Privacy Policy

Effective date: March 24, 2026 · Last updated: March 24, 2026

This Privacy Policy describes how Policy Stack ("Company," "we," "us," or "our") collects, uses, stores, and shares information when you use the Service. By using Policy Stack, you agree to the practices described here.

1. Information We Collect

Account Information

  • Name, email address, and plan selection
  • Role (consumer or advisor), firm name, and optional profile fields
  • Google account profile information (if you sign in with Google)
  • Experience level selection (beginner, intermediate, or advanced)

Financial Data

  • Insurance policy details (carrier, policy number, premium amounts, cash values, death benefits)
  • Policy loan information (balances, interest rates, restoration schedules)
  • Capital deployment records (amounts, returns, cash flows, valuations)
  • Promissory notes and payment records
  • Financial goals and progress tracking
  • Saved tool scenarios (debt sequencer, income stacker, and other calculator inputs)

All financial values are encrypted at rest using AES-256-GCM field-level encryption via Supabase Vault. This means individual financial fields are encrypted in the database, not just the disk they reside on.

Documents

  • Uploaded files (annual statements, policy illustrations, loan confirmations) stored in encrypted Supabase Storage with household-scoped access controls and signed URLs with 1-hour expiry

AI Interaction Data

  • Chat messages you send to the AI assistant (encrypted at rest)
  • AI-generated responses and weekly insight content
  • Feedback you provide on AI insights
  • Document images submitted for OCR extraction

Billing Information

Payment details (credit card numbers, billing addresses) are collected and processed entirely by Stripe. We store only your Stripe customer ID, subscription status, and invoice history — never your card number or full billing details.

Automatically Collected

  • Usage data: pages visited, features used, session duration, and interaction events
  • Device and browser data: IP address, browser type, operating system, and device identifiers
  • Log data: server logs including request timestamps, errors, and performance data
  • Authentication session data (managed by Supabase)
  • Activity log entries (what actions you take within the app, for your own audit trail)

Browser Local Storage

We store your theme preference and tool calculator inputs in your browser’s local storage so they persist between visits. This data never leaves your device.

2. How We Use Your Information

We use your information to:

  • Create and maintain your account
  • Provide, operate, and improve the Service
  • Process payments and manage subscriptions
  • Power AI features (chat assistant, OCR document extraction, weekly insights)
  • Respond to support requests
  • Send transactional emails (confirmation, receipts, collaboration invitations)
  • Send product updates and announcements (opt out anytime)
  • Maintain an activity log for your own audit purposes
  • Enable collaboration features when you invite a partner
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Analyze usage patterns to improve features and performance

We do not sell your personal information. We do not use your financial data to train machine learning models without your explicit consent.

3. How We Share Your Information

3.1 Service Providers

Supabase — Database, authentication, and storage infrastructure

All your account data, financial records, and uploaded documents are stored on Supabase infrastructure (PostgreSQL on AWS, US region). Supabase manages authentication sessions and provides row-level security ensuring you can only access your own data.

Stripe — Payment processing and subscription management

Handles all billing, subscription management, and payment collection. We send Stripe your email address to create a customer record. Stripe stores and processes your payment method — we never see or store your full card details.

OpenRouter — AI model routing

Routes AI requests to language models (currently Anthropic Claude and Google Gemini). When you use AI features, relevant data is sent to OpenRouter, which forwards it to the appropriate model provider. OpenRouter does not retain input data for training. See openrouter.ai/privacy.

Resend — Transactional and product email delivery

Sends collaboration invitation emails and optional weekly AI insight emails on our behalf. Receives recipient email addresses and email content.

Google — Authentication (optional)

If you choose “Sign in with Google,” Google provides your email and basic profile to Supabase for account creation. Google Fonts (Inter, Lora) are self-hosted by our application at build time and are not loaded from Google’s servers at runtime.

Vercel — Application hosting and edge delivery

Hosts the Policy Stack web application and serves static assets.

3.2 Advisor-User Relationships

If you are a consumer connected to an advisor on Policy Stack, your advisor may access data you have explicitly shared through the platform’s collaboration features. You control this access.

  • Seat assignment: When an advisor seats you, they receive read-only access to your policy, loan, deployment, and goal data. You consent to this data sharing when you accept the seat invite.
  • Connections: You can disconnect from an advisor at any time. Revocation is immediate — the advisor loses access to your data as soon as you disconnect.
  • Team members: Advisor team members may view your data through the advisor’s connections and seats. Team members have portal-only access and cannot modify your data.

3.3 Smart List and Workflow Data Processing

Advisors may use Smart Lists to query across their connected and seated clients’ policy and financial data to segment clients. This data is not shared externally and powers advisor-facing notifications only.

Advisor Workflows evaluate client signals (anniversary dates, engagement metrics, financial thresholds) to generate advisor-facing notifications. No client-facing emails are sent by workflows.

3.4 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect the rights, property, or safety of Policy Stack, its users, or the public.

3.5 Business Transfers

If Policy Stack is acquired or merges with another entity, your information may transfer as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3.6 With Your Consent

We may share your information for other purposes with your explicit consent.

4. Data Storage and Security

4.1 Storage

Data is stored in Supabase-managed infrastructure hosted on AWS in the United States. Sensitive financial data fields (policy numbers, cash values, loan amounts, deployment amounts) are encrypted at rest using AES-256-GCM.

