Privacy Policy

This Privacy Policy describes how DeskStack ("DeskStack," "we," "us," or "our") collects, receives, uses, stores, processes, discloses, transfers, protects, and otherwise handles Personal Information in connection with our website, hosted helpdesk platform, managed helpdesk services, customer portals, integrations, communications, connected mailboxes, and related products and services, collectively referred to as the "Service."

DeskStack provides a hosted and managed helpdesk platform for businesses. The Service enables Customers to manage support emails, tickets, messages, contacts, internal notes, attachments, workflows, automations, reporting, connected mailboxes, and related support activities.

This Privacy Policy is intended to apply globally. Privacy and data protection laws may vary depending on the jurisdiction in which you, your organization, or your End Users are located. Where applicable law requires a different treatment of Personal Information, DeskStack will process Personal Information in accordance with such applicable law.

By accessing or using the Service, creating an account, requesting a demo, subscribing to a plan, connecting a mailbox, communicating with DeskStack, or otherwise providing information to us, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy should be read together with our Terms of Service, Data Processing Agreement, Acceptable Use Policy, Cookie Policy, Subprocessor List, order form, service agreement, or any other applicable written agreement governing your use of the Service.

1. Definitions

For purposes of this Privacy Policy, "Account Data" means Personal Information relating to a Customer, account owner, administrator, authorized user, billing contact, prospective customer, or other individual who interacts directly with DeskStack in connection with the Service. "Customer" means any business, organization, entity, sole proprietor, or other person or organization that subscribes to, accesses, administers, or uses the Service. "Customer Data" means any data, content, files, messages, emails, tickets, attachments, contact details, internal notes, metadata, reports, records, or other materials submitted to, transmitted through, stored in, generated by, accessed through, synchronized with, or processed using the Service by or on behalf of a Customer.

"End User" means any individual who communicates with, is supported by, or otherwise interacts with a Customer through the Service, including, without limitation, a Customer's customers, clients, employees, contractors, vendors, agents, or other contacts. "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identifiable individual, depending on applicable law. "Processing" means any operation or set of operations performed on Personal Information, including collection, receipt, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, disclosure, restriction, deletion, or destruction. "Service Provider," "Processor," or "Subprocessor" means a third party that processes information on behalf of DeskStack or our Customers.

2. Scope of this Privacy Policy

This Privacy Policy applies to information processed by DeskStack in connection with our website, hosted helpdesk platform, account registration and administration, customer onboarding and setup, email-to-ticketing services, managed hosting services, connected mailboxes, integrations, billing and payment administration, support, sales and demo requests, security, monitoring and fraud prevention, analytics and service improvement, and any other interaction with DeskStack or use of the Service.

This Privacy Policy does not apply to third-party websites, applications, services, platforms, integrations, or systems that DeskStack does not own or control, even if such third-party services are linked to, integrated with, connected to, or accessible through the Service. Customer use of third-party services is subject to the applicable third party's own terms, privacy notices, and data handling practices.

3. Individuals Covered by this Privacy Policy

DeskStack may collect and process Personal Information relating to individuals who interact with DeskStack or the Service, including, without limitation, website visitors, prospective Customers, Customers, account owners, administrators, authorized users, billing contacts, support contacts, sales contacts, marketing recipients, individuals who register for demos, webinars, events, trials, or promotional activities, personnel of Customers, suppliers, partners, contractors, service providers, and individuals who communicate with DeskStack by email, form, chat, phone, support ticket, connected mailbox, or other means.

Where DeskStack processes Customer Data on behalf of a Customer, including information relating to End Users, the Customer's privacy notice and applicable agreement with DeskStack will generally govern the Customer's collection and use of such information. End Users should direct privacy questions and requests relating to Customer Data to the relevant Customer unless applicable law requires otherwise.

4. DeskStack's Role

DeskStack may process Personal Information in different capacities depending on the nature and context of the Processing.

4.1 DeskStack as Processor or Service Provider

When a Customer uses DeskStack to receive, manage, store, organize, route, respond to, synchronize, access, or otherwise process support emails, tickets, messages, attachments, contacts, internal notes, connected mailbox data, and related Customer Data, DeskStack generally processes such Customer Data on behalf of the Customer. In that context, the Customer determines the purposes and means of Processing Customer Data and remains responsible for the content, accuracy, legality, completeness, and appropriateness of Customer Data.

