Legal
Privacy Policy.
Last updated: 29 June 2026
Control Stack is a free Australian security and AI governance controls library operated by Mindset Cyber PTY LTD (ABN 55 668 364 261). This policy explains what data the Control Stack website (controlstack.au) and the Control Stack mobile app collect, how we use it, where it is stored, and your choices.
Browsing the controls library is free and does not require an account. Control Stack also offers an optional compliance tracker (a personal dashboard, per-framework progress, remediation tasks and an audit countdown). The tracker requires a free account, and using it means some of your data is saved to our servers and synced across your devices, as described below.
Information we collect
When you browse the website: our hosting provider (Cloudflare) records standard server logs including your IP address, browser type, referring page, and the URLs you request. We use Google Analytics 4 to measure aggregate, anonymised usage of the website (page views, sessions, device type, country). IP addresses are anonymised before being stored in Google Analytics, and Google Analytics runs on the website only, not inside the mobile app.
Product analytics and diagnostics (website and app): we use PostHog to understand how the product is used. PostHog captures page views and in-product interactions, and records anonymised session replays in which all form inputs are masked. We also use Sentry to capture crash and error diagnostics so we can fix problems. Both PostHog and Sentry run on both the website and inside the mobile app. A PostHog person profile is only created once you sign in.
In the mobile app: the app loads pages from controlstack.au inside a native shell. Google Analytics is disabled inside the app; PostHog and Sentry are not. The app also uses on-device storage to remember bookmarks and recently viewed controls, and to detect that you are using the app (see "Cookies and local storage").
When you create an account (optional): to use the compliance tracker you create a free account. We collect your email address and an account identifier. If you sign in with Google or Apple, we receive the basic profile information those providers share with us (such as your name and email); if you use Apple's "Hide My Email", Apple gives us a private relay address instead of your real one. Authentication is handled by Supabase Auth, and you can sign in with Google, Apple, an email address and password, or a one-time magic link. We send you account and authentication emails (for example, magic links and password resets).
Tracker content you create: when you use the tracker we store the frameworks you choose to track, the implementation status you set for each control (implemented, in progress, or not started), any remediation tasks and due dates you create, your target audit date, and the progress statistics calculated from them. This information is saved to your account and synced across the devices where you sign in.
We do not require an account to browse, and we do not collect names or email addresses from people who only browse the library.
How we use information
- To operate, secure, and improve the Control Stack website and app.
- To provide the compliance tracker and sync your progress across your devices.
- To understand which controls and frameworks people find most useful, and to improve the product (analytics).
- To diagnose crashes and errors so we can fix them.
- To send you account, sign-in, and authentication emails.
- To respond to enquiries you send us by email.
We do not sell, rent, or share personal information with third parties for marketing.
Where your data is stored
Your account and compliance-tracker data is stored in our database, hosted by Supabase in Australia. Sign-in sessions are handled with the help of Cloudflare. Our analytics and error-monitoring providers, PostHog and Sentry, process usage and diagnostic data on servers in the United States. This means some of your data is disclosed to and processed by service providers outside Australia. By using Control Stack you consent to this overseas processing, and we take reasonable steps to use reputable providers that protect your information.
Cookies and local storage
The website uses Google Analytics and PostHog cookies to measure aggregate usage. If you sign in, we set a cookie to remember that you are signed in. The mobile app uses on-device storage (sessionStorage and Preferences) to remember your bookmarks and recently viewed controls, to detect that you are using the app, and to keep you signed in. Bookmarks and recently viewed controls stay on your device; your compliance-tracker data is synced to your account on our servers.
Third-party services
- Cloudflare — hosting, content delivery, and sign-in session handling (server logs, security).
- Supabase — account authentication and the compliance-tracker database (hosted in Australia).
- Google Analytics 4 — aggregate, anonymised website usage (website only, not the app).
- PostHog — product analytics and masked session replay, on the website and in the app (processed in the United States).
- Sentry — crash and error diagnostics, on the website and in the app (processed in the United States).
- Google and Apple — sign-in identity providers, used only if you choose to sign in with them.
How long we keep your data
We keep your account and compliance-tracker data for as long as your account is active. When you delete your account, we delete this data (see "Deleting your account and data"). Analytics and diagnostic data is retained according to our providers' settings, and server logs are kept only for a short period for security and troubleshooting.
Your rights
Under the Australian Privacy Principles you may request access to, or correction of, the personal information we hold about you. If you hold an account, this includes your account details and the data in your compliance tracker, which you can also view and change in the app. You can delete your account and its data at any time, and you may contact us using the address below with any privacy request.
Deleting your account and data
You can delete your account at any time from inside the app, under Settings → Account → Delete account. Deleting your account permanently removes your profile and all of your compliance-tracker data (your framework selections, statuses, tasks, due dates and audit dates). If you would prefer, you can ask us to delete your account by emailinginfo@controlstack.aufrom your account email address. See ouraccount deletion pagefor full details. We action deletions within 30 days; copies may persist briefly in encrypted backups before they are overwritten.
Children
Control Stack is intended for adult cyber security and compliance professionals and is not directed at children.
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent revision.
Contact us
If you have questions about this policy or how Control Stack handles data, contact us atinfo@controlstack.au.