Legal

Privacy Policy

Last updated: 16 May 2026

This Privacy Policy explains how StockHaven (“we”, “us”, or “our”) collects, uses, stores, and shares your personal data when you use our inventory management platform at stockhaven.co.uk (the “Service”). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

StockHaven is the data controller for personal data processed through the Service. If you have questions about this policy or wish to exercise your rights, please contact us at:

StockHaven
Email: privacy@stockhaven.co.uk
United Kingdom

2. What personal data we collect

Account data

When you register for an account we collect your name, email address, and (if you are invited by an organisation) the organisation you belong to. Your password is hashed and never stored in plain text.

Business and inventory data

You choose to enter business data into StockHaven — product listings, purchase orders, supplier details, order records, and shipment information. This data is stored on your behalf and may include the names and contact details of your suppliers or customers if you enter them.

Usage data

We collect anonymised page-view and interaction data via Vercel Analytics to understand how the Service is used and to improve it. This data does not identify you individually and is not linked to your account.

Payment data

Subscription payments are processed by our payment provider. We do not store full card numbers or sensitive payment details — only payment confirmation metadata (plan, billing date, last four digits if surfaced by the processor).

Communications

If you contact us by email we will retain your message and contact details to respond to your enquiry.

Amazon order data

If you connect Amazon Seller Central via the SP-API integration, we retrieve order records from Amazon and store them within the Service on your behalf. We act as a data processor for this data; Amazon is the original source. Refer to Amazon's own privacy policy for how they handle seller data.

3. Legal bases for processing

We process your personal data on the following legal bases under UK GDPR Article 6:

  • Performance of a contract — creating and managing your account, delivering the Service, and processing subscription payments.
  • Legitimate interests — improving the Service, maintaining security, preventing fraud, and sending service-related notifications. We have balanced these interests against your rights and concluded they do not override your privacy.
  • Consent — non-essential cookies and any direct marketing communications (you can withdraw consent at any time).
  • Legal obligation — retaining financial records for the period required by UK tax law.

4. How we use your data

  • Providing and operating the Service
  • Sending transactional emails (account setup, shipment notifications, password reset)
  • Responding to support enquiries
  • Monitoring and improving Service performance and reliability
  • Detecting and preventing fraudulent or abusive use
  • Complying with legal obligations

We do not sell your personal data to third parties. We do not use your business data to train machine-learning models or for any purpose beyond operating the Service.

5. Third-party processors

We share data only with the following sub-processors, all of whom are contractually bound to process data solely on our instructions:

Processor     | Purpose                                            | Location
--------------|----------------------------------------------------|-----------------
Supabase      | Database, authentication, and file storage         | EU (Ireland)
Vercel        | Hosting, edge compute, and anonymised analytics    | US / Global CDN
Resend        | Transactional email delivery                       | US
Amazon SP-API | Retrieval of order data from Amazon Seller Central | AWS / UK & EU

Where data is transferred outside the UK or EEA we ensure appropriate safeguards are in place (standard contractual clauses or an adequacy decision).

6. Data retention

  • Account and business data — retained for the lifetime of your account. After account closure, data is retained for 6 years to meet UK statutory accounting obligations (Companies Act 2006, HMRC requirements) and then securely deleted.
  • Server and access logs — deleted after 90 days.
  • Support correspondence — retained for 2 years after the enquiry is resolved.
  • Analytics data — anonymised aggregates retained indefinitely; no personally identifiable information is stored.

You may request early deletion of your data — see Your Rights below.

7. Cookies

We use a small number of strictly necessary cookies (for authentication) and an analytics cookie (Vercel Analytics, which does not collect personally identifiable information). See our Cookie Policy for full details and opt-out instructions.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (subject to legal retention obligations).
  • Restriction — ask us to limit how we use your data while a dispute is resolved.
  • Portability — receive your data in a machine-readable format. Most of your business data is already exportable to CSV from within the app.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email privacy@stockhaven.co.uk. We will respond within one month. We may need to verify your identity before fulfilling a request.

9. Supervisory authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have handled your personal data unlawfully:

Information Commissioner's Office
ico.org.uk — 0303 123 1113

We would, however, appreciate the opportunity to address your concern directly before you approach the ICO.

10. Security

We implement industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, row-level security on our database, and role-based access controls within the application. No system is perfectly secure and we cannot guarantee absolute security, but we take reasonable steps to protect your information.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or a prominent notice in the app at least 30 days before taking effect. The “Last updated” date at the top of this page will always reflect the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.