Privacy Policy
Last updated 13 July 2026
This policy explains what personal data StockVaults holds, why, and the rights you have over it.
1. Who we are
StockVaults (“we”, “us”) provides inventory-management software at stockvaults.co.uk. This policy explains how we handle personal data and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018). For personal data in your own account records, we are the data controller.
2. Data you enter about other people
When you add records about consignors, buyers or suppliers — including names, contact details, addresses and, for consignor payouts, bank details — you are the data controller for that information and we process it on your behalf as your processor, only to provide the Service and on your instructions.
You are responsible for having a lawful basis to hold that data and for responding to the rights requests of the people it concerns. We will assist you where the law requires.
3. What we collect
- •Account and company details: your name, email, company name, and settings.
- •Authentication data: password hashes, two-factor secrets and login/session records.
- •Content you create: items, images, documents, consignor/buyer/supplier records and notes.
- •Billing data: your plan and payment status. Card details are handled by Stripe — we do not store full card numbers.
- •Usage and technical data: log records, IP address, device/browser information, and audit-trail entries of key actions.
4. How we use data and our lawful bases
- •To provide, secure and support the Service — performance of our contract with you.
- •To take payment and prevent fraud — contract and legitimate interests.
- •To send essential service and transactional emails — contract and legitimate interests.
- •To keep audit logs, protect data and meet legal duties — legitimate interests and legal obligation.
We do not sell your personal data, and we do not use it for third-party advertising.
5. Sharing and sub-processors
We share data only with service providers who help us run StockVaults, under contract and only as needed:
- •Stripe — payment processing.
- •Brevo — delivery of transactional email.
- •Cloudflare — network security, DNS and bot protection (including the Turnstile check on our forms).
- •Our UK hosting provider — servers and storage.
We may also disclose data where required by law or to protect our rights, users or the Service.
6. Security
We protect data with encryption in transit (TLS) and at rest. Especially sensitive fields — such as consignor bank details held in “secure notes” — are additionally encrypted using envelope encryption with a key unique to each company, are access-restricted, and every view is written to an audit log. Access to production systems is limited and logged.
If a StockVaults administrator needs to view secure data to resolve a support issue, that access is restricted, cannot alter the data, and is audited.
7. Data retention
We keep your data for as long as your account is active. After you close your account or request deletion, we remove or anonymise personal data within a reasonable period, except where we must retain limited records to meet legal, tax or accounting obligations. Encrypted backups are kept on a rolling window and then overwritten.
8. Your rights
Subject to UK GDPR, you have the right to access, correct, delete, restrict or object to processing of your personal data, and to data portability. You can:
- •export your company’s data at any time from Settings → Data & privacy;
- •request deletion of your account and data from the same screen;
- •contact us at [email protected] to exercise any other right.
We will respond within the time limits set by law. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk).
9. International transfers
We aim to host and process data in the UK/EEA. Where a provider processes data outside the UK/EEA, we rely on appropriate safeguards such as UK adequacy regulations or standard contractual clauses.
10. Cookies
We use only the cookies needed to run the Service — chiefly to keep you signed in securely — plus Cloudflare’s security check on public forms. We do not use advertising or cross-site tracking cookies.
11. Changes and contact
We may update this policy from time to time and will note the “last updated” date above; material changes will be notified. For any privacy question or request, contact [email protected].
Questions about this document? Contact us.