Privacy Policy

The data controller responsible for your personal information is Aspire Digital LLC, a company registered in the United States. For privacy-related inquiries, data subject requests, or questions about this Policy, contact our Data Protection Officer at privacy@stoxbay.com.

For users in the European Economic Area (EEA), United Kingdom, Saudi Arabia, United Arab Emirates, Jordan, United States (including California), and Canada, additional rights and protections may apply as described in this Policy.

2.1 Information You Provide Directly

• Account details: full name, company name (for business accounts), email address, phone number, account role (warehouse provider, business customer, individual customer), preferred language, and password.
• Business verification: commercial registration numbers, tax registration numbers, and expiry dates (for warehouse providers and business customers).
• Profile data: profile photos, avatars, business descriptions, and team member information.
• Warehouse listing data (providers only): warehouse names, addresses, descriptions, features, pricing, availability, photos, and working hours.
• Transaction data: requests for quotation (RFQs), quotations, bookings, invoices, shipments, inventory records, and in-platform messages.
• Payment information: processed directly by our payment processor Stripe; we receive only the last four digits of payment cards and transaction metadata, not full card numbers.
• Communications: messages you send through our contact forms, support channels, and in-platform clarification notes.
• Marketing preferences: newsletter subscriptions and notification settings.

2.2 Information Collected Automatically

• Device and log data: IP address, device identifiers, browser type and version, operating system, mobile network information, device model, and crash reports.
• Usage data: pages visited, features used, clicks, search queries, referral URLs, session duration, and timestamps.
• Location data: approximate location derived from IP address for warehouse search results. Precise location is only collected if you explicitly grant permission in the mobile app.
• Cookies and similar technologies: session cookies, authentication cookies, and analytics identifiers. See section 8 for details.
• Push notification tokens: Firebase Cloud Messaging (Android) and Apple Push Notification service (iOS) identifiers, only if you opt in.

2.3 Information from Third Parties

• Integration partners: when you connect an ERP or CRM system (such as SAP, Oracle NetSuite, Microsoft Dynamics 365, Odoo, Salesforce, QuickBooks, Xero, or Zoho) through our connector framework, we receive the data you authorize that system to share.
• Authentication providers: if you sign in via a third-party provider in the future, we receive basic profile data they share with us.
• Payment processor: Stripe shares transaction status, payout identifiers, and failure codes with us.

2.4 Biometric Data

If you enable biometric login (Face ID, Touch ID, or fingerprint) in our mobile apps, the biometric data is stored and processed entirely on your device by Apple or Google. Stoxbay never receives, transmits, or stores your biometric data. We only receive a success or failure signal from the operating system.

2.5 Sensitive Categories

We do not intentionally collect sensitive categories of personal data (such as racial origin, political opinions, religious beliefs, health data, or genetic data). Do not submit such information through the Service.

We process your personal information for the following purposes. Where the General Data Protection Regulation (GDPR) or similar laws apply, we identify the legal basis for each purpose:

• Provide the Service (contractual necessity): create and manage your account, process RFQs and quotations, facilitate bookings, manage inventory and shipments, issue invoices, and deliver in-platform messaging.
• Process payments (contractual necessity): transmit transaction data to Stripe, reconcile payments, and manage provider settlements.
• Verify identity and eligibility (legal obligation, legitimate interest): verify commercial and tax registrations for providers and business customers, prevent fraud, and comply with anti-money-laundering requirements.
• Customer support (contractual necessity, legitimate interest): respond to inquiries, resolve disputes, and provide technical assistance.
• Platform safety and integrity (legitimate interest): detect and prevent fraud, abuse, spam, disintermediation attempts, and security incidents.
• Marketing communications (consent): send newsletters, product updates, and promotional content only where you have opted in. You can withdraw consent at any time.
• Analytics and improvement (legitimate interest): measure usage, diagnose errors, understand feature adoption, and improve the Service.
• Legal compliance (legal obligation): comply with tax reporting, e-invoicing regulations (including ZATCA in Saudi Arabia), court orders, and regulatory requests.
• Aggregated research and benchmarking (legitimate interest): produce anonymized statistics and market insights that do not identify any individual.

4.1 Between Platform Participants

To facilitate transactions, we share limited identifying information between warehouse providers and customers. Providers see the customer company name, contact name, and account type when an RFQ is submitted; customers see provider names and warehouse details. We do not share email addresses, phone numbers, or other direct contact details between parties unless and until required to fulfill a confirmed booking. In-platform messaging is provided so parties can communicate without exchanging contact details.

4.2 Service Providers and Sub-Processors

We rely on carefully selected third-party service providers to operate the Service, including:

• Supabase (PostgreSQL database, authentication, storage, realtime) — United States.
• Stripe (payment processing, subscriptions) — United States and Ireland.
• Resend (transactional email delivery) — United States.
• Vercel (application hosting and content delivery) — United States.
• Firebase (push notifications, app distribution, crash reporting) — Google LLC, United States.
• Apple Push Notification Service (iOS push notifications) — United States.
• Capacitor plugins for mobile functionality (camera, biometric, preferences) — processed locally on your device.

