Privacy Policy
Last updated: February 2026
1. Introduction
Liftstack ("we", "us", or "our") operates the Liftstack platform at liftstack.net. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
2. Information We Collect
Account information
When you register, we collect:
- Username
- Email address
- Password (stored as a cryptographic hash — we never store your plaintext password)
- Marketing communication preference (opt-in/opt-out)
Workspace and campaign data
When you use the platform, we store:
- Workspace names and membership information
- Snippet content (subject lines, hero blocks, CTAs) you create
- Campaign configuration and assignment records
- Analytics results generated by our Bayesian analysis engine
Subscriber data from integrations
When you connect an email service provider (Klaviyo, Customer.io, or Iterable), we receive and process data about your subscribers on your behalf. This data may include:
- Subscriber email addresses and profile identifiers
- Profile attributes and segment membership (used for audience sync and stratified assignment)
- Engagement events — clicks, opens, conversions, and unsubscribes — including URLs, timestamps, and user-agent strings
We process this subscriber data solely to provide the A/B testing service you have configured. We act as a data processor for this data — you remain the data controller and are responsible for having a lawful basis (such as legitimate interest or consent) to share your subscribers' data with Liftstack. See section 6 for details on our processor obligations.
We also write a single JSON property (lf_assignments) back to subscriber profiles in your ESP to enable variant rendering in your email templates. This property contains only variant assignment identifiers — no personal data.
Technical data
We automatically collect limited technical data to ensure the service operates correctly:
- Error reports (via Sentry) — these may include request metadata but do not include personal data
- Server logs for security and debugging purposes
3. How We Use Your Information
We use your information to:
- Provide the service — run A/B tests, generate analytics, and manage your campaigns
- Authenticate and secure your account — verify your identity and prevent unauthorised access
- Process payments — manage your subscription via our payment processor
- Send product updates — only if you have opted in to marketing communications
- Monitor errors and improve the service — identify and fix bugs via error tracking
4. Legal Basis for Processing (GDPR)
Under the GDPR and UK GDPR, we process your data on the following bases:
- Contract performance — processing necessary to provide the service you have signed up for
- Legitimate interest — error monitoring and service improvement, where these interests are not overridden by your rights
- Consent — marketing communications, which you can opt out of at any time via your account settings
5. Cookies and Tracking
We use only strictly necessary cookies:
- Session cookie — keeps you logged in. This is a signed cookie that does not contain personal data.
- CSRF cookie — protects against cross-site request forgery attacks.
We do not use analytics cookies, advertising cookies, or any third-party tracking pixels. Because our cookies are strictly necessary for the functioning of the service, no cookie consent banner is required.
6. Third-Party Services and Data Processing
We share data with the following third-party providers only as necessary to operate the service:
- Stripe — payment processing. Stripe receives your billing information directly. See Stripe's Privacy Policy.
- Sentry — error monitoring. Receives technical error data only; we have disabled the collection of personal data. See Sentry's Privacy Policy.
- Email service providers (Klaviyo, Customer.io, Iterable) — we connect to these platforms at your direction to sync audience data, write profile properties, push email templates, and receive engagement events.
Our role as data processor
When you connect an ESP integration, Liftstack acts as a data processor (under GDPR) or service provider (under CCPA) for your subscribers' personal data. This means:
- We process subscriber data only on your instructions and solely to provide the A/B testing service
- We do not sell, rent, or share subscriber data with third parties for their own purposes
- We do not use subscriber data for our own marketing, profiling, or analytics beyond what is necessary to operate the service for you
- We store subscriber data using encryption at rest and in transit
- We restrict access to subscriber data to personnel who need it to operate the service
- We will delete or return subscriber data upon termination of your account, in accordance with section 7
If you require a formal Data Processing Agreement (DPA) for compliance purposes, please contact us at [email protected].
Sub-processors
Subscriber data processed through Liftstack may be stored or transmitted via the following sub-processors:
- Railway — application hosting and database infrastructure
- Your connected ESP (Klaviyo, Customer.io, or Iterable) — we read from and write back to your ESP account at your direction
7. Data Retention
Your account data
We retain your account data (username, email, preferences) for as long as your account is active. If you delete your account or request data erasure, we will remove your personal data within 30 days, except where retention is required by law.
Subscriber data from integrations
Audience snapshots, engagement events, and assignment records are retained for the lifetime of the associated campaign. When a campaign is deleted or your workspace is closed, associated subscriber data is removed within 30 days. You may also request early deletion of subscriber data by contacting us.
Analytics data
Aggregated analytics results (conversion rates, variant performance, Bayesian posteriors) are retained for the lifetime of your workspace. These results do not contain individual subscriber personal data.
8. Your Rights
Under GDPR / UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data
- Data portability — receive your data in a structured, machine-readable format
- Restrict processing — request that we limit how we use your data
- Object — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for marketing communications at any time via your account settings
Under CCPA (California residents)
You have the right to:
- Know — request disclosure of the personal information we collect, use, and share
- Delete — request deletion of your personal information
- Opt out of sale — we do not sell your personal information
- Non-discrimination — exercise your rights without receiving discriminatory treatment
To exercise any of these rights, contact us at [email protected].
9. International Data Transfers
Your data may be processed in the United States and the European Economic Area. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the relevant authorities.
10. Children's Privacy
Liftstack is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the platform. We encourage you to review this page periodically.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].