Back to home

Privacy Policy

Last updated: May 2026

Summary

Namestack works without an account. If you choose to sign in with Google, we store a small amount of data so your saved workspace defaults persist across devices. You can view, export, or delete everything we hold on you at any time from your account page.

Who runs this site

Namestack is operated by the Namestack team. You can reach the controller at support@offstack.com for any privacy request.

What we collect, and why

When you sign in with Google:

  • Google account identifier (sub) — identifies you across sign-ins. Legal basis: contract (required to provide the service).
  • Email — identifies your account. Legal basis: contract.
  • Display name & profile picture URL — shown in your navbar and account page. Optional. You can clear these from your account page while keeping the account. Legal basis: legitimate interest.
  • Account timestamps (created, last sign-in) — for account management. Legal basis: legitimate interest.

When you save workspace defaults (TLD set, prefixes, suffixes):

  • The TLD list, prefix string, and suffix string, loaded into the workspace when you click “Use saved default”. Optional, clear them from the account page. Legal basis: legitimate interest.

We do not store: IP addresses (beyond short-lived rate-limit counters), Google access or refresh tokens, search history, domain-check results, or anything outside the fields listed above.

Cookies

We set two cookies, both strictly necessary, no banner required:

  • ns_session — signed JWT identifying your session. 30-day expiry, HttpOnly, SameSite=Lax.
  • ns_oauth_state — CSRF nonce during Google sign-in. 10-minute expiry, HttpOnly, SameSite=Lax.

Your browser also stores a theme preference and workspace state in its own local storage. That data never leaves your device.

Who we share data with

Two processors, both contractually bound to handle data only on our instructions:

  • Google, for sign-in. Scopes requested: email + profile only. See Google's privacy policy.
  • Cloudflare, hosts the site, database, edge functions, and the Workers AI model that ranks names against your brief. When you use the AI generator, your brief text is sent to the Workers AI embedding model (@cf/baai/bge-small-en-v1.5) and discarded after the request completes; we do not store the brief, the model output, or any tie between you and either. Cloudflare's Data Processing Addendum includes Standard Contractual Clauses for international transfers.

We do not sell or rent personal data, and we do not use it for advertising or profiling.

Analytics

We use Cloudflare Web Analytics, cookieless and aggregated. No individual users are tracked and no profiles are built.

How long we keep your data

As long as your account exists. When you delete your account from the account page, your user record and every saved default are removed immediately and irreversibly.

Your rights

Under GDPR, UK GDPR, and similar laws elsewhere, you have the right to:

  • Access your data, shown on the account page and available as a JSON export.
  • Rectification, email and name come from Google; update them there.
  • Erasure, delete your account from the account page; hard-delete, no grace period.
  • Portability, the “Export my data” button downloads everything we hold as JSON.
  • Object to processing, delete your account to withdraw consent entirely.
  • Complain to your local supervisory authority. In the EU, find yours at edpb.europa.eu/members. In the UK, contact the ICO.

Email support@offstack.com for any request we can't resolve through the account page.

Changes to this policy

Material changes are announced at the top of this page with a new “Last updated” date. Non-material clarifications may be made without notice.

Contact

Questions? Reach us at support@offstack.com.