Each sub-processor is bound by contractual obligations to process your data only on our instructions and protect it appropriately. A current list of sub-processors is available on request.

4.3 Legal and Safety Disclosures

We may disclose your information when required by law, court order, government request, or when necessary to protect our rights, enforce our Terms of Service, investigate fraud, or protect the safety of our users or the public.

4.4 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you and continue to honor this Policy or provide an updated policy consistent with your rights.

4.5 Sale of Personal Information

We do not sell your personal information for monetary consideration and do not engage in targeted advertising based on your personal information. California residents have the right to opt out of any future sale under the CCPA/CPRA.

Stoxbay operates globally, with users in Saudi Arabia, the United Arab Emirates, Jordan, the United States, and Canada. Our primary infrastructure is hosted in the United States. Where your personal information is transferred from the European Economic Area, the United Kingdom, or another jurisdiction with data-transfer restrictions, we rely on appropriate safeguards including Standard Contractual Clauses, adequacy decisions (where available), and supplementary technical measures such as encryption in transit and at rest.

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:

• Account data: for the duration of your account plus 24 months after closure.
• Transactional records (bookings, invoices, payments): up to 7 years as required by tax and commercial record-keeping laws.
• Communications and support tickets: up to 36 months after resolution.
• Marketing preferences: until you withdraw consent.
• Audit logs and security records: up to 24 months.
• Anonymized and aggregated data: may be retained indefinitely.

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Row-level security policies on all database tables to enforce access control at the data layer.
• Multi-factor authentication support (TOTP authenticator apps).
• Secure credential storage using bcrypt hashing for passwords and AES-256-GCM encryption for connector credentials.
• Regular security reviews, dependency scanning, and penetration testing.
• Principle of least privilege for staff access and audit logging of administrative actions.

No system is completely secure. If we become aware of a breach affecting your personal information, we will notify you and the relevant supervisory authorities within 72 hours where required by law.

We use cookies and similar technologies for the following purposes:

• Strictly necessary: authentication, session management, CSRF protection, and load balancing. These cannot be disabled.
• Preferences: remembering your language, currency, locale, and UI settings.
• Analytics: understanding how users interact with the Service to improve it.

You can control non-essential cookies through your browser or device settings. Disabling cookies may affect Service functionality.

Depending on your jurisdiction, you have some or all of the following rights with respect to your personal information:

• Access: request a copy of the personal information we hold about you.
• Rectification: correct inaccurate or incomplete information.
• Erasure: request deletion of your personal information, subject to legal retention obligations.
• Restriction: restrict processing in certain circumstances.
• Portability: receive your data in a structured, commonly used, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent: withdraw consent for processing based on consent at any time, without affecting prior lawful processing.
• Lodge a complaint: file a complaint with your local data protection authority.
• Opt out of sale/sharing: California residents may opt out of the sale or sharing of personal information (we do not currently sell or share for advertising purposes).
• Non-discrimination: you will not receive discriminatory treatment for exercising your rights.

To exercise any of these rights, email privacy@stoxbay.com. We will respond within 30 days (or the timeline prescribed by applicable law). We may need to verify your identity before fulfilling the request.

10.1 European Economic Area and United Kingdom (GDPR / UK GDPR)

You have the right to lodge a complaint with your national Data Protection Authority. Our legal bases for processing are contractual necessity, legitimate interests, legal obligations, and consent, as identified in Section 3.

10.2 California (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes beyond those reasonably expected by a consumer.

10.3 Saudi Arabia (PDPL)

Under the Saudi Arabian Personal Data Protection Law, you have rights to be informed, to access your data, to request correction, and to request destruction of your data. For international data transfers outside the Kingdom of Saudi Arabia, we comply with the requirements of the PDPL and its implementing regulations.

10.4 United Arab Emirates (PDPL)

Under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, you have rights to request information, correction, restriction, objection, deletion, and data portability.

10.5 Canada (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act, you have the right to access and correct your personal information and to withdraw consent for processing.

The Service is intended for users who are at least 18 years old or the age of majority in their jurisdiction. We do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area). If you believe we have inadvertently collected information from a child, contact us and we will delete it promptly.

The Service may contain links to third-party websites or services that we do not operate. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will notify you by email or through an in-app notice and update the "Last updated" date above. Continued use of the Service after the effective date of changes constitutes your acceptance of the updated Policy.

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a privacy concern, please contact us:

• Email: privacy@stoxbay.com
• Data Protection Officer: dpo@stoxbay.com
• Postal address: Aspire Digital LLC, 9600 Great Hills Trail, Suite 150W, Austin, TX 78759, USA.