Privacy Policy
stokd ("we", "us", "our") operates the website www.trystokd.com and the stokd application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using stokd, you agree to the terms of this policy.
stokd is operated by Keary Labs, based in Melbourne, Victoria, Australia. This policy is governed primarily by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where you are located in the European Economic Area (EEA) or United Kingdom, additional rights under the General Data Protection Regulation (GDPR) apply as described in Section 8. Where you are located in California, USA, additional rights under the California Consumer Privacy Act (CCPA) apply as described in Section 9.
1. Information We Collect
Account information: When you create an account, we collect your email address and password (stored securely via Supabase Auth — passwords are hashed and never stored in plain text).
Business data you enter: Inventory items, sales records, expense records, purchase sources, contacts, and categories that you create within the app. This data belongs to you.
Payment information: If you subscribe to a paid plan, payments are processed by LemonSqueezy. We do not store your credit card details. LemonSqueezy may share your subscription status, billing email, and transaction history with us for account management purposes.
Usage data: We collect analytics data (page views, feature usage, session duration, clicks) via PostHog to understand how the product is used and improve it. PostHog may record session replays. Where you are a logged-in user, this data may be linked to your account.
Technical data: IP address, browser type, device type, operating system, and referrer URL collected automatically when you use the Service.
Communications: If you contact us via email or submit feedback through the app, we retain those communications to respond to you and improve the Service.
2. How We Use Your Information
We use your information for the following purposes and on the following legal bases:
- Contract performance: To provide, operate, and maintain the Service you signed up for
- Contract performance: To process payments and manage your subscription
- Contract performance: To send transactional emails (account confirmation, password reset, billing receipts, important service notices)
- Legitimate interest: To analyse usage patterns and improve the product
- Legitimate interest: To respond to support enquiries
- Consent: To send marketing emails and product updates (see Section 6 — Email Communications)
- Legal obligation: To comply with applicable laws and regulations
We do not sell your personal information to third parties. We do not use your business data (inventory, sales, expenses) for any purpose other than providing you the Service.
3. Data Storage and Security
Your data is stored on Supabase (PostgreSQL), hosted on infrastructure in the United States. Supabase is SOC 2 Type II certified. Data in transit is encrypted via TLS 1.2 or higher. Data at rest is encrypted at the database level.
Images and receipts you upload are stored in Supabase Storage with private bucket access controls — only you can access your files via authenticated requests.
We implement reasonable technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
4. Third-Party Services
We use the following third-party services to operate stokd. Each acts as a data processor on our behalf:
- Supabase — database, authentication, and file storage. Data stored in the United States.
- LemonSqueezy — payment processing and subscription management.
- PostHog — product analytics and session replay. Data stored in the United States.
- Railway — application hosting and infrastructure.
We do not share your personal information with any other third parties except as required by law or as necessary to provide the Service.
5. Cookies and Tracking
We use cookies and local storage for the following purposes:
- Essential cookies: To maintain your login session. Without these, the app cannot function.
- Analytics cookies: PostHog sets cookies to track page views and user behaviour. These help us improve the product.
We do not use advertising cookies or sell data to advertising networks. You may disable cookies in your browser settings, but this will prevent you from logging in to the Service.
6. Email Communications
Transactional emails: By creating an account, you agree to receive transactional emails necessary to operate the Service. These include: account verification, password resets, billing receipts, subscription confirmations, and critical security or service notices. You cannot opt out of transactional emails while maintaining an active account.
Marketing emails: By creating an account, you also consent to receive occasional marketing communications from stokd, including product updates, new feature announcements, tips for resellers, and promotional offers. We will only send marketing emails to the email address you registered with.
Unsubscribe: You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email, or by emailing support@trystokd.com with the subject "Unsubscribe". We will process your request within 5 business days. Opting out of marketing emails does not affect your receipt of transactional emails.
We comply with the Spam Act 2003 (Cth) (Australia), CAN-SPAM Act (United States), and CASL (Canada) in our email practices. All marketing emails will clearly identify stokd as the sender, include our contact details, and include a functional unsubscribe mechanism.
7. Data Retention
We retain your account and business data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or billing purposes (e.g. transaction records, which we retain for 7 years as required by Australian tax law).
Analytics data collected by PostHog is retained according to PostHog's data retention policies.
8. Rights of EEA and UK Users (GDPR)
If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data
- Right to restriction: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent for marketing emails at any time
To exercise these rights, contact us at support@trystokd.com. We will respond within 30 days.
International data transfers: Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) and the data processing agreements with our service providers (Supabase, PostHog, Railway) as the legal mechanism for these transfers.
You may lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with GDPR.
9. Rights of California Users (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: Request disclosure of what personal information we collect, use, disclose, and sell
- Right to delete: Request deletion of personal information we have collected
- Right to opt out of sale: We do not sell personal information. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at support@trystokd.com.
10. Your Rights (Australian Privacy Principles)
Under the Privacy Act 1988 (Cth), you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete information
- Request deletion of your account and personal data
- Make a complaint if you believe your privacy rights have been breached
To exercise these rights, contact us at support@trystokd.com. We will respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
11. International Data Transfers
stokd is operated from Australia. Our infrastructure providers (Supabase, Railway, PostHog) are based in the United States. By using the Service, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection laws to your country of residence.
Where required by applicable law, we ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses for EEA/UK users.
12. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice within the app or sending an email to your registered address at least 14 days before changes take effect. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
14. Contact Us
For privacy enquiries, data requests, unsubscribe requests, or complaints:
- Email: support@trystokd.com
- Website: www.trystokd.com
- Location: Melbourne, Victoria, Australia