Privacy Policy — what we collect & why

Overview

Stokis is an inventory and procurement agent. We connect to commerce, ERP, mail, and supplier systems to forecast demand and draft purchase orders.

The short version

We use your data to run Stokis for your workspace, protect the service, and improve product reliability. We do not sell your operational data.

Data we collect

We collect the information needed to create accounts, connect stores, forecast inventory, and prepare supplier communications.

Category	Examples	Purpose
Account data	Name, email, role, company, workspace	Create accounts and secure access
Operational data	SKUs, stock levels, sales velocity, supplier rules, purchase orders	Forecast demand and draft purchase orders
Communication data	Supplier emails, PO replies, delivery notes, read receipts	Track confirmations and surface delays
Telemetry	Pages visited, actions taken, errors, device and browser data	Improve reliability and diagnose issues

Payment details are handled by our billing provider. We do not store full card numbers on Stokis systems.

How we use data

Your data is used to operate Stokis for your workspace: sync inventory, forecast demand, score supplier options, draft purchase orders, send approved supplier messages, and keep an audit trail.

Authenticate users and enforce workspace permissions.
Generate forecasts, reorder suggestions, and procurement drafts.
Send transactional emails and supplier communications you approve or configure.
Measure product reliability and investigate abuse or security events.

Model use

Customer operational data is used to provide the service to that customer. It is not sold or used for third-party advertising.

Sharing and sub-processors

We share data only with the named sub-processors below, or when required by law. Each operates under contract and processes data only for the services they provide to us.

Sub-processor	Purpose	Region
Stripe, Inc.	Subscription billing, invoices, and payment processing	EU / US
Anthropic, PBC	Procurement-agent reasoning (Claude API). Workspace data is sent only when the agent runs; not used to train Anthropic models.	US
The customer's own SMTP provider (BYO)	Outbound supplier mail is sent through SMTP credentials the customer configures themselves. Stokis stores those credentials at-rest under AES-256-GCM encryption.	Customer-elected
Postmark / Cloudflare Email Routing	Inbound supplier replies routed to the workspace inbox	EU / US
Coolify-hosted VPS infrastructure	Application, database, file, and backup hosting	EU
Umami Cloud	Cookieless, privacy-first product analytics — aggregate pageviews and activation events only. No cookies, no cross-site tracking, no personal profiles, no advertising.	EU
Sentry	Application error monitoring and diagnostics	EU

This list is the complete set of sub-processors that receive workspace data. We update it before adding new ones — material changes are announced in the changelog.

Cookies and local storage

Stokis uses cookies and local storage strictly to keep you signed in and to remember your in-app preferences.

Type	Examples	Required?
Authentication	Session cookie set by better-auth so you stay signed in	Yes — site won't work without it
Preferences	Local storage for the active workspace, sidebar collapse state, command-palette history	No — clearable from your browser without breaking the app

For product analytics we use Umami (see the sub-processors table) — it is cookieless, sets nothing on your device, and builds no personal profiles. We do not use advertising or cross-site tracking cookies. Adding any cookie outside the table above would update this section first.

Retention and deletion

We keep data for as long as your workspace is active, as long as needed to provide the service, or as required by legal, tax, security, and audit obligations.

Data type	Typical retention
Active workspace data	For the lifetime of the workspace
Closed workspace data	Hidden immediately on deletion, then permanently erased 30 days later (a recovery grace window), subject to legal holds
Audit logs	Retained for security, compliance, and dispute records
Telemetry	Aggregated or deleted after it is no longer needed

You can request export or deletion by contacting info@stokis.io.

Your rights

Depending on where you live, you may have rights to access, correct, export, delete, restrict, or object to certain processing of your personal data.

To exercise these rights, email info@stokis.io. We may need to verify your identity and workspace relationship before acting on a request.

Security

We use technical and organizational safeguards designed to protect customer data, including encrypted transport, role-based access controls, audit logs, and least-privilege operational access.

Security reports

If you believe you found a vulnerability, contact info@stokis.io. Please do not access or modify data that is not yours.

Contact

Contactinfo@stokis.io