Back to DeskStack
Privacy & Data

Your data, kept the way
we’d want ours kept.

DeskStack is built for solo and freelance recruiters. The data you put in is your book of business — we treat it like that. Here’s exactly what we collect, why, and what control you have over it.

Last updated: June 21, 2026

1. What data we collect

We collect only what we need to run your workspace:

  • Account details — your name, email address, and password hash (we never store plaintext passwords).
  • Sourcing data — candidates and clients you save, including the contact details (email, phone, current role, company) returned by our enrichment providers when you spend a credit.
  • Pipeline activity — interviews, notes, stage changes, and files you upload to candidate or client records.
  • Email sequencing data — the sequences you author, the contacts you enroll, the rendered subjects and bodies of sent messages, and the status returned by our email provider.
  • Billing metadata — your subscription tier and Stripe customer ID. We never see or store your card number.
  • Basic telemetry — server logs that include IP, user agent, and the route accessed. Used for debugging and abuse detection only.

2. How email sequencing works

When you enroll a candidate or client in a sequence, DeskStack sends the emails on your behalf through Resend — a transactional email service. The technical details:

  • From address. Every sequence email is sent from outreach@updates.deskstack.net using DeskStack’s authenticated domain (SPF + DKIM signed). This keeps deliverability strong and protects your personal address from being burned.
  • Reply-To address. The Reply-To header is set to your account email, so when a candidate or client hits reply, the response lands directly in your inbox — not ours.
  • Content. Subjects and bodies are rendered from the templates you wrote, with merge tags resolved against the saved contact record. We do not edit, append to, or scan the body content.
  • Logs. For each send we store the recipient, subject, a body preview, the provider message ID, and the send status. This is the audit trail you see inside the sequence’s activity view.
  • Unsubscribes. Every recipient can opt out at deskstack.net/unsubscribe. Once a recipient unsubscribes, DeskStack blocks all future sequence sends to that address across every workspace and auto-unenrolls them from any active sequence.

3. Third-party services we use

DeskStack relies on a small number of trusted sub-processors. None of them receive your data for their own marketing purposes:

  • Resend — sends outbound sequence emails on our behalf from updates.deskstack.net. Resend processes the recipient address, subject, body, and headers required to deliver the message.
  • Stripe — processes paid subscriptions (Gold and Platinum). Card data is collected directly by Stripe’s hosted checkout and never touches our servers.
  • Totalum — the underlying database and file storage platform that hosts your workspace data.
  • Enrichment providers — when you spend a credit to enrich a candidate or client, we query our enrichment partners and store only the fields returned for that specific record.

4. Your rights and choices

You can, at any time:

  • Access the data we hold on you — most of it is visible right inside the app.
  • Export your candidates, clients, and pipeline as CSV from the relevant list view.
  • Correct any inaccurate field on a candidate, client, or account record from the in-app editor.
  • Delete your account and all associated workspace data by emailing contact@deskstack.net. We remove your records within 30 days.
  • Unsubscribe from sequence emails sent via DeskStack at deskstack.net/unsubscribe. The opt-out is global across all DeskStack senders.

If you’re in the EU/EEA or UK, you also have the rights described in GDPR/UK GDPR, including the right to object and the right to lodge a complaint with your local supervisory authority.

5. How long we keep your data

  • Workspace records (candidates, clients, sequences, logs) — retained for as long as your account is active.
  • After account deletion — removed from primary databases within 30 days. Encrypted backups roll off within 90 days.
  • Sequence email logs — retained for 24 months to support deliverability monitoring and dispute resolution, then purged.
  • Unsubscribe records — retained indefinitely. We keep your opt-out on file forever so we never accidentally email you again.
  • Billing records — retained for the period required by tax and accounting laws (typically 7 years).

6. Security

Workspace data is encrypted in transit (TLS 1.2+) and at rest. Access is limited to a small number of engineers on a need-to-know basis. Passwords are hashed with a modern algorithm — never stored or transmitted in plaintext. We log administrative access.

No system is perfectly secure. If you discover a vulnerability, please report it to contact@deskstack.net — we’ll work with you in good faith.

7. International transfers

DeskStack and its sub-processors operate primarily in the United States and the European Union. By using DeskStack you understand that data may be processed in jurisdictions outside the one you live in. Where required by law we rely on Standard Contractual Clauses with our sub-processors.

8. Children

DeskStack is a B2B product for professional recruiters. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, email contact@deskstack.net and we’ll remove the account.

9. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-app or by email at least 14 days before they take effect. The “last updated” date at the top always reflects the current version.

10. Contact us

Questions, data requests, or privacy concerns — write to contact@deskstack.net. A human reads every message.

Received an email you don’t want?
You can opt out of all DeskStack-relayed sequence emails in one click at deskstack.net/unsubscribe. No login required.