Privacy Policy
Last updated: 11 February 2026
1. Who we are
StockTree is operated by James Birtwell, a sole trader based in England, trading as StockTree. For the purposes of applicable data protection law, we are the data controller responsible for your personal data.
Contact: [email protected]
2. What data we collect
Account data
When you register, we collect your name and email address. Your password is stored in hashed form — we cannot read it.
Team and inventory data
Data you create through the Service, including team names, member roles, product information, stock quantities, locations, batch records, custom field values, and product images.
Usage data
We automatically collect basic technical information when you use the Service, including IP address, browser type, device type, pages visited, and timestamps. This helps us maintain security and improve the Service.
Activity logs
The Service records actions taken within a Team (e.g. stock adjustments, product edits) to provide an audit trail for Team members. These logs include the name of the user who performed the action and a timestamp.
3. Why we collect it and our legal basis
Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract — necessary to provide the Service |
| Storing and displaying your inventory data | Contract — the core function of the Service |
| Sending transactional emails (password resets, account changes) | Contract — necessary for account operation |
| Sending product updates and service announcements | Legitimate interest — keeping you informed about the Service you use |
| Maintaining security and preventing abuse | Legitimate interest — protecting the Service and its users |
| Processing payments (when billing is active) | Contract — necessary to process your subscription |
4. Who we share data with
We do not sell your personal data. We share data only with the following service providers who process it on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Render | Application hosting and database | United States |
| Cloudflare | CDN, web hosting, and image storage (R2) | Global (headquartered in US) |
| Resend | Transactional email delivery | United States |
| Payment processor (TBC) | Subscription billing when payments are live | TBC |
We may also disclose your data if required to do so by law, regulation, or legal process, or to protect the rights, safety, or property of ourselves or others.
5. International data transfers
Your data is stored and processed on servers in the United States (Render, Oregon region) and distributed globally via Cloudflare's network. As a UK-based controller transferring data outside the UK, we rely on:
- UK adequacy regulations where the destination country has been deemed adequate by the UK government.
- International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses where our providers have adopted these safeguards.
You can request a copy of the relevant transfer safeguards by contacting us at [email protected].
6. How long we keep your data
- Account data: Retained for as long as your account is active, plus 30 days after deletion to allow recovery.
- Inventory and team data: Retained for as long as the associated Team exists. When a Team is deleted, its data is permanently removed within 90 days.
- Activity logs: Retained for the lifetime of the Team.
- Usage data: Aggregated or deleted within 12 months.
- Backup copies: Automatically purged within 30 days of the source data being deleted.
7. Your rights
Depending on where you are located, you have certain rights regarding your personal data. We honour these rights regardless of where you live, to the extent that they are technically feasible.
All users
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Ask us to delete your personal data. You can also delete your account directly from the Service.
- Export: Download your data in a structured, machine-readable format.
Additional rights under UK GDPR
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Complaint: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
California residents (CCPA/CPRA)
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioural advertising.
- You have the right to know what personal information we collect, request its deletion, and not be discriminated against for exercising your rights.
Australian residents
- Under the Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to access and correct your personal information.
- You can complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
Canadian residents
- Under PIPEDA (and applicable provincial legislation), you have the right to access your personal information, request correction, and withdraw consent.
- You can file a complaint with the Office of the Privacy Commissioner of Canada.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law).
8. Cookies
We use a minimal number of cookies to operate the Service:
- Authentication cookie: Keeps you logged in. Essential for the Service to work. Expires when your session ends or your token expires.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. If this changes in future, we will update this policy and implement appropriate consent mechanisms.
9. Security
We protect your data with the following measures:
- All data is encrypted in transit using TLS (HTTPS).
- Passwords are hashed using a strong one-way algorithm (bcrypt).
- Database access is restricted to the application servers.
- Authentication tokens expire automatically.
No system is 100% secure. If we become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority in accordance with applicable law.
10. Children's privacy
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
If you have any questions about this privacy policy or how we handle your data, please contact us:
- Email: [email protected]
- Data controller: James Birtwell t/a StockTree
- Supervisory authority: Information Commissioner's Office (ICO), ico.org.uk