The Customer is responsible for providing any required privacy notices to End Users, obtaining any required consents, authorizations, or permissions, establishing the applicable lawful basis for Processing, and responding to End User privacy requests unless otherwise expressly agreed in writing. DeskStack processes Customer Data primarily to provide, maintain, secure, support, troubleshoot, administer, and improve the Service. DeskStack does not control, verify, endorse, approve, monitor, or determine the content submitted by Customers or End Users.

4.2 DeskStack as Controller or Business

DeskStack may act as an independent controller, business, or similar role when we process information for our own business purposes. Such purposes may include, without limitation, operating our website, managing Customer accounts and subscriptions, processing billing and payments, responding to support, sales, demo, or business inquiries, sending service-related communications, securing and monitoring the Service, preventing fraud, abuse, unauthorized access, or misuse, improving, developing, and administering the Service, complying with legal, tax, accounting, corporate, or regulatory obligations, enforcing our agreements, and marketing DeskStack services where permitted by law.

5. Information We Collect

DeskStack collects information depending on how you interact with us, how your organization uses the Service, and how the Customer configures and administers its account, workspace, integrations, connected mailboxes, and connected services.

5.1 Information Provided Directly

We may collect information that you or your organization provide directly to us, including, without limitation, your name, business email address, phone number, company or organization name, job title, billing contact information, account login details, workspace name, company branding details, helpdesk setup details, support requests, demo requests, sales inquiries, feedback, survey responses, technical configuration details, files, screenshots, attachments, and any other information you choose to submit to DeskStack.

5.2 Account and Administrative Information

When you create, administer, access, or use a DeskStack account, we may collect account owner information, administrator and agent details, user roles and permissions, login records, authentication method, subscription plan, billing status, invoice history, payment status, workspace settings, connected domains, connected mailboxes, configuration preferences, usage limits, Service activity, and related metadata.

5.3 Customer Data Processed Through the Service

Customers and End Users may submit or generate Customer Data through the Service, including, without limitation, support ticket content, inbound and outbound emails, names and email addresses, phone numbers, company names, message content, attachments, internal notes, tags, priorities, statuses, assignments, ticket history, response history, timestamps, delivery metadata, source mailbox details, workflow and automation activity, and reports generated from helpdesk usage. The specific categories of Customer Data processed through the Service depend on the Customer's configuration, use case, integrations, account settings, connected services, and instructions.

5.4 Email, Mailbox, and Communication Data

If a Customer connects an email account, mailbox, forwarding address, SMTP provider, IMAP account, Microsoft 365 account, Google Workspace account, Gmail account, Outlook account, or similar email or communication service, DeskStack may process information necessary to enable email-to-ticketing, outbound messaging, routing, synchronization, authentication, reply handling, ticket creation, support workflows, and related functionality. Such information may include, without limitation, mailbox addresses, sender and recipient information, subject lines, message bodies, attachments, headers, timestamps, delivery status, reply chains, mailbox configuration details, authentication tokens or credentials where applicable, routing data, and synchronization data.

Customers are solely responsible for ensuring that they have the authority and lawful basis to connect mailboxes, process email communications, transmit information through the Service, and permit DeskStack to access or process such information for the purpose of providing the Service.

5.5 Payment and Billing Information

DeskStack may collect billing-related information, including billing name, billing email, billing address, tax information, invoice history, subscription plan, payment status, transaction identifiers, payment method type, and limited payment metadata provided by our payment processor. Payments are processed by third-party payment processors. DeskStack does not store full payment card numbers on its own systems.

5.6 Information Collected Automatically

When you visit our website or use the Service, we may automatically collect technical, diagnostic, security, and usage information, including, without limitation, IP address, browser type and version, device type, operating system, screen resolution, language settings, referring URL, pages viewed, links clicked, features used, session duration, login activity, approximate location based on IP address, error logs, diagnostic data, system performance data, audit logs, security logs, cookie identifiers, and analytics events.

5.7 Information From Third Parties

DeskStack may receive information from third parties, including payment processors, authentication providers, email providers, hosting and infrastructure providers, analytics providers, marketing platforms, customer support tools, integration partners, referral sources, security and fraud prevention services, and Customers who invite users to the Service. If you log in using a third-party identity provider, such as Google, Microsoft, or another provider, we may receive information such as your name, email address, profile image, authentication status, account identifiers, and related information made available by that provider.

