Privacy policy

Your privacy at Stoki

Last updated: 21 May 2026

1. Introduction

This Privacy Policy explains how Stoki collects, uses, and protects the personal data of people who use our service. It applies to the Stoki web application and any related services.

We are a sole trader based in London, United Kingdom, operating under English & Welsh law. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who we are

Stoki is operated as a UK sole trader, trading as 'Stoki', based in London, United Kingdom. For all privacy questions, you can reach us at hello@usestoki.com.

3. What data we collect

We only collect the data we need to run the service. This includes:

  • Account information: your email address, a hashed copy of your password, and your business name.
  • Business data: products, sales, photos, settings, and other content you add to Stoki. This data belongs to you.
  • Technical data: IP address, browser and device information, and basic logs needed to operate and secure the service.
  • Cookies: essential cookies only, used to keep you signed in and remember your preferences. We do not use cookies for advertising or cross-site tracking.

4. Why we collect it

We rely on three lawful bases under UK GDPR. We collect account and business data under 'Contract' — we need it to provide the service you signed up for. We collect technical data under 'Legitimate Interest' — to keep Stoki secure, fast, and reliable.

Where we ever need to do anything that goes beyond these — for example, sending you marketing emails — we will ask for your 'Consent' separately, and you can withdraw it at any time.

5. How long we keep your data

We keep your account and business data for as long as your account is active. If you delete your account, we keep a minimal backup for 30 days in case of accidental deletion, then permanently remove it.

Some data may be retained longer where the law requires it — for example, anonymised financial records for tax purposes.

6. Who we share it with

We work with a small number of trusted providers to run Stoki. We share only the data each one needs to do its job.

We never sell your data to third parties. We never use it for advertising.

  • Supabase (EU) — hosts our database and authentication system.
  • Vercel (US) — hosts the web application. International transfers are protected by Standard Contractual Clauses.
  • Resend (EU) — sends transactional email such as sign-up confirmations and password resets.
  • Sentry — collects error reports to help us diagnose and fix bugs.

7. International data transfers

Some of our providers process data outside the UK and EU. Where this happens, transfers are protected by Standard Contractual Clauses or an equivalent legal mechanism approved under UK GDPR.

8. Your rights under UK GDPR

You have several rights regarding your personal data:

  • Right to access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your personal data (the 'right to be forgotten').
  • Right to data portability — receive your data in a portable format.
  • Right to object — object to certain types of processing, including direct marketing.
  • Right to lodge a complaint — with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email us at hello@usestoki.com. We will respond within one month.

9. Children

Stoki is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has signed up, please contact us and we will delete the account.

10. Security

We protect your data with industry-standard measures: HTTPS for all traffic, encrypted database storage, row-level security so businesses can only access their own data, and regular security reviews of our infrastructure.

11. Contact us about privacy

For any privacy questions, requests, or concerns, please email hello@usestoki.com. We aim to respond within one working day, and always within one month as required by UK GDPR.

12. Changes to this policy

If we make material changes to this policy, we will notify active account holders by email at least 14 days before the changes take effect. The 'Last updated' date at the top of this page always reflects the current version.