PRIVACY POLICY

01 Introduction

02 Scope

03 Who we are

04 Who this policy applies to

05 Local laws and conflict

06 Other policies

07 Where we collect data from

08 Why we collect data

09 Grounds for collecting data

10 Approach to individual consent

11 Personal data of dependents

12 Using data for anything else

13 Reporting harm

14 Special personal data

15 Data minimization, accuracy

16 Transparency of the processing

17 Individual rights

18 Security and confidentiality

19 Direct marketing

20 Automated decision making

21 Transfer of personal data, p. 1

22 Transfer of personal data, p. 2

23 Transfer of personal data, p. 3

24 Transfer of personal data, p. 4

25 Overriding interest

26 Supervision of data protection

27 Training

28 Audits and compliance

29 Data protection

30 Privacy by design

31 Complaints procedure

32 Legal issues

33 Updates to this policy

34 Contacting us

We last updated this policy on September 18, 2025. You should check to see if any of the terms have changed since you last read them.

Introduction

We at Stacked aim to handle information with care. In particular, the security and confidentiality of all sensitive and private information must be safeguarded in accordance with applicable laws and regulations. This policy aims to provide a clear statement on the protection of personal data in order to provide for an adequate level of protection for customers, guests, and business partners globally.

Scope

This policy pertains to the personal data of natural persons that are, or are employed by, users, customers, visitors, employees, contractors, investors, suppliers and vendors of Stacked. This policy does not apply to any other data relating to corporate, institutional or governmental bodies except where local law determines otherwise.

These terms are binding on Stacked as a data controller and do not apply when Stacked is acting as a data processor for a third party.

Who we are

Your data is collected, stored, and managed by Stacked Platforms, Inc., a Delaware corporation with File No. 10298754. Our registered address is:

131 Continental Dr, Suite 305,
City of Newark, County of New Castle,
Delaware 19713

If you need to write to us, please refer to the contact details at the bottom of this policy.

Who this policy applies to

If you visit or use our websites or mobile apps, otherwise participate in any activity operated by Stacked, you agree to this policy and understand it applies to you. You must be at least 16 years of age to use our services, and if you’re under the age required, you must have your parent or legal guardian’s permission to use our services. Please have your parent or legal guardian read these terms with you. If you’re a parent or legal guardian, and you allow your child to use the services, then these terms apply to you and you’re responsible for managing your child’s data with us and ensuring its accuracy.

Local laws and conflict

Stacked must always comply with any applicable legislation relating to personal data. Individuals keep any rights and remedies they may have under applicable local law. Therefore, these terms apply only where it provides supplemental protection compared to local law. Some requirements are qualified by the wording “if applicable local law so requires.” if this qualifier is included in any provision and local law has a similar provision, then the stricter of these terms or local law are followed.

Other policies

These terms operate in conjunction with our terms of service which apply to Stacked worldwide. In case of conflict between these terms and our terms of service, these terms prevail. Furthermore, these terms may be complemented through other policies that are consistent with these terms. All Stacked data protection policies and notices that are not consistent with these terms or impose less restrictive requirements will be superseded by these terms.

Where we collect data from

When an individual interacts with us, signs up for a membership, registers for guest pass, or creates an online account with us, they provide us with personal information that includes their name and contact information. In some cases, we may gather additional information such as medical history or payment information. Even if you aren’t signed in to a membership, you might choose to provide us with information — like an email address to receive updates about our services.

Why we collect data

We process personal data for the following reasons: 

  • Confidential assessments and analyses. This includes collecting your data about yourself and your health history to provide recommendations and advice, limit risks, and to facilitate your wider experience at Stacked. 

  • Personalizing your experience. This includes sharing information about your health, health history, needs, goals, physiological data, biomarkers, preferences, and behavior across the Stacked ecosystem, including meditation teachers, event facilitators, and community managers, as needed, to ensure that you have a personalized and effective experience. 

  • Delivering our services. This addresses facilitating your wider experience across the Stacked ecosystem, both online on our platforms and in-person. 

  • Product development, research and improvement of Stacked products and/or services. This purpose addresses processing that is necessary for the development and improvement of Stacked products and/or services, research and development.  

