Privacy Policy

Effective Date: February 1, 2026 | Last Updated: February 1, 2026

Introduction

This Privacy Policy ("Policy") describes how GullStack Trust, doing business as "SuperTool" and "Augment Advertise" ("Company," "GullStack," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with the SuperTool platform and related services (collectively, the "Service"). This Policy applies to all users of our Service, including Subscribers (business customers who subscribe to our platform), their Authorized Users, and End Users (visitors to websites hosted through our platform).

We are committed to protecting the privacy and security of information entrusted to us. We encourage you to read this Policy carefully to understand our practices regarding your information.

IMPORTANT NOTICE REGARDING HEALTHCARE DATA: GullStack Trust is NOT a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act ("HIPAA"). Our Service is not designed for the storage or processing of Protected Health Information ("PHI"). See Section 11 for important details.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are a Subscriber, you agree to make this Privacy Policy (or your own compliant privacy policy) available to your End Users.

1. Information We Collect

We collect information in several categories, depending on how you interact with our Service.

1.1 Information Provided by Subscribers (Account Information)

When a Subscriber registers for and uses our Service, we collect:

Account registration data: Name, email address, phone number, business name, business address, professional license information (if provided), and other registration details.
Billing and payment information: Billing name, billing address, and payment method details. Note: Full credit card numbers are collected and processed directly by our payment processor, Stripe, and are not stored on our systems. See Section 5.
Business information: Practice name, specialty, business type, website preferences, branding materials (logos, images, brand colors), and business descriptions.
Communication records: Correspondence with our support team, concierge requests, feature requests, and feedback.
Authorized User information: Names and email addresses of individuals the Subscriber designates as Authorized Users.

1.2 Customer Data Uploaded by Subscribers

Subscribers may upload, import, or input data about their own customers ("Customer Data") into the Service, including:

Customer names, email addresses, phone numbers, and mailing addresses.
Customer communication preferences and marketing consent records.
Customer interaction history and notes.
Data imported via CSV files or manual entry.

Important: We process Customer Data on behalf of our Subscribers as a service provider/data processor. Subscribers are solely responsible for the lawfulness of the Customer Data they upload, including obtaining all necessary consents. See Section 11 regarding restrictions on uploading health-related data.

1.3 Information Collected Automatically (Usage Data)

When you access or use the Service (including Subscriber Websites), we automatically collect:

Device and browser information: IP address, browser type and version, operating system, device type, device identifiers, screen resolution, and language preferences.
Usage information: Pages viewed, features used, actions taken within the Platform, clickstream data, session duration, and referring/exit URLs.
Log data: Server logs recording access timestamps, requested URLs, response codes, and data transferred.
Location data: Approximate geographic location derived from IP address (city/region level; we do not collect precise GPS coordinates).

2. How We Use Information

We use the information we collect for the following purposes:

2.1 Service Delivery and Operations

Providing, maintaining, and operating the Service, including website hosting, analytics reporting, email/SMS delivery, payment processing facilitation, and concierge services.
Creating, managing, and authenticating Subscriber accounts.
Processing and fulfilling Subscriber requests, including website modifications and content updates.
Deploying and managing Subscriber Websites through our hosting infrastructure.
Facilitating payment processing through Stripe Connect.
Delivering email campaigns through AWS SES and SMS campaigns through Twilio on behalf of Subscribers.

2.2 Analytics and Reporting

Generating analytics reports and dashboards for Subscribers based on Google Analytics data.
Providing SEO analysis and recommendations.
Producing aggregate usage statistics and performance metrics.
Analyzing service usage patterns to optimize platform performance.

2.3 Billing and Financial Operations

Processing subscription payments and transaction fees.
Managing billing, invoicing, and collections.
Detecting and preventing fraudulent transactions.
Complying with financial reporting and tax obligations.

2.4 Security and Fraud Prevention

Protecting the security and integrity of the Service, our systems, and our users.
Detecting, preventing, and responding to security incidents, fraud, abuse, and violations of our Terms of Service.
Monitoring for unauthorized access, malicious activity, and policy violations.

3. How We Share Information

We do not sell Personal Information. We share information only in the following circumstances:

3.1 Third-Party Service Providers

We share information with third-party service providers who process data on our behalf to help us deliver the Service. These providers are contractually obligated to use the information only for the purposes for which it is disclosed and to maintain appropriate security measures.

Provider	Purpose	Data Shared
Stripe	Payment processing	Subscriber billing data, transaction data, End User payment data
Amazon Web Services (AWS)	Cloud infrastructure, email delivery (SES)	Subscriber data, Customer Data, email content and recipient addresses
Twilio	SMS messaging	Phone numbers, SMS content
Google (Analytics)	Website analytics	End User browsing data, device information, usage patterns
Vercel	Website hosting and deployment	Subscriber Website content, domain configurations, access logs

3.2 Legal Obligations

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or other legal process, and to protect the rights, property, or safety of GullStack Trust, our users, or the public.

