Privacy Policy

Last updated: 28 February 2026

1. Data controller

The data controller for the purposes of the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018 is:

[Stokka Ltd] (company number pending)
[Registered address to be confirmed]
Ireland

This section will be updated with the full legal entity name, Companies Registration Office (CRO) number, and registered address once the company is incorporated.

2. Information we collect

Information you provide

  • Account details: name, email address, company name, and password when you register.
  • Billing information: payment card details processed by our payment provider. We do not store full card numbers.
  • Inventory data: product, stock, supplier, and order information you enter into the Service.
  • Communications: messages you send to our support team.

Providing your name, email address, and company information is a contractual requirement necessary to create an account and use the Service. If you do not provide this information, we cannot provide the Service to you.

Information collected automatically

  • Usage data: pages visited, features used, timestamps, and session duration.
  • Device data: browser type, operating system, IP address, and device identifiers.
  • Cookies and similar technologies: see our Cookie Policy for details.

3. Legal basis for processing

Under Article 6(1) of the GDPR, we process your personal data on the following legal bases:

Processing purpose | Legal basis
Providing and maintaining the Service (account management, inventory features, integrations) | Performance of a contract (Art. 6(1)(b))
Processing payments and billing | Performance of a contract (Art. 6(1)(b))
Responding to support requests | Performance of a contract (Art. 6(1)(b))
Monitoring usage patterns, diagnosing technical issues, and improving the Service | Legitimate interest (Art. 6(1)(f)) - our legitimate interest is maintaining and improving a reliable, secure service
Sending product updates and marketing communications | Consent (Art. 6(1)(a)) - you may withdraw consent at any time
Complying with legal and tax obligations | Legal obligation (Art. 6(1)(c))

4. Sharing your information

We do not sell your personal information. We may share data with:

  • Hosting: our infrastructure is hosted on Amazon Web Services (AWS) in the EU (eu-west-1, Ireland).
  • Payment processing: payments are processed by Stripe, Inc. (USA), operating under Standard Contractual Clauses for data transferred outside the EEA.
  • Third-party integrations: services you explicitly connect, such as Xero, QuickBooks, Shopify, or Amazon. Data is only shared with these services at your direction.
  • Law enforcement or regulatory bodies: when required by law or to protect our legal rights.

We maintain a list of sub-processors. If you would like a copy, contact us through our website at stokka.io.

5. Data retention

We retain your data for the following periods:

Data type | Retention period
Account and inventory data | For as long as your account is active. Deleted within 90 days of account closure.
Financial and billing records | 6 years after the end of the relevant tax year, as required under the Taxes Consolidation Act 1997 (s. 886).
Support communications | 24 months after resolution, then deleted.
Usage and server logs | 90 days, then deleted.

6. Data security

We use industry-standard security measures including encryption in transit (TLS), encryption at rest, and access controls. No method of transmission or storage is 100% secure, but we take reasonable steps to protect your data.

7. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Request erasure of your data (Art. 17).
  • Restrict processing in certain circumstances (Art. 18).
  • Data portability - receive your data in a structured, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3)).

To exercise any of these rights, contact us through our website at stokka.io. We will respond within one month of receiving your request, as required by Article 12(3) of the GDPR.

You also have the right to lodge a complaint with the Data Protection Commission (DPC), the Irish supervisory authority, if you believe your data protection rights have been violated. You can contact the DPC at www.dataprotection.ie.

8. International transfers

Your data is primarily hosted on AWS in Ireland (eu-west-1). Where data is transferred outside the European Economic Area - for example, to Stripe, Inc. in the United States for payment processing - we rely on Standard Contractual Clauses approved by the European Commission as our transfer safeguard under Article 46(2)(c) of the GDPR.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service at least 30 days before they take effect. Where a change affects processing that relies on your consent, we will seek renewed consent before applying the change.

10. Contact us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us through our website at stokka.io.