4.2 Security Measures

  • Field-level encryption: All financial values encrypted at rest using AES-256-GCM
  • Row-level security: Every database query enforces RLS policies — you can only access your own data
  • Transport encryption: All data in transit encrypted via TLS 1.2+
  • AI message encryption: Chat messages to and from the AI assistant are encrypted at rest
  • Multi-factor authentication: Optional TOTP-based MFA available in account settings
  • Minimal access: We do not use a service-role database bypass except for account deletion
  • Regular reviews: Security reviews and dependency updates

No method of transmission or storage is 100% secure.

4.3 Data Retention

We retain account data for as long as your account is active. After account closure, data is retained for a 30-day grace period, then permanently deleted. Uploaded documents are automatically deleted after 30 days (or per applicable data retention requirements). Billing records are retained for 7 years per legal requirements.

You can permanently delete your account at any time from Settings > Profile > Danger Zone. Account deletion removes your profile, policies, snapshots, deployments, loans, goals, documents, AI messages, and all associated data. Activity log entries are retained after account deletion with your user ID removed (anonymized) for system integrity purposes.

5. AI Features and Data Processing

Policy Stack uses third-party AI models via OpenRouter to power document extraction, the AI Assistant, and AI Insights.

When you use these features:

  • Relevant content (document text, your questions, contextual policy data) is transmitted to OpenRouter, which routes it to the appropriate model provider
  • Neither OpenRouter nor the underlying model providers use API inputs to train generative models
  • We do not send unnecessary personal identifiers to the API
  • AI outputs are illustrative only and do not constitute financial advice

See our AI Usage Policy for full detail on AI feature scope and limitations.

6. Your Rights and Choices

6.1 Access and Correction

Update your account information at any time through account settings. Contact support@policystack.co for corrections not available in-app.

6.2 Data Export

Export your financial data at any time through the Export feature in account settings.

6.3 Account Deletion

Request deletion by contacting support@policystack.co or use the Danger Zone in account settings. Requests are processed within 30 days, subject to retention requirements in Section 4.3.

6.4 Marketing Emails

Opt out at any time via the unsubscribe link in any email or through notification preferences in account settings. Transactional emails cannot be disabled while your account is active.

6.5 California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information (via account deletion in Settings)
  • Correct inaccurate personal information
  • Opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising
  • Non-discrimination — we will not discriminate against you for exercising your rights

Contact support@policystack.co. We will respond within 45 days.

6.6 EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, our legal basis for processing your data is:

  • Contract performance — processing necessary to provide the service you signed up for
  • Legitimate interest — maintaining security, preventing fraud, improving the service
  • Consent — for optional features like AI insights emails (which you can disable at any time)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability (export your data via Settings > Export Data)
  • Withdraw consent at any time for consent-based processing
  • Lodge a complaint with your local data protection authority

Your data is transferred to and processed in the United States. By using Policy Stack, you acknowledge this transfer. We rely on our service providers’ data protection measures (including Standard Contractual Clauses where applicable) to safeguard international transfers.

7. Cookies

7.1 What Are Cookies

Cookies are small text files placed on your device. We use cookies and similar technologies (local storage, session tokens) to operate and improve the Service.

7.2 Types of Cookies We Use

Strictly Necessary — Required for the Service to function. Cannot be disabled.

Cookie | Purpose | Duration
sb-auth-token | Supabase authentication session | Session
csrf-token | Cross-site request forgery protection | Session

Functional — Remember your preferences.

Cookie | Purpose | Duration
ps-theme | UI theme preference | 1 year
ps-onboarding | Onboarding completion state | 1 year

Analytics — Understand how the Service is used. Privacy-respecting; no individual fingerprinting or ad network sharing.

Cookie | Purpose | Duration
_ps_session | Anonymous session analytics | 30 days

7.3 What We Do Not Do

  • No advertising cookies
  • No data shared with ad networks
  • No third-party tracking pixels

7.4 Managing Cookies

Control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning. Opt out of analytics cookies through your account privacy settings.

8. Collaboration and Shared Access

You may invite a partner (spouse, business partner, or advisor) to access your account via the Collaboration feature. When accepted, your partner gets full read and write access to your policy, loan, deployment, and goal data. You can revoke partner access at any time from Settings.

9. Children’s Privacy

The Service is not directed to children under 18. We do not knowingly collect information from children under 18. Contact support@policystack.co immediately if you believe we have done so.

10. Third-Party Links

The Service may link to third-party sites. We are not responsible for their privacy practices.

11. Changes to This Policy

Material changes will be communicated at least 14 days before taking effect. The “last updated” date reflects the most recent revision.

12. Contact Us

For privacy questions, data requests, or concerns:

Policy Stack
Email: support@policystack.co
policystack.co/privacy

Policy Stack

Policy Stack helps whole life banking practitioners track, model, and manage their banking system with full clarity, integrity, and control.

The Infinite Banking Concept® and Becoming Your Own Banker® are registered trademarks of Infinite Banking Concepts, LLC. Policy Stack is independent of and is not affiliated with, sponsored by, or endorsed by Infinite Banking Concepts, LLC or the Nelson Nash Institute.

© 2026 Policy Stack. All rights reserved.