Privacy
Your data, your Gmail, your control.
Last updated: 2026-05-15
What we collect
Only what is needed to run your inventory ops: account details, business and location records, inventory items, par levels, suppliers, purchase orders, POS sales you authorize us to ingest, channel identifiers for Telegram, WhatsApp, email, and push notifications, and any support or bug-report messages you send. If you save supplier website credentials or OAuth tokens, we store them encrypted and use them only for the connected feature.
What we do with it
We use your data only to operate the product: draft and send purchase orders, route supplier replies, compute daily briefs, deduct stock from POS sales, detect operational issues, and notify the users you have paired through the channels you enable. AI requests, when enabled, are sent only for product tasks such as parsing, classification, and drafting. We do not sell, rent, or share your data with third parties for marketing.
Gmail access is narrow
When you connect Gmail, StockPilot requests a single, narrow scope - the minimum needed to do the job:
gmail.send- to send the purchase-order emails you approve, from your own address.
We do not read your inbox. Supplier replies come back to a dedicated address StockPilot owns, set as Reply-To on the emails we send, and are routed back to the matching purchase order on our servers. You can revoke Gmail access at any time from your Google account, or disconnect it from Settings - Channels - Gmail.
Cookies and local storage
StockPilot uses essential cookies to keep you signed in and to remember the active location you selected. The public site also stores your cookie-consent choice in your browser so we do not keep asking. Optional analytics or marketing cookies are not enabled unless you choose "Allow optional" in the consent banner.
Who can see it
Only users you have explicitly added to your location, and a small on-call engineering team at StockPilot in the event of a support, security, abuse, or reliability issue. App actions are recorded in an audit trail so sensitive changes can be reviewed.
Where it lives
Production data lives in the managed database configured for the deployment, commonly Postgres on Neon or Railway; local development may use SQLite. Production connections use TLS, and database encryption and backup retention follow the configured hosting provider. You can request a data export or permanent deletion by emailing privacy@stockpilot.app.
Subprocessors
The exact providers depend on which features you enable. Common processors include:
- Railway, Neon, or the configured host for app hosting and database storage
- Google Gmail API for outbound purchase-order email when you connect Gmail
- Resend or your configured inbound email provider for supplier replies
- Telegram, Twilio WhatsApp, and Expo for notifications you enable
- Square, Clover, Shopify, QuickBooks, Xero, 7shifts, or Homebase when connected
- OpenAI-compatible, Cloudflare, or local AI providers for enabled AI features
- Browserbase or 2Captcha only when supplier sign-in automation is enabled
- Stripe when billing is enabled
Your controls
You can disconnect channels and integrations from Settings, revoke OAuth access at the provider, decline optional cookies, and ask us to export or delete your account data. Transactional account, security, and operational emails may still be sent when required to run the service or protect the account.
Contact
Questions, access requests, or concerns? privacy@stockpilot.app.