Legal
Privacy Policy
Effective: April 1, 2026
Last updated: April 1, 2026
This Privacy Policy explains how 1carat International Co., Ltd. ("we," "our," or "Stackey") collects, uses, and protects information in connection with the Stackey cloud file management service at stackey.me.
| Company | 1carat International Co., Ltd. |
| Address | 17-2 4F Nihonbashi Kabutocho, Chuo-ku, Tokyo 103-0026, Japan |
| Representative | Michi Mochizuki, CEO |
| Phone | +81-3-6555-5088 |
| Email | Contact |
| Privacy Contact | Michi Mochizuki |
We collect the following types of information when you use Stackey:
- Account information: email address, hashed password, and name provided at sign-up.
- Billing information: payment card details processed and stored by Stripe — we never store full card numbers on our servers.
- Uploaded files and metadata: files you upload and the AI-generated metadata associated with them (file name, document type, date, amount, summary, etc.).
- Access logs: IP address, browser type, referring URL, and timestamps for security and reliability purposes.
- Support communications: the content of messages you send us via email or contact form.
If you connect third-party services (Google Drive, Dropbox, OneDrive), we store authentication tokens on your behalf. We only access the files you explicitly import into Stackey.
We use the information we collect only for the following purposes:
- Providing and improving the Stackey service
- Creating and managing your account
- Running AI analysis to automatically name, categorize, and thumbnail your files
- Processing subscription payments and managing billing
- Sending essential service communications (downtime notices, Terms updates, etc.)
- Responding to support requests
- Detecting and preventing fraud, abuse, and security threats
- Complying with legal obligations
We do not use the contents of your files for marketing or model training, and we never sell your data to third parties.
We do not share your personal information with third parties except in the following circumstances:
- With your consent — when you explicitly authorize a data sharing action.
- Sub-processors — vendors who help us operate the service (see Section 05).
- Legal requirements — when required by law, court order, or government authority.
- Protection of rights — when necessary to protect the safety of persons or property.
We have never sold user data and have no intention of doing so.
To deliver our service, we rely on the following trusted sub-processors. Each is bound by appropriate data processing agreements.
| Anthropic | AI analysis of file content (Claude API) — United States |
| Stripe | Payment processing — United States |
| Cloudflare | File storage and CDN (R2 / Workers) — Global |
| Google | Google Drive OAuth import — United States |
For details on how each sub-processor handles data, please refer to their respective privacy policies.
We use cookies and similar technologies for the following purposes:
- Session management: keeping you signed in during your session.
- Preferences: remembering your interface settings.
- Anonymous analytics: understanding how the service is used in aggregate to improve it.
You can disable cookies in your browser settings. Some features may not function correctly if cookies are disabled.
We do not use cookies for behavioral advertising or cross-site tracking.
We retain your information only as long as necessary for the purposes described in this Policy.
- Account & file data: retained while your account is active; permanently deleted within 30 days of account closure.
- Billing records: retained for 7 years as required by Japanese accounting law.
- Access logs: retained for 90 days.
- Support messages: retained for 1 year after resolution.
We take the security of your data seriously and implement the following measures:
- All data in transit is encrypted with TLS/HTTPS
- Passwords are hashed using industry-standard algorithms — we never store plaintext passwords
- Files are stored encrypted at rest on Cloudflare R2
- API keys and credentials are managed server-side and never exposed to the client
- Access to user data is restricted to personnel on a need-to-know basis
- Regular security reviews are conducted
In the event of a data breach that affects your personal data, we will notify you and applicable authorities as required by law.
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to correct inaccurate data.
- Deletion: request deletion of your data (you can also delete your account directly from your account settings).
- Portability: receive your data in a machine-readable format.
- Objection: object to certain types of processing.
To exercise any of these rights, please contact us using the details in Section 11. We will respond within a reasonable timeframe and may ask you to verify your identity before processing your request.
We may update this Privacy Policy from time to time. When we do:
- For material changes, we will notify you by email or via an in-app notice.
- For minor changes, we will update the "Last updated" date at the top of this page.
- Continued use of the service after changes are posted constitutes acceptance of the updated Policy.
If you have any questions about this Privacy Policy or wish to exercise your rights, please reach out:
© 2026 1carat International Co., Ltd. All rights reserved.
This policy is governed by the laws of Japan.