  • Performing agreements with customers, vendors and suppliers including making recommendations on Stacked services, communication with individuals and other parties involved in contracts and responding to requests for (further) information for customers, vendors or suppliers, dispute resolution and development;

  • Relationship management and marketing for commercial activities including processing necessary for the development and improvement of Stacked products and/or services, account management, customer service and the performance of (targeted) marketing activities in order to establish a relationship with a customer and/or maintaining as well as extending a relationship with a customer, vendor or supplier and for performing analyzes with respect to personal data for statistical and scientific purposes;

  • Business process execution, internal management and management reporting addressing activities such as addressing operational issues, managing company assets, conducting internal audits and investigations, finance and accounting, implementing business controls,, managing mergers, acquisitions and divestitures and processing personal data for management reporting and analysis;

  • Safety and security. This purpose addresses activities such as those involving safety and health, the protection of Stacked and our staff, customer, suppliers, or vendors and the authentication of staff, customer, supplier or vendor data, status, and access rights;

  • Protecting the vital interests of individuals. This is where processing is necessary to protect the vital interests of an individual, e.g., for urgent medical reasons or to prevent harm to you or someone else;

  • Compliance with legal obligations. This addresses the processing of personal data as necessary for compliance with laws, regulations and sector specific guidelines to which Stacked is subject, e.g., reporting criminal or harmful activity to law enforcement authorities or complying with a request from the police. 

Our grounds for collecting data

Furthermore, all processing of personal data must be based on one of the following grounds:

  1. an individual’s consent;

  2. that it is necessary for the performance of a contract with the individual;

  3. that it is necessary for compliance with a legal obligation to which the data controller is subject;

  4. that it is necessary to protect the vital interests of the individual or another person;

  5. that it is necessary to perform a task carried out in the public interest;

  6. that is necessary for the purposes of the data controller’s legitimate interests, except when the interests are overridden by an individual’s interests or rights.

Our approach to individual consent

When seeking an individual’s consent, Stacked will inform the individual in clear and plain language of the intended processing. Consent must be given by a statement or clear affirmative action. Where processing is undertaken at the individual’s request, the individual will have been deemed to have provided consent. If a business purpose as described above does not exist or if applicable local law so requires, Stacked shall (also) seek the individual’s consent. Additionally, Stacked shall provide simple, fast and efficient procedures that allow the individual to withdraw his consent at any time.

Personal data of dependents

We process personal data of dependents, such as a child or spouse, of individuals if:

  1. the personal data were provided with individual’s or dependent’s consent; or

  2. the processing of the data is reasonably necessary for the performance of a contract with the individual; or

  3. the processing is required or permitted by applicable local law.

Using your data for anything else

Generally, Stacked will only use personal data for the purposes for the original purpose. Processing the personal data for a secondary purpose is only permitted if the original and secondary purposes are closely related (and therefore, required) or with the consent of the individual.

A closely related secondary purpose exists provided that necessary arrangements are made for:

  1. Transfer of the personal data to an archive; or

  2. Referral to a senior supervisor in the case of complex cases or concerns; or 

  3. Personalizing your Stacked experience; or 

  4. Ethical or legal reporting requirements; or 

  5. Internal audits or investigations; or

  6. Implementation of business controls; or

  7. Statistical, historical or scientific research; or

  8. Dispute resolution or litigation; or

  9. Legal or business consulting; or

  10. Insurance or indemnity purposes.

Where the use of personal data for a secondary purpose has an adverse impact on the individual’s privacy, Stacked will take additional measures as necessary, such as a) limited access to the personal data, b) additional confidentiality requirements, c) additional security measures, d) informing the individual, or e) providing an opt-out opportunity.

Reporting harm

We have an ethical and legal obligation to report actual or suspected harm against any individual. In circumstances where we need to do so, either as a matter of policy or as required by law, we will exercise discretion as to the nature and extent of the information we share. In such circumstances, we may not necessarily inform the individual in question about our actions, as allowed by law.

Processing special personal data

As a general principle, we will not process special personal data except:

  1. with the explicit consent of the individual;

  2. where personal data have manifestly been made public by the individual;

  3. if the processing is necessary for the establishment, exercise or defense of legal claims or when courts act in their judicial capacity;

  4. if the processing is necessary to comply with an obligation of local law;

  5. if the processing is necessary to protect the individual’s vital interest, but only where it is Impossible to obtain the individual’s explicit consent first.

