Your files.
Protected.

Your files are stored on Cloudflare R2, a globally distributed object storage platform operated by Cloudflare, Inc. Each user's data is isolated in a dedicated tenant namespace and cannot be accessed by other users.

• Files are stored in tenant-isolated namespaces on Cloudflare R2
• Authentication sessions are managed via Cloudflare D1, a serverless SQL database
• Thumbnail images are generated client-side (in your browser) and stored separately
• Photos are stored at original quality — no compression that alters color profiles

All data transmitted between your device and Stackey is encrypted using TLS (Transport Layer Security), managed automatically by Cloudflare. This applies to file uploads, downloads, search queries, and all API communication.

• In transit: TLS encryption enforced on all connections via Cloudflare edge network
• At rest: Files stored on Cloudflare R2 with server-side encryption

Access to your data is strictly controlled at every layer.

• JWT-based authentication is required for all file operations
• Google OAuth 2.0 is supported for secure sign-in
• Tenant isolation ensures no user can access another user's files
• Internal access to user data is restricted to essential personnel only

Your files are private by default. We do not read, index, or use your files for any purpose other than providing the Stackey service to you.

• Your files are never used for AI training purposes
• Your files are never shared with or sold to third parties
• Stackey does not display advertising and does not share data with advertisers
• You can delete your files at any time — deleted files are permanently removed from our servers within 30 days

Stackey is built entirely on Cloudflare's global edge network:

• Cloudflare Workers — Serverless API, deployed across 300+ locations worldwide
• Cloudflare R2 — Object storage for files and thumbnails
• Cloudflare D1 — Serverless SQL database for authentication and metadata
• Cloudflare Pages — Static asset hosting for the web application
• Automatic DDoS protection and WAF (Web Application Firewall) via Cloudflare
• Global CDN ensures fast access from anywhere in the world

You have full control over your data at all times.

• Deletion: You can delete any file at any time. Deleted files are moved to Trash and permanently removed after 30 days, or immediately via "Delete permanently"
• Download: You can download your original files at any time in their original format and quality
• Account closure: You can request complete deletion of your account and all associated data by contacting us

In the event of a security incident that affects your data, we will:

• Notify affected users as soon as possible
• Report to applicable authorities as required by law
• Provide a clear explanation of what happened and what data was affected
• Take immediate steps to contain and remediate the incident

To report a suspected security vulnerability, please email us at info@1carat.net with the subject "Security Report."

For any security-related questions or to report a vulnerability: