Web: stateable.io

If you are not satisfied with our response, you may have the right to lodge a complaint with a supervisory authority in your jurisdiction (for EEA/UK residents: your local data protection authority; for California residents: the California Privacy Protection Agency).