Privacy Policy

Effective Date: February 19, 2026

Stakk stores all your data locally on your device. We do not collect, transmit, or store any personal information on external servers. Your IDs never leave your phone.

1. Introduction

Stakk (“the App”) is a digital ID wallet that allows you to scan, store, and present identification cards on your mobile device. This Privacy Policy explains what information we handle, how we handle it, and your rights regarding that information.

Stakk is developed and maintained by Joseph Koller (“we,” “us,” or “our”).

2. Information We Collect

We do not collect any personal information. All data created within the App is stored exclusively on your device and is never transmitted to any external server. The types of data stored locally include:

  • Card images (encrypted with AES-256-GCM)
  • Card metadata (stored in an encrypted local database)
  • OCR text extracted from your cards (processed entirely on-device using Google ML Kit)
  • Authentication data (stored as a PBKDF2-HMAC-SHA256 hash, never in plain text)
  • App preferences and settings

3. Permissions & Hardware Access

The App requests the following hardware permissions:

Permission | Purpose | Data Handling
Camera | Capture images of physical cards for scanning | Processed and stored on-device only; never uploaded
Biometric / Fingerprint | Authenticate you to unlock the App | OS-level only (see details below); app receives pass/fail only

Biometric Authentication Details

Stakk uses the Android BiometricPrompt API for authentication. This means:

  • The App never accesses, collects, or stores actual biometric identifiers such as fingerprint templates, facial geometry, or iris scans.
  • All biometric matching is performed entirely by the Android operating system in a secure hardware enclave.
  • The App only receives a pass/fail result from the operating system — it has no access to the underlying biometric data.
  • For purposes of the Illinois Biometric Information Privacy Act (BIPA) and similar state laws: Stakk does not collect, capture, purchase, receive through trade, or otherwise obtain any biometric identifier or biometric information.

4. Data Security

We take the security of your data seriously. Security measures include:

  • AES-256-GCM encryption for all stored card images and data
  • Encrypted local database (SQLCipher or equivalent)
  • Android Keystore for cryptographic key management
  • PBKDF2-HMAC-SHA256 hashing for PIN storage (100k iterations)
  • Screenshot blocking in the App switcher
  • Auto-lock after a configurable period of inactivity
  • Secure deletion of data when cards are removed

5. Data Sharing

We do not share your data with anyone. There are no external servers, no analytics services, no advertising networks, and no third-party data processors involved in the operation of Stakk. Your data stays on your device, full stop.

6. Data Retention and Deletion

Because all data is stored locally on your device, you are in full control of retention and deletion. You can:

  • Delete individual cards from within the App at any time
  • Clear OCR text from any card
  • Perform a full reset of the App to remove all data
  • Uninstall the App, which removes all associated data from your device

7. No Tracking Technologies

Stakk does not use any tracking technologies. Specifically, the App contains:

  • No cookies or web tracking
  • No analytics or telemetry SDKs
  • No crash reporting services
  • No advertising SDKs or ad networks
  • No device fingerprinting
  • No usage statistics collection

8. Children's Privacy

Stakk is not directed at children under the age of 13. Users must be at least 13 years of age to use the App. We do not knowingly collect personal information from children under 13. Because we do not collect any personal information from any user, this requirement is met by design.

If we learn that a child under 13 has used the App, we have no means of identifying them because no data is transmitted to us and no user accounts exist.

9. For California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information.

Stakk does not collect, sell, or share personal information as defined by Cal. Civ. Code § 1798.100 et seq. Because no personal information is collected, there are no categories of personal information to disclose, no sales of personal information to opt out of, and no personal information shared with third parties.

10. For Users in the European Economic Area (EEA)

If you are located in the European Economic Area, the following additional information applies under the General Data Protection Regulation (GDPR):

  • Legal Basis: Our legal basis for processing is legitimate interest under Article 6(1)(f) GDPR — specifically, enabling local-only processing on your device for personal ID management. No data is transmitted to or processed by us.
  • Data Controller: Joseph Koller.
  • Data Subject Rights: You have the right to access, rectify, erase, and port your data. Because all data is stored locally on your device, you exercise these rights directly through the App's built-in functions (view, edit, delete cards, and full reset).
  • No Cross-Border Transfers: Your data never leaves your device and is never transferred to any server, in the EU or elsewhere.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

11. Google Play Data Safety

The information in this Privacy Policy is consistent with the data disclosures in our Google Play Store Data Safety section. As declared in the Play Store: Stakk does not collect or share any user data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, the effective date at the top of this page will be updated to reflect the date of the most recent revision. We encourage you to review this policy periodically.

13. Contact

If you have questions or concerns about this Privacy Policy, please reach out through our support page. A dedicated support email will be available soon.


Copyright © 2026 Joseph Koller. All rights reserved.