6. Google API and Connected Mailbox Disclosure

If a Customer or authorized user connects a Google Workspace, Gmail, Microsoft 365, Outlook, IMAP, SMTP, forwarding address, or other email account to the Service, DeskStack may access, process, transmit, store, and display information from that connected account as reasonably necessary to provide email-to-ticketing, outbound reply, mailbox synchronization, routing, ticket creation, support workflow, troubleshooting, security, and related functionality. Such information may include mailbox identifiers, email addresses, message headers, subject lines, message bodies, attachments, timestamps, sender and recipient information, authentication tokens, synchronization metadata, and related email content.

Where DeskStack accesses information received from Google APIs, DeskStack's use and transfer of such information will be limited to providing and improving user-facing features of the Service, maintaining security, preventing abuse, troubleshooting, complying with applicable law, and other purposes permitted by applicable Google API policies. DeskStack will not use information received from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models unless expressly disclosed and permitted by applicable law and applicable platform policy. Customers remain responsible for ensuring that they have the authority and lawful basis to connect any mailbox or email account to the Service and to permit DeskStack to process email content and related information through the Service.

7. How We Use Information

DeskStack may use Personal Information for the purposes described in this Privacy Policy and for other purposes permitted by applicable law.

7.1 Providing and Operating the Service

DeskStack uses information to create and maintain accounts, provision workspaces, host Customer helpdesks, process inbound and outbound tickets, send and receive emails, route messages, synchronize connected mailboxes, enable assignments, tags, statuses, notes, automations, and workflows, provide reports and dashboards, support integrations, maintain user sessions, provide technical support, perform onboarding and setup services, and otherwise operate the Service.

7.2 Account Administration and Billing

DeskStack uses information to process subscriptions, issue invoices, manage payment status, collect amounts owed, verify account ownership, communicate about renewals, plan changes, failed payments, cancellations, and account issues, and maintain accounting, tax, audit, financial, and business records.

7.3 Communications

DeskStack may use information to respond to inquiries, send support communications, send onboarding instructions, provide product updates, send security notices, send administrative messages, send service announcements, send marketing communications where permitted by law, and request feedback.

7.4 Security, Abuse Prevention, and Service Integrity

DeskStack may use information to detect unauthorized access, prevent fraud, spam, abuse, malware, phishing, or harmful activity, monitor system activity, investigate suspicious behavior, enforce our Terms of Service, protect the rights, property, and safety of DeskStack, Customers, End Users, and others, and maintain logs for security, compliance, and operational purposes.

7.5 Improvement and Development

DeskStack may use information to understand usage patterns, troubleshoot errors, improve performance, test new features, develop product enhancements, analyze trends, maintain and improve user experience, and create aggregated, anonymized, or de-identified insights. DeskStack may use Service activity, usage metadata, diagnostic information, performance data, configuration data, and aggregated or de-identified information to operate, secure, support, analyze, improve, and develop the Service. DeskStack does not use Customer Data for advertising to End Users and will not use Customer Data to train third-party public artificial intelligence models unless expressly disclosed or agreed.

7.6 Legal, Regulatory, and Contractual Compliance

DeskStack may use information to comply with applicable laws and regulations, respond to lawful requests, maintain required records, enforce contracts, resolve disputes, defend legal claims, and comply with tax, accounting, corporate, regulatory, security, and other legal obligations.

8. Legal Bases for Processing

Where applicable law requires a legal basis for Processing, DeskStack may process Personal Information under one or more lawful bases, including performance of a contract, consent, compliance with legal obligations, legitimate business interests, protection of rights, safety, and security, Processing on behalf of Customers under their instructions, and any other lawful basis available under applicable law.

DeskStack's legitimate interests may include operating the Service, securing our systems, preventing fraud, improving our products, communicating with business users, enforcing agreements, maintaining records, developing our business, supporting Customers, and protecting DeskStack, Customers, End Users, service providers, and the public. For Customer Data, the Customer is generally responsible for determining the applicable legal basis for collecting and processing Personal Information submitted to or processed through the Service.

9. How We Disclose Information

DeskStack does not sell Personal Information in exchange for money. DeskStack may disclose information as described in this Privacy Policy, as authorized by Customers, as necessary to provide the Service, as required or permitted by applicable law, or as otherwise set out in an applicable agreement.