Specifically, Stacked processes racial or ethnic and criminal data in the following instances:

  1. racial or ethnic data (such as photos or videos): Stacked may take photos or videos of individuals with their consent at business events and keep these photos or videos for promotion purposes. Stacked may also process individual’s photos I) for inclusion in supplier directories, ii) for the protection of customer assets as well as Stacked and employee assets, iii) for site access and security reasons and iv) to comply with legal obligations.

  2. criminal data may be processed by Stacked to protect its interests.

Data minimization, accuracy and storage limitation

Processing of personal data by Stacked shall be guided by the principle of data minimization. This means that Stacked only processes personal data that are reasonably adequate for and relevant to the applicable purposes and not be kept longer than necessary for the purposes. Promptly after a retention period has ended, the personal data will be deleted, anonymized or transferred to an archive (unless this is prohibited by law or an applicable records retention schedule).

Stacked applies commercially reasonable efforts to keep the personal data accurate, complete and up to date. It is the individual’s responsibility to inform Stacked regarding any changes to their data.

Transparency of the processing

Stacked provides individuals, generally through privacy policies or notices, with information regarding:

  1. The identity and contact details of the Stacked company responsible for the processing and the data protection lead

  2. The categories of personal data concerned, the purposes and the grounds of the processing. 

In addition and if local law so requires, Stacked provides individuals with the following information:

  1. legitimate interests pursued by Stacked if the processing is based on this ground;

  2. where applicable, the (category of) recipients of the data;

  3. where applicable, the international transfer of the personal data to a third party;

  4. the period for which the personal data will be stored or the criteria used to determine this;

  5. the existence of data subject rights of the individual;

  6. if applicable, the existence of automated decision making including profiling.

Individual rights

Individuals have the following rights with regard to their personal data:

  1. Access to the personal data Stacked processes relating to them;

  2. Rectification of the personal data in the event that the personal data are factually inaccurate,

  3. Incomplete or irrelevant to the purposes of the processing;

  4. Deletion of the personal data in the event that the personal data are incorrect, incomplete or not processed in compliance with applicable law or these terms.

The individual should send their request to the data protection lead or any other responsible function indicated in the relevant local complaints procedures. If no contact person or contact point is indicated, the individual may send his request to Stacked using the contact details indicated in the general contact section of the local Stacked website.

Stacked will inform the individual in writing as to whether, and if so to what extent, the request will be granted, or the ultimate date on which he will be informed. The response will be provided at the latest within one month of receipt of the request. If necessary and taking the complexity and the amount of the requests into account, this period may be extended for a maximum of two months.

An individual may file a complaint if a) the response to the request is unsatisfactory, b) he has not received a response as required or c) the time period is unreasonably long and the individual’s objection to this has not resulted in a shorter period.

Stacked may deny individual’s request if a) the request relates to a large quantity of personal data or is not made sufficiently specific and the individual does not respond to a request to further specify the request, b) the request is made within an unreasonable time interval of a prior request or otherwise constitutes an abuse of rights or c) the request entails a restriction, erasure, blockage or deletion of personal data that Stacked is required by law or any other legitimate reason to retain or process. The individual will be informed of the motivation for the denial of its request.

Security and confidentiality requirements

Stacked takes appropriate commercially reasonable technical and organizational measures to protect the personal data against misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access. Stacked will ensure that only authorized and trained staff members may process data.

Stacked will also ensure that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data will be notified to the competent supervisory authority and individuals taking into account the requirements under applicable law.

Direct marketing

If Stacked processes personal data for direct marketing purposes, the individual will be informed. If applicable law so requires, Stacked will only send unsolicited commercial communication with the prior consent of the individual and offer them the opportunity to opt-out of further direct marketing communication. The individual can object to receiving marketing communications from Stacked or withdraw his consent. In that event, Stacked will take steps to immediately cease the processing for direct marketing purposes. Stacked will not knowingly use any personal data of individuals under the age of sixteen years for direct marketing.

Automated decision making, including profiling

Individuals will not be subjected to decisions that have legal consequences for them and have been taken solely on the basis of the automated processing, including profiling. Automated decision making is allowed when 1) the decision is necessary for the conclusion or execution of a contract between Stacked and the individual, 2) local law authorizes automated decision making and suitable measures are taken to safeguard the individual’s rights and freedoms or 3) the individual has given its explicit consent.

