Privacy Policy
Last updated: 2026-05-19
This Privacy Policy explains how Stocketto collects, uses, and protects information when you use our inventory management service (the "Service"). It applies to everything at stocketto.com and any subdomain that resolves to the same product.
Our promise to you
We treat your data like it's our own business on the line — because for our customers, it is. In plain terms:
- We do not sell your data. Not to advertisers, data brokers, analytics resellers, or anyone else. Ever. Selling your data is not now, and will not become, part of our business model.
- We do not share your data with third parties for marketing. The only third parties that touch your data are the infrastructure vendors needed to actually run the Service — hosting, database, transactional email, error tracking, payment processing. They are listed by name below, and each one operates under its own published privacy commitments.
- We do not use your workspace data to train AI models. Your products, suppliers, purchase orders, sales records, and cost data are not used by us — or by any of our vendors — to train, fine-tune, or evaluate machine-learning models.
- We do not show ads inside the Service. There are no third-party tracking pixels, retargeting tags, advertising cookies, or analytics SDKs that send your data to ad networks.
- You own your data. You can export it as CSV any time from the Reports section. You can delete your workspace and all associated data from the Billing page. We honor deletion requests within 30 days (subject only to records we are legally required to retain — typically: payment receipts).
If any of the above ever changes, we will email every account owner before the change takes effect, and we will revise this page with the new date and a summary of what changed.
Who runs the Service
Stocketto is operated by Caddy Classics LLC ("we," "us," "our"), a Utah limited-liability company. You can reach the team at hello@stocketto.com for any privacy question — that inbox is read by a human, not a ticket queue.
What we collect
Account data. When you sign up we collect your email address, your name (if you provide it), and your password, which we store only as a salted bcrypt hash. We never store passwords in plaintext, and we cannot recover a forgotten password — only reset it.
Workspace data. Information you put into the Service — products, suppliers, locations, purchase orders, receipts, sales records, cost layers, cycle counts, write-offs, and similar inventory data — is stored on our servers so we can show it back to you and run the workflows you signed up for.
Integration data. If you connect a third-party channel (Shopify, BigCommerce, Amazon, Etsy, Faire), we receive whatever data that channel sends us under your authorization. We use it only to provide the integration features you asked for. We do not write back to channels — channels are a read-only feed into Stocketto.
Operational data. Server logs (timestamps, IP addresses, request paths, user agents) for debugging, abuse prevention, and rate limiting. We do not link these logs to advertising profiles or sell them.
Payment data. If you upgrade to a paid plan, our payment processor (Stripe) handles your card details directly. We receive only a customer ID, plan, and subscription status. We never see your full card number, CVV, or bank credentials.
What we use it for
- Operate the Service and deliver the features you signed up for
- Send you transactional emails: account verification, password resets, billing notifications, trial-end reminders, security alerts
- Investigate and fix bugs, performance issues, and security incidents
- Calculate aggregate usage metrics (e.g. number of workspaces, orders processed) — never tied back to identifiable individuals
- Comply with our legal obligations
We do not use your data to: build a profile of you for advertisers, train AI models, sell to brokers, or share with anyone outside the subprocessor list below.
Subprocessors
We rely on a small number of trusted vendors to deliver the Service. Each one only accesses the data needed to do its job and operates under its own published privacy and security commitments.
- Hosting: Vercel — runs the application and CDN
- Database: Neon — Postgres for workspace data
- Authentication: NextAuth (self-hosted) — session management
- Email: Resend — transactional email only (no marketing)
- Error tracking: Sentry — bug reports and stack traces
- Payments: Stripe — card processing and subscription billing
- Analytics: none (no Google Analytics, no Mixpanel, no Segment, no marketing analytics)
We update this list when it changes and email account owners about additions that meaningfully change the data flow.
How long we keep it
While your account is active, we keep your workspace data so the Service works. If you delete your workspace, we permanently remove its data within 30 days, except for:
- Operational backups, which are deleted on a rolling 30-day cycle
- Records we are legally required to retain (typically: payment receipts and tax records, retained 7 years)
- Logs of abuse or security incidents, retained as needed to protect the Service
Your rights
You can:
- View the data on your account by logging in
- Update your name, email, and password from your Profile page
- Export your inventory data as CSV from the Reports section
- Delete your workspace and all associated data from the Billing page (this is permanent)
- Email hello@stocketto.com for a full data export or for help with deletion if the in-app tools aren't enough
If you live in the EU, UK, California, Colorado, Connecticut, Utah, Virginia, or any other jurisdiction with consumer-data laws, you have additional rights under GDPR / UK GDPR / CCPA / CPA / CTDPA / UCPA / VCDPA — including the right to access, correct, port, delete, opt out of "sale" (irrelevant here since we don't sell), opt out of "sharing for cross-context behavioral advertising" (also irrelevant), and to lodge a complaint with your local data-protection authority. We honor these rights for everyone, regardless of where you live.
To exercise any of these rights, email hello@stocketto.com. We respond within 30 days.
Cookies
We use cookies for two things only:
- Session cookie — keeps you logged in
- Workspace cookie — tells the server which workspace you're acting on if you belong to more than one
We do not use third-party advertising, retargeting, or cross-site tracking cookies. We do not embed third-party SDKs that set cookies of their own.
Security
We protect your data using industry-standard measures, including:
- TLS for all traffic in transit (HTTPS only — no plaintext fallback)
- Passwords stored as bcrypt hashes with per-account salts
- Database isolation per workspace (multi-tenancy with row-level enforcement)
- Principle of least privilege for all internal access
- Regular dependency updates and monitoring of security advisories
- Encrypted backups
No system is 100% secure. If we discover a breach that affects your data, we will notify affected account owners within 72 hours of discovery, consistent with GDPR Article 33 and applicable U.S. state breach-notification laws.
Children
The Service is for business use. We do not knowingly collect data from anyone under 13 (or under 16 in the EU/UK). If you believe a minor has signed up, email us and we will remove the account.
International transfers
Our hosting and database are in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (or an equivalent mechanism) where required by law for transfers from the EU/UK.
Changes to this policy
We will update this page and revise the "Last updated" date at the top whenever something changes. For material changes — new categories of data, new subprocessors with broader access, new uses of data — we will also email every account owner at least 14 days before the change takes effect.
Contact
Privacy questions, data requests, or anything else: hello@stocketto.com.