3.3 Business Transfers

In connection with any merger, acquisition, sale of assets, financing, reorganization, bankruptcy, or similar transaction, Personal Information may be transferred to the acquiring entity. We will use reasonable efforts to ensure that the acquiring entity is bound by similar privacy obligations.

5. Payment Data

5.1 Payment Processing

We use Stripe, Inc. ("Stripe") as our payment processor. When you provide payment information through our Service:

Credit card numbers, debit card numbers, CVV codes, and full card details are collected and processed directly by Stripe. This data is transmitted directly from your browser to Stripe's servers using Stripe's PCI-DSS compliant infrastructure. We do not receive, access, store, or process full card numbers on our systems.
We receive and store limited payment information from Stripe, including: the last four digits of the card number, card brand (Visa, Mastercard, etc.), expiration date, billing address, and transaction identifiers.
Transaction records, including amounts, dates, descriptions, and status, are stored in our systems for billing and record-keeping purposes.

5.2 PCI-DSS Compliance

We rely on Stripe's PCI-DSS Level 1 certification for the secure handling of cardholder data. Our integration with Stripe is designed to minimize our PCI-DSS scope by ensuring that full cardholder data is never transmitted through or stored on our servers.

5.3 Stripe Connect

For Subscribers who use payment processing features, we facilitate payments through Stripe Connect. Subscriber payout information and connected account details are managed by Stripe in accordance with the Stripe Privacy Policy and Stripe Connected Account Agreement.

6. Data Retention

6.1 General Retention Principles

We retain Personal Information only for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

6.2 Specific Retention Periods

Data Category	Retention Period
Account registration data	Duration of the account plus 30 days after termination
Customer Data	Duration of the Subscriber's account plus 30 days, then deleted
Billing and transaction records	7 years from the date of the transaction (tax/accounting)
Usage and analytics data	26 months from the date of collection
Server and access logs	90 days
Google Analytics data	14 months (per Google's retention settings)

7. Data Security

7.1 Security Measures

We implement and maintain administrative, technical, and physical security measures designed to protect Personal Information from unauthorized access, disclosure, alteration, loss, and destruction. These measures include:

Technical Safeguards:

Encryption of data in transit using TLS 1.2 or higher.
Encryption of sensitive data at rest using AES-256 or equivalent encryption standards.
Secure authentication mechanisms, including password hashing using industry-standard algorithms.
Network security controls, including firewalls, intrusion detection/prevention systems, and network segmentation.
Regular security assessments and vulnerability scanning.

Administrative Safeguards:

Role-based access controls limiting access to Personal Information to authorized personnel on a need-to-know basis.
Employee and contractor security awareness training.
Documented security policies and procedures.

7.2 Limitations

While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information. You acknowledge that you provide information at your own risk.

8. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your Personal Information:

Right of Access: Request confirmation of whether we process your Personal Information and access to that information.
Right to Correction: Request correction of inaccurate or incomplete Personal Information.
Right to Deletion: Request deletion of your Personal Information, subject to certain exceptions.
Right to Data Portability: Request a copy of your Personal Information in a structured, machine-readable format.
Right to Opt Out of Marketing: Opt out of receiving marketing communications at any time.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

How to Exercise Your Rights

To exercise any of the rights described above, please submit a request to us using the contact information provided in Section 17. We will respond to your request within the timeframe required by applicable law (generally within 45 days for CCPA requests, 30 days for GDPR requests).

11. HIPAA Notice and Healthcare Data

GullStack Trust is NOT a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and its implementing regulations. We are a technology platform that provides general-purpose business management and marketing tools. We do not provide healthcare services, health plans, or healthcare clearinghouse services.

11.2 We Are Not a Business Associate

GullStack Trust does NOT operate as a "business associate" under HIPAA. Our Service is not designed, intended, or authorized for the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") or electronic Protected Health Information ("ePHI"). We do not enter into Business Associate Agreements ("BAAs") with Subscribers.

11.3 Service Limitations

Our Service provides general-purpose tools including website hosting, email/SMS marketing, customer contact management, analytics, and payment processing. These tools are NOT designed for:

Storage or transmission of medical records, clinical notes, or treatment information.
Management of patient health information or medical histories.
Processing of health insurance claims or benefits information.
Any purpose that would constitute the creation, receipt, maintenance, or transmission of PHI.

11.4 Subscriber Responsibilities

Subscribers who are HIPAA covered entities (such as healthcare providers, including plastic surgeons and other medical professionals) are solely responsible for ensuring HIPAA compliance in their own practices and for NOT uploading PHI to the Service.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us:

GullStack Trust
d/b/a SuperTool, d/b/a Augment Advertise

Data Protection Contact:
Email: josh@augmentadvertise.com
Subject Line: "Privacy Inquiry"

Privacy Rights Requests:
Email: josh@augmentadvertise.com
Subject Line: "Privacy Rights Request — [Your Name]"

Location: Utah, United States

We will make every effort to respond to your inquiry within a reasonable timeframe and in accordance with applicable law.