Does TravelStacks sell my data?

No. We do not sell or share data with marketing brokers, advertising networks, or third-party data aggregators. Data is shared only with airline portals, regulators, and required service providers (payment processor, email, SMS) to file your claim.

Where is my data stored?

On US infrastructure: Vercel for application hosting, Neon for database, Stripe for payments, Clerk for authentication, Resend for email, Telnyx for SMS. All providers are US-based and SOC 2 Type II compliant.

Can I delete my data after my claim is closed?

Yes. Email privacy@travelstacks.com to request full deletion. We honor CCPA and GDPR deletion rights subject to legal retention (tax records require 7 years; anything beyond that is deleted on request).

How long do you keep my claim data?

Active claims: until closure plus 2 years. Closed claims are anonymized after 2 years. Payment records retained 7 years for tax compliance. Account data retained until account deletion request.

What happens to my data if there is a breach?

We notify affected users within 72 hours per CCPA and GDPR. State attorneys general and EU DPAs are notified per applicable timelines. Forensic report and remediation measures are shared with affected users.

Do you collect Social Security Number?

No. SSN is not required for any claim. We collect only the minimum data needed to file your claim with the airline and regulators.

Can I see what data you have about me?

Yes. Email privacy@travelstacks.com to request access. We respond within 30 days with a complete summary of all data we hold about you, in machine-readable format if you prefer.

← Back to blog

TipsApril 29, 2026•9 min read

TravelStacks Privacy Policy Explained: What We Do With Your Data

Q: Do you use my data for marketing?

Only if you opt in to marketing emails. We do not run Google Ads remarketing or Facebook Pixel on user PII. Analytics is limited to aggregate page-view data via Google Analytics 4.

Loren Castillo

Founder, TravelStacks

TravelStacks privacy policy data handling is built around a simple principle: collect only what is needed to file your flight compensation claim, store it on US infrastructure, and never sell or share it for marketing purposes. This guide explains the specific data we collect, why each piece is necessary for the claim, how long we keep it, and your rights to access, correct, or delete it.

TravelStacks Privacy Policy Data: The Plain-Language Summary

TravelStacks privacy policy data handling follows three principles: collect only the minimum required to file your claim, store it on US infrastructure (Vercel and Neon, both US-based), and never sell or share it with marketing brokers. This page explains the specific categories of data we collect, why each piece is needed, who we share it with (only the airline and regulators), and your rights under California Consumer Privacy Act (CCPA) and the GDPR equivalents for EU users.

Your data is the claim file. We treat it like the regulators do. Boarding passes, FIDS photos, payment method evidence, and contact details are necessary to file. Nothing else is collected.

What We Collect and Why

›
Name, email, phone: required to file a claim with the airline and to communicate updates. Carrier portals require these fields.
›
Flight details (booking reference, flight number, dates, airports): required to identify the disrupted flight in the carrier's system.
›
Payment method details (last 4 digits, payment processor): required to verify your refund eligibility under 14 CFR Part 260 (refund must go to original payment method).
›
Boarding pass, FIDS photo, carrier emails (uploaded): required as evidence for claim filing.
›
Bank account or card details for receiving payout: required only if you opt for direct payment routing through TravelStacks.
›
Optional: passport for international claims, travel insurance policy details, employer information for business claims: only when relevant to the specific claim.

What We Do Not Collect

›
Social Security Number (not needed for any claim).
›
Driver's license number (not needed unless required by a specific regulatory body for verification, which is rare).
›
Browsing history outside of the claim filing flow.
›
Location data beyond the airport codes you provide.
›
Marketing preferences (we do not run marketing campaigns based on individual data).
›
Health or disability information unless you proactively provide it for accommodations.

Where Your Data Is Stored

TravelStacks runs on US infrastructure:

›
Application hosting: Vercel (US-based, SOC 2 Type II compliant).
›
Database: Neon PostgreSQL (US-based).
›
Email: Resend (US-based, SOC 2 Type II compliant).
›
SMS: Telnyx (US-based, 10DLC carrier registered).
›
Payment processing: Stripe (US-based, PCI DSS Level 1 compliant).
›
Authentication: Clerk (US-based, SOC 2 Type II compliant).

No data is sent to third-party advertising networks. We do not run Google Ads remarketing or Facebook Pixel on user PII. Analytics is limited to aggregate page-view data via Google Analytics 4.

Third-Party Processors and What They See

›
Airline portals (American, United, Delta, etc.): receive your name, contact info, flight details, evidence files. Necessary to file the claim.
›
DOT and national enforcement bodies (CAA, AESA, LBA): receive your name, flight details, and complaint narrative on escalation.
›
Stripe: receives payment processor data to handle refund routing and service fee collection.
›
Clerk: handles authentication; sees email and login state.
›
Resend: sends transactional email; sees email address and message content.
›
Telnyx: sends SMS notifications; sees phone number and message content.
›
No marketing data brokers: we do not share with Acxiom, Experian, or similar.

How Long We Keep Your Data

›
Active claim: data is retained until claim closure plus 2 years (matches the typical statute of limitations for related claims).
›
Closed claim: anonymized after 2 years; PII deleted unless required by tax or legal hold.
›
Account data: retained until account deletion request.
›
Payment records: retained 7 years for tax compliance.
›
Marketing emails (you opted in): retained until unsubscribe.
›
Anonymized analytics: retained indefinitely (aggregate, no PII).

Your Rights Under CCPA and GDPR

›
Right to access: request a copy of all data we hold about you. Email privacy@travelstacks.com.
›
Right to correct: request corrections to inaccurate data.
›
Right to delete: request deletion of all PII, subject to legal retention requirements.
›
Right to data portability: receive your data in machine-readable format.
›
Right to opt out of sale: we do not sell data, so this is automatic. You can confirm via privacy@travelstacks.com.
›
Right to non-discrimination: exercising privacy rights does not affect claim filing.

How We Handle Data Breaches

1
Detection: continuous monitoring on all infrastructure providers (Vercel, Neon, Stripe, Clerk).
2
Containment: any detected breach triggers immediate access revocation and forensic investigation.
3
Notification: affected users notified within 72 hours per CCPA and GDPR requirements.
4
Remediation: full forensic report and corrective measures documented and shared with affected users.
5
Regulatory: state attorney general and EU DPA notified per applicable timelines.

Get Started With Confidence

Privacy is a baseline, not a feature. Your data is what makes your claim file. We treat it accordingly. For more on the actual claim process, see from claim to cash: the exact TravelStacks process explained, is TravelStacks legit: how we work, and the EU261 passenger rights pillar. Start a claim.

Think your flight qualifies?

Check in 30 seconds. Free to find out.

Check my flight