9.1 Service Providers and Subprocessors

DeskStack may disclose information to third-party service providers, vendors, contractors, and subprocessors who assist us in operating, securing, supporting, maintaining, and improving the Service. Such third parties may include providers of cloud infrastructure, database hosting, file storage, backups, monitoring, logging, analytics, email delivery, domain and DNS services, payment processing, billing management, customer support, security tools, authentication, error tracking, legal services, accounting services, tax services, and other professional or operational services.

Such providers may process information only as necessary to provide services to DeskStack or as otherwise permitted by applicable law and agreement. A current list of subprocessors may be made available on request or published separately. DeskStack may update its subprocessors from time to time as our business, infrastructure, vendors, and Service evolve.

9.2 Customer-Directed Disclosures

DeskStack may disclose, transmit, export, or make available information when directed, configured, authorized, or enabled by a Customer, including through integrations, connected mailboxes, forwarding rules, exports, API access, webhooks, reports, administrator actions, user permissions, or third-party tools enabled by the Customer. DeskStack is not responsible for third-party services, recipients, exports, integrations, configurations, or Customer-directed disclosures.

9.3 Legal and Compliance Disclosures

DeskStack may disclose information where we believe disclosure is reasonably necessary to comply with applicable law, comply with legal process, respond to lawful requests from public authorities, enforce our agreements, protect against fraud, abuse, or security threats, investigate violations, protect our rights, property, or safety, protect Customers, End Users, service providers, or the public, or defend against legal claims.

9.4 Business Transactions

DeskStack may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, corporate restructuring, due diligence process, transfer of business operations, or similar transaction. In such circumstances, information may be disclosed to advisors, potential buyers, investors, lenders, successors, or other relevant parties, subject to appropriate confidentiality protections where applicable.

In connection with any business transaction, Customer accounts, Account Data, Customer Data, contracts, usage records, billing records, service configurations, and related information may be among the assets transferred or disclosed, subject to applicable law and appropriate confidentiality protections where applicable.

9.5 Affiliates and Related Entities

DeskStack may disclose information to affiliates, subsidiaries, parent companies, related entities, or commonly controlled entities for purposes consistent with this Privacy Policy and applicable law.

9.6 Aggregated or De-Identified Information

DeskStack may use and disclose aggregated, anonymized, or de-identified information that does not reasonably identify an individual for analytics, benchmarking, reporting, product improvement, marketing, security, research, business planning, and other lawful business purposes.

10. Customer Data

Customers retain responsibility for Customer Data submitted to or processed through the Service. DeskStack does not control, review, verify, approve, or determine the content of Customer Data. Customers are solely responsible for the accuracy, quality, legality, completeness, and appropriateness of Customer Data, the means by which Customer Data is acquired, the lawful basis for Processing Customer Data, the provision of required notices, the obtaining of required consents, authorizations, or permissions, the handling of End User requests, and the configuration of account permissions, authorized users, connected mailboxes, domains, integrations, exports, and related settings.

Customers are responsible for ensuring that Customer Data does not violate applicable law and does not contain prohibited, unnecessary, excessive, or unlawfully collected sensitive information. Customers are further responsible for determining whether the Service is appropriate for their intended use and whether the Service satisfies any legal, regulatory, contractual, data residency, archival, retention, security, confidentiality, or industry-specific requirements applicable to them. DeskStack may access Customer Data where necessary to provide support, troubleshoot issues, maintain security, investigate abuse, comply with law, prevent harm, enforce agreements, or as otherwise permitted by applicable agreement or law.

11. Sensitive Information

DeskStack is a general business helpdesk and email-to-ticketing platform. It is not specifically designed for storing or processing highly sensitive, regulated, special-category, or restricted information unless expressly agreed in writing. Customers should not submit, request, or permit the submission of sensitive information unless they have determined that such Processing is lawful, necessary, proportionate, and appropriately protected.

Sensitive information may include, depending on jurisdiction, health information, medical records, biometric data, government identification numbers, financial account numbers, payment card data, precise geolocation information, information about children, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, criminal offence data, confidential legal information, and regulated industry information. DeskStack disclaims responsibility for Customer submission, collection, or Processing of sensitive information in violation of our Terms of Service, applicable law, this Privacy Policy, or any applicable agreement.

