Privacy Policy
1. Data Controller
stoklyst is operated by MedinaSoft, a company based in Spain. MedinaSoft acts as the data controller for personal data collected through the stoklyst platform and website (collectively, the "Service").
For any privacy-related enquiries, please contact us at privacy@stoklyst.com.
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address.
- Business name and country.
- Password (stored as a one-way hash; we never store it in plain text).
- Profile information you choose to provide (e.g. phone number, company logo).
2.2 Usage Data
We collect information about how you use the Service, including:
- Log data: IP address, browser type, pages visited, timestamps.
- Feature usage: which features you access and how frequently.
- Device information: operating system, screen resolution, and locale settings.
2.3 Customer Data (your business data)
The inventory records, product information, sales data, and other operational content you enter into the Service ("Customer Data") belong to you. We process Customer Data only to provide the Service and do not use it for any other purpose.
2.4 Billing Information
Payment processing is handled by Paddle, our merchant of record. We do not store your full payment card details. We receive from Paddle only high-level billing information such as plan name, subscription status, and billing country, for the purpose of managing your account.
3. How We Use Your Data
We use the personal data we collect for the following purposes:
- Providing the Service: account management, authentication, and delivery of subscribed features.
- Billing: coordinating with Paddle to process payments and generate invoices.
- Customer support: responding to your requests and troubleshooting issues.
- Service communications: sending transactional emails (e.g. account confirmation, password reset, trial expiry reminders).
- Security: detecting and preventing fraud, abuse, and unauthorised access.
- Product improvement: analysing aggregated, anonymised usage patterns to improve the Service.
4. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Service you have subscribed to.
- Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, fraud prevention, and improving the Service.
- Legal obligation (Art. 6(1)(c) GDPR): retaining billing records as required by applicable law.
- Consent (Art. 6(1)(a) GDPR): for optional communications such as product newsletters, where we obtain your explicit opt-in.
5. Data Storage and Security
The Service runs on Google Cloud Platform. We use EU-based Google Cloud regions wherever technically feasible. Data may be transferred outside the EU only where appropriate safeguards are in place (e.g. Standard Contractual Clauses).
We implement commercially reasonable technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, role-based access controls, and regular security reviews.
6. Data Retention
We retain your personal data for as long as your account is active. After account deletion, we retain your data for a maximum of 30 days before permanently and irreversibly deleting it, unless a longer retention period is required by law (e.g. billing records required for tax purposes, which may be retained for up to 7 years).
You can request immediate deletion of your account and data by contacting us at privacy@stoklyst.com.
7. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the UK, you have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transfer it to another provider.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to restrict processing (Art. 18): request that we limit how we use your data in certain circumstances.
- Right to withdraw consent (Art. 7(3)): withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@stoklyst.com. We will respond within 30 days.
8. Third-Party Processors
We work with the following third-party service providers, each of whom processes personal data on our behalf under a Data Processing Agreement:
| Provider | Purpose | Data processed |
|---|---|---|
| Google (Firebase) | Authentication, database, hosting | Account data, Customer Data, usage logs |
| Paddle | Payment processing, billing, merchant of record | Name, email, billing address, payment method |
| Resend | Transactional email delivery | Name and email address |
We do not sell your personal data to any third party. We do not use your data for advertising or behavioural profiling.
9. Cookies
stoklyst uses only essential and functional cookies — those strictly necessary for authentication, session management, and security. We do not use advertising cookies or third-party tracking cookies for profiling purposes.
By using the Service, you consent to the use of these essential cookies. You may disable cookies in your browser settings, but doing so will prevent you from logging in and using the Service.
10. Children's Privacy
The Service is intended for business users and is not directed at children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the "Last updated" date above. Continued use of the Service after the effective date of a change constitutes acceptance of the revised policy.
12. Supervisory Authority
If you believe we have processed your personal data in a manner inconsistent with applicable law, you have the right to lodge a complaint with the relevant data protection supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
13. Contact
For any questions or requests relating to this Privacy Policy or your personal data, please contact us at privacy@stoklyst.com.
stoklyst is operated by MedinaSoft, Spain.