1. INFORMATION WE COLLECT

We collect information you provide directly to us:

• Contact information — name, email, and company name when you book a pentest or contact us
• Payment information — processed securely via Stripe (we never store your full payment details)
• Project details — target domains/IPs, website URLs, agent types, and scope information required to perform security assessments
• Communication data — emails, DMs, and call notes from consultations

2. HOW WE USE YOUR INFORMATION

• To deliver website penetration testing and AI agent security audit services
• To communicate about your engagement and deliverables
• To send you security findings and remediation guidance
• To comply with legal and regulatory obligations (including EU AI Act Article 29)
• To improve our services and client experience

3. DATA SECURITY

As a cybersecurity professional with 10+ years of experience, I implement industry-leading security measures:

• 256-bit SSL encryption for all data transfer
• Dedicated, isolated pentest environment for client assessments
• No storage of client API keys or credentials after testing
• Access controls on all internal systems
• Regular security audits of my infrastructure

🔐 PENTEST & AUDIT DATA

For clients who engage penetration testing services for websites or AI agents:

• All client data is handled on a dedicated, isolated pentest laptop
• Audit reports are encrypted and shared via secure channels (email or encrypted link)
• Client data is deleted 90 days after project completion unless retention is required by law
• I never retain client credentials, API keys, or sensitive system information after testing
• Findings are shared only with authorized client representatives

4. DATA STORAGE LOCATION & TRANSFERS

Client engagement data — including vulnerability findings, reports, scope details, and communications — is stored on infrastructure located within the European Union. Stack of Truths uses EU-based servers (Netherlands) to ensure all client data remains under Dutch and EU jurisdiction, fully compliant with GDPR Chapter V (Articles 44–49) on international data transfers.

No client data is stored or processed outside the EU. In the event of temporary infrastructure maintenance, data remains within EEA borders. By engaging our services, you acknowledge this storage arrangement as meeting the adequacy requirements under GDPR Article 45.

5. EU AI ACT COMPLIANCE

Stack of Truths operates in full compliance with the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689). As an AI security testing provider based in The Netherlands, we adhere to:

• Article 13 — Transparency: Clients are fully informed about testing methodologies and AI system capabilities
• Article 14 — Human Oversight: Every finding is manually validated — no fully automated decisions
• Article 15 — Cybersecurity: All AI systems tested against robustness and accuracy standards
• Article 43 — Conformity Assessment: Our audit reports can be used as evidence of compliance

We do not test or support AI systems engaged in prohibited practices under Article 5 (subliminal manipulation, social scoring, real-time biometric identification, etc.). If discovered, we reserve the right to terminate the engagement and report to the relevant supervisory authority.

6. YOUR RIGHTS (GDPR & CCPA)

Under GDPR (Regulation (EU) 2016/679) and the EU AI Act, you have the right to:

• Access — request a copy of your data
• Correct — update inaccurate information
• Delete — request removal of your data (right to be forgotten)
• Opt-out — unsubscribe from communications
• Portability — receive your data in a structured format
• Object — object to processing of your data
• Human review — request human oversight of AI-based decisions

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the relevant EU AI Act supervisory authority.

For privacy requests, DM @StackOfTruths on X or email pedrojose@stackoftruths.com.

7. DATA RETENTION

We retain your information only as long as necessary to provide services or comply with legal obligations:

• Client engagement records: 7 years (tax/legal requirements)
• Pentest reports and findings: 90 days after project completion, then securely deleted
• Communication emails/DMs: 2 years
• Invoices and payment records: 7 years

8. THIRD-PARTY SERVICES

We use trusted third-party services:

• Stripe — payment processing for pentest services
• Hostinger — website hosting
• Tailscale — secure remote access for infrastructure
• X (Twitter) — social media presence and client communication

Each service has its own privacy policy and data handling practices. Note: We do not use Calendly for bookings — all consultations start with a DM or email first.

9. CONFIDENTIALITY

All pentest findings, reports, and client information are treated as strictly confidential. I do not:

• Share client identities or findings without written permission
• Publish case studies without explicit client consent
• Discuss client engagements publicly

An NDA can be signed before any engagement upon request.

10. COOKIES

Our website uses essential cookies for functionality. No tracking or analytics cookies are used.

11. CHANGES TO THIS POLICY

We may update this privacy policy occasionally. The latest version will always be posted here with the effective date.

12. CONTACT & SUPERVISORY AUTHORITY

For privacy questions or requests:

• X: @StackOfTruths
• Email: pedrojose@stackoftruths.com
• Address: Keurenplein 41, 1069CD Amsterdam, Netherlands

Supervisory Authority (EU AI Act & GDPR):
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands
www.autoriteitpersoonsgegevens.nl

KVK: 94992266 | Location: Amsterdam, Netherlands | EU AI Act & GDPR Compliant