12. Cookies and Tracking Technologies

DeskStack may use cookies, pixels, local storage, device identifiers, and similar technologies to operate, secure, analyze, and improve the Service. Such technologies may include strictly necessary cookies required for authentication, security, session management, account access, and operation of the Service; functional cookies that help remember preferences, settings, and user choices; analytics cookies that help us understand website and Service usage, troubleshoot issues, measure performance, and improve the Service; and marketing cookies that may be used to measure campaign effectiveness or deliver relevant marketing where permitted by law or with required consent.

You can control cookies through your browser settings or any cookie preference tool we make available. Some cookies are necessary for the Service to function properly. If you disable necessary cookies, parts of the Service may not work correctly. Some browsers or devices may transmit "Do Not Track" or similar signals. Because there is no consistent industry standard for responding to such signals, DeskStack may not respond to all such signals unless required by applicable law. Where legally required, DeskStack will honor applicable opt-out preference signals in accordance with applicable law and technical feasibility.

13. Artificial Intelligence, Automation, and Suggested Outputs

DeskStack may offer or later introduce artificial intelligence, machine learning, automation, ticket classification, suggested replies, summaries, sentiment detection, routing, tagging, or similar features. Such features may process Customer Data to generate outputs, recommendations, classifications, suggestions, summaries, or other automated or AI-assisted content.

Unless expressly agreed otherwise in writing, automated or AI-assisted outputs may be incomplete, inaccurate, outdated, inappropriate, unsuitable, or otherwise erroneous. Customers are responsible for reviewing outputs before relying on them, using them for business purposes, making decisions based on them, or sending them to End Users. Customers remain responsible for all decisions, communications, actions, omissions, and consequences arising from or relating to their use of automated or AI-assisted features. DeskStack does not guarantee that automated or AI-assisted outputs will be accurate, lawful, appropriate, complete, current, non-infringing, or free from error. DeskStack will not use Customer Data to train third-party public AI models unless expressly disclosed or agreed.

14. Data Retention

DeskStack retains Personal Information for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. Retention periods may depend on account status, subscription terms, Customer instructions, backup cycles, legal obligations, tax and accounting requirements, dispute resolution needs, security requirements, fraud prevention, operational needs, contractual obligations, and legitimate business needs.

In general, active Account Data is retained while the account is active. Closed Account Data may be retained for a reasonable period after closure for restoration, legal, security, billing, dispute, or operational purposes. Customer Data is retained according to the applicable subscription, account settings, agreement, backup cycle, Customer instructions, and legal requirements. Billing records are retained as required or permitted for tax, accounting, audit, legal, and financial purposes. Backup copies are retained for a limited period according to DeskStack's backup and disaster recovery practices before being overwritten or deleted. Security and audit logs are retained as needed for security, fraud prevention, investigations, compliance, and operational integrity. Marketing data is retained until you unsubscribe or request deletion, unless another lawful basis applies, and limited suppression records may be retained to honor opt-out requests.

Deletion from active systems may not immediately result in deletion from backups, archives, logs, legally required records, or systems where deletion is technically infeasible or commercially unreasonable, provided such information is protected and retained only as required or permitted by law.

15. Security

DeskStack uses commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such safeguards may include encryption in transit, access controls, role-based permissions, password protections, authentication controls, network security controls, firewalls, monitoring, backups, audit logs, restricted internal access, vendor review, confidentiality obligations, incident response procedures, software updates, vulnerability management, and secure configuration practices.

DeskStack may maintain a separate Security, Trust, or Technical and Organizational Measures document describing certain security practices, controls, or safeguards in more detail; however, any such document is provided for informational purposes unless expressly incorporated into a written agreement.

No method of transmission, storage, hosting, or electronic Processing is completely secure. DeskStack does not warrant or guarantee that Personal Information will be absolutely secure or that unauthorized access, hacking, data loss, disclosure, misuse, interruption, or security incidents will never occur. Customers are responsible for securing their own accounts, using strong passwords, enabling available security features, managing user permissions, removing inactive users, protecting connected mailboxes, securing their own devices and networks, ensuring authorized users comply with Customer policies, and promptly notifying DeskStack of suspected unauthorized access.

