Last updated: March 9, 2026
SupStack is an experimental supplement research tool operated by Baher Alhakim, currently in the process of being established as a non-profit association (Verein) in Austria. We take your privacy seriously and collect only the minimum data needed to provide the service. This policy explains what we collect, why, and how it is handled.
The data controller responsible for your personal data is:
Baher Alhakim
(pending: SupStack Verein, Austria)
Email: hello@supstack.me
Once the Verein registration is complete, the association will assume the role of data controller.
When you create an account, we store your email address for authentication. We use magic link sign-in — we never see or store a password.
If you choose to fill in your health profile, we store information you provide such as age, weight, biological sex, health goals, health conditions, and medications. This data is used solely as a filter to refine which existing information is shown to you — for example, surfacing relevant safety warnings or narrowing supplement lists to match your selected goals. It functions as a refined search, not a personalization engine. No new content or individualized clinical assessments are generated from your profile. It is never used for clinical decision-making and is not shared with third parties.
Your saved supplement stack, dosage notes, and experiment check-in responses are stored in your account to provide the service. Experiment verdicts are generated locally from your self-reported data.
We use Vercel Analytics and Vercel Speed Insights to understand aggregate usage patterns and page performance. These are privacy-focused, first-party analytics tools. They do not use cookies and do not track individual users across sites. No personal data is sent to Vercel Analytics.
If you use the Telegram bot or phone agent, conversation history is stored to provide continuity. Telegram user IDs are stored for account linking. Phone call transcripts from ElevenLabs are logged for quality purposes and are not shared externally.
AI processing disclosure: Telegram and phone conversations are processed by AI language models (Anthropic Claude for text, ElevenLabs for voice). Your messages are sent to these providers in real time to generate responses. These providers may process your data under their own privacy policies. We do not use your conversations to train AI models.
We do not sell, rent, or share your personal data with third parties. We do not use your data for advertising. We do not use your health data to make clinical decisions.
Under the EU General Data Protection Regulation (GDPR), we process your data on the following legal bases:
Health-related profile data (conditions, medications) is processed under explicit consent (Art. 9(2)(a)) as a special category of data. This data is used only as a content filter and is never used for profiling, automated decision-making, or clinical purposes.
Automated decision-making (Art. 22): SupStack does not engage in automated decision-making that produces legal or similarly significant effects. Experiment verdicts are algorithmic summaries of your own self-reported data, provided for personal reflection only. They carry no legal, medical, or binding significance.
Your data is stored in Supabase (hosted on AWS infrastructure) with row-level security policies that restrict access to your own data. Authentication is handled by Supabase Auth. All data is transmitted over HTTPS.
SupStack is a beta project: we implement reasonable security measures but cannot guarantee absolute security. Do not store highly sensitive information (financial data, government IDs) in your SupStack profile.
Data breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority within 72 hours (per GDPR Art. 33) and inform affected users without undue delay (per GDPR Art. 34).
SupStack uses only essential cookies for authentication (Supabase session tokens). We do not use advertising cookies, tracking cookies, or third-party cookies. Local storage is used to save UI preferences like your supplement goal selection.
We use the following third-party services:
Each service has its own privacy policy. We only share the minimum data required for each service to function.
Some of the third-party services listed above may process your data outside the European Economic Area (EEA). Specifically:
Where data is transferred outside the EEA, these providers rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions. We only share the minimum data necessary for each service to function.
SupStack is for adults (18+) only. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with data, please contact us and we will delete it.
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at hello@supstack.me. We will respond without undue delay and in any event within one month.
During beta, data may also be deleted as part of development updates. We will try to notify users before any planned data resets.
We retain your data for as long as your account is active. If you delete your account, all associated data (profile, stack, experiments, conversations) will be permanently deleted. Aggregate, anonymized analytics data may be retained.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The relevant authority for SupStack is:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42, 1030 Vienna, Austria
Website: www.dsb.gv.at
We may update this policy as the project evolves. Material changes will be noted on the What's New page. Continued use after changes constitutes acceptance.
Questions about your privacy? Contact Baher Alhakim at hello@supstack.me or via the About page.