Transfer of personal data to third-party controllers

Stacked shall only transfer personal data to a third-party controller if the transfer serves a) the legitimate purposes for which the personal data is processed and b) the transfer is compatible with the purpose for which the personal data were initially collected. Stacked shall enter into a written agreement with the third-party controller.

Transfer of personal data to data processors

If Stacked uses a data processor, Stacked will ensure that this processor:

  1. provides adequate technical and organizational measures to protect the personal data against loss or any form of unlawful processing;

  2. only processes personal data on the instructions of the relevant Stacked company that acts as a data controller; and

  3. only enlists a sub processor with the prior written consent of the Stacked company acting as the data controller. 

The responsibility toward the individual for the compliance of a processor engaged by the Stacked company with a processor agreement lies with Stacked.

Transfer of personal data to third-party processors

The Stacked company acting as data controller will enter into a written contract with the third-party processor or provide a power of attorney to another Stacked company or employee to do so on its behalf. The contract will include at least the following obligations:

  1. processing in accordance with the documented instructions from and for the purposes authorized by Stacked;

  2. confidentiality of the personal data by the third-party processor and its duty to impose confidentiality on persons authorized to process the personal data;

  3. appropriate security measures by third-party processor to protect the personal data and assist Stacked in complying with its obligations with respect to security;

  4. enlist sub processors only with the prior written authorization of Stacked and impose on the sub processor the same obligations as imposed on the third-party processor under the written contract whereas the initial processor remains fully liable to Stacked for the performance of sub processor’s obligations;

  5. assist Stacked in complying with its obligations to respond to individual’s rights, such as right of access and rectification;

  6. Stacked’s right to review compliance by the third-party processor with its obligations under the processor agreement;

  7. promptly informing Stacked of any actual or suspected security breaches;

  8.  taking adequate remedial measures as soon as possible in the event of any actual or suspected security breach and promptly providing Stacked with all relevant information and assistance as requested by Stacked;

  9. deletion or return of (copies of) personal data to Stacked upon its request after the end of the provision of data processing services unless applicable law requires storage.

Transfer of personal data to a third party in a country that does not provide an adequate level of protection

The transfer personal data to a third party in a country that does not provide an adequate level of protection is only permitted if one of the following applies:

  1. contract between Stacked and the relevant third party that provides for safeguards at a similar level of protection as that provided by these terms or the contract shall conform to any model contract requirements under applicable local law, if any; or

  2. third party has been certified under any other program that is recognized as providing an “adequate” level of protection; or

  3. binding corporate rules implemented by the third party, an approved code of conduct, an approved certification mechanism or a similar transfer control mechanism which provide adequate safeguards under applicable law. Prior to transfer, these terms may be approved by data protection authorities.

An incidental transfer may also take place if it is absolutely necessary for:

  1. Performance of a contract with the individual or to take necessary steps at the request of the individual prior to entering into a contract;

  2. The conclusion or performance of a contract concluded in the interest of the individual between Stacked and a third party; or

  3. To protect a vital interest of the individual; or

  4. The establishment, exercise or defense of legal claims; or

  5. To satisfy a pressing need to protect an important public interest (prior approval of the data protection lead is required and suitable measures must be taken to safeguard the legitimate interests of the individual); or

  6. If the transfer is required or permitted by any law or regulation to which the relevant Stacked company is subject (prior approval of the data protection lead is required and suitable measures must be taken to safeguard the legitimate interests of the individual).


In the event that none of the above measures are in place or if local law so requires, Stacked shall (also) request an individual’s consent for the transfer of personal data to a third party located in a country without an “adequate” level of protection. Prior to this request, Stacked shall inform the individual as to the a) purpose of the transfer, b) identity of the transferring Stacked company, c) identity of the (categories of) third parties to which personal data will be transferred, d) categories of data, e) country to which personal data will be transferred and f) the fact that personal data will be transferred to a country without an “adequate” level of data protection.

Overriding interest

An overriding interest may exist where the processing is necessary in the interest of a) the protection of the legitimate business interests of Stacked or the continuity of Stacked business operations, b) preventing or investigating (including cooperating with law enforcement) suspected or actual violations of law; or otherwise protecting or defending the rights or freedoms of Stacked, its employees or other persons. Setting aside obligations of Stacked or rights of individuals based on an overriding interest, requires approval by our data protection team.