16. Security Incidents

If DeskStack becomes aware of a security incident involving Personal Information, we will investigate and take steps we consider appropriate under the circumstances, which may include containment, mitigation, remediation, and notification. Where legally required, DeskStack will notify affected Customers, individuals, regulators, or other parties in accordance with applicable law.

Customers are responsible for providing accurate and current contact information so DeskStack can communicate security-related notices. DeskStack is not responsible for delays or failure to notify caused by inaccurate, outdated, unavailable, or non-functioning Customer contact information.

17. International Transfers and Data Location

DeskStack is intended to operate as a global SaaS offering. DeskStack and its service providers may access, store, process, transfer, and disclose information in multiple countries, including countries other than where you, your organization, or your End Users are located. These countries may have privacy, security, government access, and data protection laws that differ from those in your jurisdiction.

Where legally required, DeskStack may rely on transfer mechanisms such as contractual safeguards, data processing agreements, standard contractual clauses, adequacy decisions, transfer impact assessments, Customer instructions, consent, or other lawful mechanisms. DeskStack does not claim participation in any cross-border data transfer certification framework unless expressly stated in a separate notice published by DeskStack. Unless expressly agreed in writing, DeskStack does not guarantee that Customer Data will be stored or processed only in a specific country, province, state, region, or data center. Customers are responsible for determining whether their use of the Service satisfies their own data residency, localization, cross-border transfer, regulatory, contractual, industry-specific, archival, or internal policy requirements.

18. Subprocessors

DeskStack may use subprocessors to provide infrastructure, hosting, storage, payment, monitoring, logging, email delivery, analytics, support, security, authentication, backup, and other services. DeskStack may update its subprocessors from time to time. A list of subprocessors may be made available on request or published separately.

By using the Service, Customers authorize DeskStack to engage subprocessors as reasonably necessary to provide, secure, support, maintain, and improve the Service, subject to applicable contractual commitments.

19. Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your Personal Information, which may include the right to request confirmation of whether DeskStack processes your Personal Information, request access to Personal Information, request correction of inaccurate or incomplete Personal Information, request deletion or erasure of Personal Information, request restriction or limitation of Processing, object to certain Processing, request portability of Personal Information in a structured and commonly used format, withdraw consent where Processing is based on consent, opt out of certain marketing communications, opt out of certain sales, sharing, targeted advertising, or profiling where applicable, appeal a privacy request decision where required by law, or lodge a complaint with a competent privacy or data protection authority.

To exercise rights, contact DeskStack at privacy@deskstack.app. DeskStack may require information reasonably necessary to verify your identity, authority, and request before taking action. DeskStack may reject, limit, charge a reasonable fee for, or decline requests where permitted by law, including where requests are excessive, repetitive, unfounded, legally restricted, technically infeasible, commercially unreasonable, or where retention or Processing is necessary for security, legal, contractual, fraud prevention, accounting, operational, dispute resolution, or legitimate business purposes. Where permitted by law, additional copies of information may be subject to a reasonable fee. For Customer Data, DeskStack may direct the request to the relevant Customer because the Customer generally controls such data. DeskStack aims to acknowledge privacy inquiries within a reasonable period and respond within the timeframe required by applicable law.

Where permitted by applicable law, an individual may authorize another person or entity to submit a privacy request on the individual's behalf. DeskStack may require proof that the requester has been authorized to act on behalf of the individual and may require the individual to verify their identity directly with DeskStack. DeskStack may decline to honor a request where it cannot reasonably verify the identity of the individual, the authority of the authorized agent, or the connection between the requested information and the individual.

20. End User Requests

If you are an End User of one of our Customers, such as a person who emailed or contacted a company using DeskStack, you should direct privacy requests to that Customer. DeskStack processes Customer Data primarily on behalf of Customers. DeskStack may not have a direct relationship with End Users and may not be able to verify, access, correct, delete, restrict, export, or otherwise act on Customer Data without instructions from the relevant Customer.

If you contact DeskStack directly about Customer Data, DeskStack may ask you to contact the relevant Customer, forward your request to the Customer, request additional information, decline to act without Customer authorization, or act only as required by applicable law.

21. Marketing and Service Communications

DeskStack may send marketing communications to prospective or existing Customers where permitted by applicable law. You may opt out of marketing emails by using the unsubscribe link in the applicable email or by contacting privacy@deskstack.app. Opting out of marketing communications will not prevent DeskStack from sending transactional, administrative, legal, billing, account, security, support, product, operational, renewal, maintenance, suspension, or service-related communications. Such service-related communications are necessary for the administration, security, performance, and delivery of the Service and generally cannot be opted out of while an account remains active, except by discontinuing use of the Service or closing the applicable account, subject to the applicable agreement.

