Privacy Policy
Last updated: 10 April 2026
1. Who We Are
Stock Runner ("we", "us", "our") operates the Stock Runner application and website at stockrunner.app. We are the data controller responsible for your personal data.
For any privacy-related queries, contact us at privacy@stockrunner.app.
2. What Data We Collect
Information you provide
- Account details — name, email address, phone number, password.
- Organisation details — shop name, address, business type.
- Product data — catalogue items, barcodes, prices, shopping lists, photos you upload.
- Payment information — processed securely by our payment provider; we do not store card numbers.
Information collected automatically
- Device information — device type, operating system, browser type, app version.
- Usage data — pages visited, features used, timestamps.
- Log data — IP address, request headers, error reports.
3. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Service.
- Sync your shopping lists and catalogue data across your devices in real time.
- Send you transactional messages (OTP codes, password resets, account notifications).
- Provide customer support.
- Monitor and analyse usage patterns to improve the product.
- Detect, prevent, and address technical issues and security threats.
We do not sell your personal data to third parties.
4. Legal Basis for Processing (UK GDPR)
- Contract — processing necessary to provide the Service you signed up for.
- Legitimate interest — analytics, security monitoring, product improvement.
- Consent — marketing communications (you can opt out at any time).
- Legal obligation — where we are required to retain data by law.
5. Sub-Processors
We use the following third-party services to operate Stock Runner:
| Service | Purpose | Location |
|---|---|---|
| Railway | Application hosting & database | EU / US |
| Cloudflare R2 | File storage (product photos) | EU |
| Bird.com | SMS delivery (OTP codes) | EU |
| WhatsApp Business Cloud API | WhatsApp messaging | EU / US |
| Firebase Cloud Messaging | Push notifications | EU / US |
| Sentry | Error monitoring | EU |
| PostHog | Product analytics | EU |
| Stripe | Payment processing | EU / US |
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. When you delete your account, we begin a 30-day grace period during which you can reverse the deletion. After 30 days, your personal data is permanently deleted from our systems, except where we are required by law to retain it (e.g. financial records for up to 7 years).
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Regular security audits and vulnerability assessments.
- Access controls limiting who can view your data internally.
- Automated encrypted database backups.
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data (Settings → Export My Data).
- Rectification — correct inaccurate personal data via your account settings.
- Erasure — delete your account and data (Settings → Delete Account).
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — request we limit processing of your data.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@stockrunner.app. We will respond within 30 days.
9. Cookies
Stock Runner uses essential cookies required for authentication and session management. We do not use advertising or third-party tracking cookies. Analytics are handled server-side via PostHog with privacy-preserving defaults (no cookie-based tracking).
10. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
11. International Transfers
Some of our sub-processors operate outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or UK adequacy decisions).
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the Service at least 14 days before the changes take effect.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
14. Contact
Stock Runner
Email: privacy@stockrunner.app