Supervision of data protection and responsibilities

Every employee at Stacked is responsible and accountable for compliance and implementation of these terms and reports directly to a line manager who makes regular reports for the Stacked management team. Stacked HQ, located in Delaware, has the responsibility for cooperating with, acting as contact point for the data protection supervisory authorities and as a contact point for any data subjects globally.

Training

Stacked staff members who have access to personal data receive information and instructions in order to properly implement these terms. Staff members with permanent or regular access to sensitive data are trained and informed on the handling and protection of data in connection with these terms. Attending training courses, which are to be repeated at regular intervals, is mandatory for staff members.

Audits and compliance

The Stacked internal audit department evaluates and reports on compliance with these terms on a regular basis. In the event of non-compliance, the relevant audit professional will work with the relevant data protection lead and Stacked HQ to take remediation measures. The audit professional will track the progress of these measures. The audit covers all aspects of these terms and shall be carried out in the course of the regular activities of audit or at the request of Stacked HQ. Stacked HQ can also request an audit conducted by an external auditor.

The competent data protection authorities can conduct an audit of a participating Stacked company itself or have it conducted by an accredited independent auditor. Such an official audit is limited exclusively to compliance by the participating Stacked company.

Data protection and security impact assessment

In the event the personal data is likely to present a high degree of risks to the rights and freedoms of individuals, Stacked will carry out an assessment of the impact of an envisaged processing. This assessment will include an assessment of the risks to the rights and freedoms of individuals, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data and compliance with these terms.

Privacy by design

Stacked shall adopt internal policies and shall implement appropriate measures that meet the principles of data protection by design and by default. This means:

  1. implementation of appropriate technical and organizational measures and procedures at the time of the determination of the means and at the time of the processing itself in order to comply with these terms;

  2. implementation of mechanisms for ensuring that only those personal data are processed which are necessary for each specific purpose, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms must ensure that personal data are not accessible to an indefinite number of individuals.

Complaints procedure

Individuals can file a complaint in the event Stacked does not comply with these terms or violates their rights under applicable law. The local complaints procedure shall ensure the initiation of an investigation and ensure the involvement of the appropriate data protection lead. If appropriate, a consultation with a government authority that has jurisdiction over a particular matter about the measures to be taken will take place.

Stacked shall inform the individual within one month after the receipt of the complaint either I) of its position as to the complaint and any action taken or to be taken by Stacked or ii) when the individual will be informed of its position, which date shall be no later than one month thereafter. If necessary, extension of this period is possible for a maximum of two months. Stacked will inform the individual as to the extended period.


Complaint may also be escalated with Stacked HQ if:

  1. the resolution by the appropriate business unit is unsatisfactory;

  2. the individual has not received a response as described above;

  3. the time period provided to the individual is unreasonably long and individual’s objection has not resulted in a shorter period in which he will receive a response;

  4. the response is unsatisfactory.

Legal issues

These terms shall be governed by and interpreted in accordance with Delaware law and complaints shall be supervised by the Delaware Department of Justice.

Any complaints or claims of an individual concerning supplemental rights under these terms shall be directed to the local Stacked legal entity or directly to Stacked’s HQ. 

Individuals can choose to file complaints or claims concerning supplemental rights with the local competent supervisory authority or with the Delaware Department of Justice. Individuals can choose to lodge claims before a competent court in Delaware.

Additional safeguards, rights or remedies under these terms are granted by and enforceable against Stacked corporations or the local Stacked entity. Stacked is only liable for direct damages suffered by an individual resulting from a violation of these terms. Where individuals can demonstrate that they have suffered damage and establish facts which show that it is likely that the damage has occurred because of a breach of these terms, Stacked will have to prove that the relevant Stacked company was not responsible for the breach of these terms.

Updates to this policy

We change this privacy policy from time to time. We always indicate the date the last changes were published and we offer access to archived versions upon request for your review. If changes are significant, we’ll provide a more prominent notice (including, for certain services, a written notification of intended changes).

Contacting us

If you need to contact us, you can do so by email or post.


Send us an email:

privacy@withstacked.com


Write to us in the post:

Legal & Compliance

Stacked Platforms, Inc.

1111B S Governors Ave, STE 39416

Dover, DE 19904

United States of America