Where permitted by applicable law, DeskStack may use advertising, analytics, remarketing, custom audience, lookalike audience, or similar tools provided by third-party advertising platforms. In connection with such activities, DeskStack may use or disclose limited identifiers, such as business email addresses, device identifiers, cookie identifiers, or similar information, which may be hashed or otherwise protected where supported, for the purpose of measuring advertising effectiveness, reaching relevant business audiences, suppressing existing customers from campaigns, or promoting DeskStack services. Where required by law, DeskStack will obtain consent or provide applicable opt-out rights for such activities.

22. No Sale of Personal Information

DeskStack does not sell Personal Information in exchange for money. Some privacy laws define "sale," "sharing," or similar terms broadly. To the extent any activity is considered a sale, sharing, targeted advertising, or similar Processing under applicable law, DeskStack will provide required notices and choices where required.

DeskStack does not knowingly sell or share Personal Information of children.

23. Third-Party Services, Integrations, and Modules

The Service may allow Customers to connect third-party services, including email providers, authentication providers, productivity tools, analytics tools, storage providers, communication platforms, or other integrations. DeskStack is not responsible for the privacy, security, availability, functionality, compliance, performance, or practices of third-party services.

If DeskStack makes available a marketplace, directory, integration library, module, add-on, connector, application, or third-party extension, the privacy practices applicable to such offering may depend on whether the offering is provided by DeskStack or by a third party. Third-party applications, modules, integrations, and services are governed by the applicable third party's own terms, privacy notices, and data handling practices. Customers are responsible for reviewing, approving, enabling, configuring, and monitoring any third-party integration, module, application, or service before using it with the Service.

24. Public, Shared, or Multi-User Areas

If the Service includes public, shared, collaborative, or multi-user areas, any information submitted to those areas may be visible to other authorized users of the same Customer workspace or to other parties depending on Customer configuration.

Customers are responsible for managing workspace permissions, roles, user access, exports, and visibility settings.

25. Account Closure and Deletion

Customers may request account closure or deletion in accordance with the applicable Terms of Service or customer agreement. After account termination, DeskStack may retain information as necessary to complete billing, provide transition support, comply with law, resolve disputes, prevent fraud or abuse, enforce agreements, maintain backups, preserve security logs, satisfy tax, accounting, or legal obligations, and protect legitimate business interests.

DeskStack is not responsible for Customer failure to export Customer Data before account termination unless otherwise expressly agreed in writing.

26. Business Continuity, Backups, and Disaster Recovery

DeskStack may maintain backups for operational, security, business continuity, and disaster recovery purposes. Backups may include Customer Data and Account Data. Backup data may not be immediately deleted when data is deleted from active systems. Backups are generally overwritten or deleted according to applicable backup schedules.

DeskStack does not guarantee that any specific data can be restored unless expressly agreed in writing.

27. Children's Privacy

DeskStack is intended for business use and is not directed to children. DeskStack does not knowingly collect Personal Information from children under the age required by applicable law. If DeskStack learns that it has collected Personal Information from a child without appropriate consent, it will take reasonable steps to delete such information.

Customers are responsible for ensuring they do not use the Service to collect or process information from children unless legally permitted and appropriately authorized.

28. Regional Privacy Notices

Depending on where you are located, additional regional terms may apply.

For individuals in the European Economic Area, United Kingdom, and Switzerland, applicable data protection laws may provide rights of access, correction, deletion, restriction, objection, portability, withdrawal of consent, and complaint. Where DeskStack acts as a processor, the Customer is generally the controller and is responsible for handling requests from End Users.

Where Canadian privacy law applies, DeskStack handles Personal Information in accordance with applicable private-sector privacy principles, including accountability, limiting collection, limiting use and disclosure, safeguards, openness, access, and correction.

Certain United States state privacy laws may provide additional rights, including rights to confirm whether Personal Information is processed, access Personal Information, correct inaccurate Personal Information, delete Personal Information, obtain a portable copy of Personal Information, opt out of sales, sharing, targeted advertising, or certain profiling, limit certain uses or disclosures of sensitive Personal Information, appeal privacy request decisions, and exercise rights without unlawful discrimination. Where such laws apply to DeskStack, DeskStack will respond to applicable requests in accordance with applicable law and may verify the requester's identity and authority before taking action.

