← Back home

Privacy Notice

Last updated: 2026 · Compliant with the Protection of Personal Information Act, 4 of 2013 (POPIA) and, where applicable, the GDPR.

1. Who we are (Responsible Party)

This Privacy Notice applies to services provided by Stoq ("Stoq", "we", "us"). For the purposes of POPIA, Stoq is the Responsible Party for personal information processed in connection with the Stoq platform. Where the GDPR applies, Stoq acts as the data controller.

Our Information Officer can be contacted through the in-app support channel or via your account settings. Where you ask us to handle personal information of your own customers (for example invoice recipients), you remain the Responsible Party for that information and Stoq acts as an Operator on your behalf.

2. The 8 conditions for lawful processing

We process personal information in line with the eight conditions set out in POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. The sections below explain how we meet each condition in practice.

3. Personal information we collect

  • Account data: name, email address, login credentials, business name, role.
  • Contact and support data: messages, attachments, and correspondence you send us.
  • Usage and telemetry: pages viewed, features used, device identifiers, IP address, log data.
  • Operational content you upload: products, inventory, sales, invoices, customer details, staff records and other business data.
  • Cookies: essential cookies for authentication and session management; optional analytics cookies if enabled.

Payment card details are collected directly by our payment provider, Paddle, and are not stored by Stoq. We do not knowingly collect personal information from children under 18 without consent of a competent person, and we do not process special personal information (e.g. health, religious or biometric data) unless you choose to upload it and authorise us to process it.

4. Purpose and legal basis

We collect personal information for specific, explicitly defined purposes, including:

  • Creating and managing your account (performance of a contract).
  • Providing, securing and improving the Stoq platform (legitimate interest / contract).
  • Customer support and service notifications (contract / legitimate interest).
  • Security, fraud prevention and abuse detection (legitimate interest / legal obligation).
  • Billing, tax and accounting via Paddle (legal obligation / contract).
  • Direct marketing — only with your consent, or to existing customers about similar products in line with section 69 of POPIA, with a clear opt-out in every message.

We will not process your personal information for a purpose that is incompatible with the original purpose unless we have your consent or are permitted by law.

5. Who we share information with (Operators and recipients)

  • Service providers / Operators: hosting, database, email, analytics and support tooling vendors that process information on our written instructions and under confidentiality.
  • Paddle.com Market Limited: our Merchant of Record, which handles payments, subscription billing, tax compliance, invoicing and refunds.
  • Professional advisers: legal, accounting and audit providers under confidentiality.
  • Authorities: where required by law, court order, or to establish, exercise or defend legal rights.

We require all Operators to apply appropriate security safeguards and to process personal information only for the purposes we authorise.

6. Cross-border transfers (POPIA section 72)

Some of our service providers are located outside South Africa. Where we transfer personal information outside the Republic, we rely on one of the grounds permitted by section 72 of POPIA, namely: the recipient is subject to a law or binding agreement that provides an adequate level of protection; you have consented to the transfer; the transfer is necessary for the performance of a contract with you or in your interest; or the transfer is for your benefit and it is not reasonably practicable to obtain your consent. Where the GDPR applies we additionally rely on Standard Contractual Clauses or adequacy decisions.

7. Retention

We keep personal information only for as long as your account is active and for as long as needed to provide the service, comply with legal, tax and accounting obligations, resolve disputes and enforce our agreements. When information is no longer needed we delete or de-identify it. Records that we are required by law to retain (for example financial records) are kept for the prescribed period.

8. Your rights as a data subject

Subject to applicable law, you have the right to:

  • be notified that your personal information is being collected, or has been accessed by an unauthorised person;
  • request confirmation of, and access to, the personal information we hold about you;
  • request correction, deletion or destruction of personal information that is inaccurate, irrelevant, excessive, out of date, misleading or unlawfully obtained;
  • object, on reasonable grounds, to the processing of your personal information;
  • object to processing for purposes of direct marketing and withdraw consent at any time;
  • submit a complaint to the Information Regulator (see below); and
  • where the GDPR applies, additional rights of restriction, portability and to lodge a complaint with your local supervisory authority.

You can exercise most of these rights from your account settings or by contacting us via the in-app support channel. We aim to respond within a reasonable period and, where the GDPR applies, within one month. Formal POPIA access or correction requests may be submitted using Form 2 or Form 3 prescribed under the regulations.

9. Security safeguards

We apply appropriate, reasonable technical and organisational measures to protect personal information against loss, damage, unlawful access and unauthorised destruction. These include encryption in transit, access controls, least-privilege role design, audit logging and regular reviews. If a security compromise affects your personal information we will notify you and the Information Regulator as required by section 22 of POPIA.

10. Cookies

We use essential cookies required for authentication and to remember your preferences. We may also use analytics cookies to understand product usage. You can manage cookie preferences through your browser settings.

11. Complaints to the Information Regulator

If you believe we have not handled your personal information in accordance with POPIA, you have the right to lodge a complaint with the Information Regulator (South Africa):

We would, however, appreciate the opportunity to address your concerns directly before you do so.

12. Changes to this notice

We may update this Privacy Notice from time to time. Material changes will be communicated through the service or by email. Continued use of Stoq after changes take effect constitutes acceptance of the updated notice.

13. Contact us

For privacy questions, to exercise your rights, or to contact our Information Officer, please use the in-app support channel or your account settings.