California residents may have specific rights under California privacy laws, including rights to know, access, delete, correct, opt out of certain sales or sharing, limit certain uses of sensitive Personal Information, and not be discriminated against for exercising privacy rights. DeskStack does not sell Personal Information in exchange for money and does not knowingly sell or share Personal Information of children.

29. Changes to this Privacy Policy

DeskStack may update, revise, or replace this Privacy Policy from time to time at its discretion. When DeskStack updates this Privacy Policy, changes become effective when posted unless otherwise stated.

If changes are material, DeskStack may provide additional notice through the Service, by email, website notice, or other reasonable means where required by law. Continued use of the Service after the effective date of an updated Privacy Policy constitutes acknowledgment of the updated Privacy Policy.

30. Contact Information

If you have questions, concerns, complaints, or requests regarding this Privacy Policy or DeskStack's handling of Personal Information, you may contact DeskStack at:

• Email: privacy@deskstack.app
• Security: security@deskstack.app
• Legal: legal@deskstack.app

31. Limitations, Responsibilities, and Reserved Rights

To the maximum extent permitted by applicable law, DeskStack shall not be responsible or liable for any Personal Information, Customer Data, content, files, communications, attachments, or other materials submitted, transmitted, stored, processed, disclosed, exported, or otherwise handled by Customers or End Users in violation of applicable law, this Privacy Policy, the Terms of Service, any applicable agreement, or any Customer obligation. Customers remain solely responsible for the legality, accuracy, quality, completeness, appropriateness, collection, submission, configuration, use, disclosure, retention, and deletion of Customer Data, including any Personal Information contained therein.

Customers are solely responsible for configuring and maintaining account settings, access permissions, connected mailboxes, integrations, exports, forwarding rules, user roles, administrator privileges, authentication practices, third-party services, and any other settings or configurations made available through or in connection with the Service. DeskStack shall not be responsible for unauthorized access, disclosure, loss, alteration, deletion, or misuse of information resulting from Customer misconfiguration, weak or compromised credentials, shared passwords, compromised email accounts, insecure devices, third-party integrations, Customer-directed disclosures, exports, forwarding rules, or failure by Customer or its authorized users to follow reasonable security practices.

Customers are solely responsible for determining whether the Service is appropriate for their intended use and whether the Service satisfies any legal, regulatory, contractual, industry-specific, data residency, archival, retention, confidentiality, security, or internal compliance requirements applicable to Customer, its End Users, or Customer Data. Unless expressly agreed in writing, DeskStack does not represent, warrant, or guarantee that the Service will satisfy any Customer-specific compliance, regulatory, data residency, industry, archival, or operational requirement.

DeskStack reserves the right to suspend, restrict, disable, limit, or terminate access to the Service, in whole or in part, where DeskStack reasonably believes that continued access, Processing, storage, transmission, use, or disclosure of information may create legal, security, operational, reputational, compliance, financial, or business risk. DeskStack may preserve, retain, disclose, or process information where reasonably necessary to comply with applicable law, enforce agreements, investigate abuse, prevent fraud, maintain security, resolve disputes, protect legal rights, respond to legal process, or protect DeskStack, Customers, End Users, service providers, or the public.

DeskStack may use aggregated, anonymized, or de-identified information for analytics, benchmarking, reporting, product improvement, security, marketing, research, business planning, and other lawful business purposes, provided such information does not reasonably identify an individual. DeskStack does not guarantee that any Customer Data can be restored after deletion, cancellation, suspension, termination, backup expiration, account closure, or other loss of access unless expressly agreed in writing. Customers are responsible for maintaining their own copies, exports, and backups of Customer Data where such responsibility belongs to the Customer under the applicable agreement.

DeskStack may update, modify, replace, or discontinue operational practices, subprocessors, infrastructure, hosting environments, security measures, data handling processes, technical features, integrations, and service configurations from time to time, provided such changes are made in accordance with applicable law and any applicable agreement. Nothing in this Privacy Policy shall limit DeskStack's rights, remedies, defenses, or protections under the Terms of Service, applicable agreements, or applicable law.