Privacy Policy

Last updated: March 4, 2026

1. Information We Collect

Information You Provide

  • Account information: name, email address, company name, and password when you create an account
  • Billing information: payment details processed securely through Stripe (we do not store your full card number)
  • Business data: product information, inventory data, order details, warehouse configurations, and other data you enter into the Service

Information Collected Automatically

  • Usage data: pages visited, features used, and actions taken within the Service
  • Device information: browser type, operating system, and device identifiers
  • Log data: IP address, access times, and referring URLs
  • Anonymous analytics: we collect anonymous, aggregated website usage data including pages visited, referrer URLs, browser type, operating system, and country. This data does not identify individual visitors, does not use cookies, and IP addresses are not stored. We use this data solely to understand how the Service is used and to improve it.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related notifications
  • Send service-related communications (account updates, security alerts, support messages)
  • Monitor and analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

We do not sell your personal information to third parties. We do not use your business data for advertising purposes.

3. Data Storage and Security

Your data is stored on secure servers with industry-standard protections including:

  • Encryption in transit (TLS 1.2 or higher) and at rest
  • Regular security audits and vulnerability assessments
  • Role-based access controls limiting employee access to data
  • Automated backups with point-in-time recovery
  • Logging and monitoring of access to production systems
  • Incident response procedures

While we implement robust security measures, no method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

4. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe - payment processing. Stripe handles your payment information according to their own privacy policy and PCI compliance standards.
  • Sentry - error tracking and monitoring. Sentry receives error reports that may include technical data but not your business data. Sensitive parameters are filtered.
  • Postmark - transactional email delivery. Your email address is shared with Postmark to send account-related messages.
  • Google Ads - advertising and conversion tracking on our public marketing pages. Google may collect anonymised interaction data to measure ad performance. No business data is shared with Google.

Each third-party service operates under its own privacy policy. We only share the minimum data necessary for each service to function.

5. Subprocessors

storq.io uses the following third-party subprocessors to provide the Service. Each subprocessor processes data only as necessary for the purpose described.

Service Purpose Data Processed Jurisdiction
Stripe Payment processing Name, email, billing address, payment method details United States
Postmark Transactional email delivery Email address, email content United States
Cloudflare R2 File storage Uploaded files (product images, documents) European Union
Sentry Error monitoring IP address, browser information, error context (sensitive parameters filtered) United States
Umami Anonymous website analytics Page views, referrer, browser type, country (no personal data stored) European Union
Google Ads Advertising and conversion tracking Anonymised page views, ad clicks, conversion events United States
Heroku Infrastructure hosting All data stored in the Service European Union

We will update this list when we add or remove subprocessors. If you have a Data Processing Agreement with us, we will notify you of changes by email at least 30 days before they take effect.

6. Cookies

Cookies are small text files stored on your device when you visit a website. storq.io uses a minimal number of cookies.

Name Purpose Type Expiry
_storq_session Maintains your authenticated session so you stay signed in as you navigate the application. Essential Browser session
cookie_consent Records that you have acknowledged the cookie consent banner so it is not shown again. Functional 1 year
remember_user_token Keeps you signed in across browser sessions when you select "Remember me" at login. Essential 2 weeks

Google Ads may set cookies on our public marketing pages to measure advertising performance and track conversions. These cookies are governed by Google's Privacy Policy. They are not set within the application itself.

Stripe, our payment processor, may set cookies when you interact with payment forms. These cookies are governed by Stripe's Cookie Policy and are used solely for fraud prevention and payment processing.

You can control and delete cookies through your browser settings. However, disabling essential cookies will prevent you from signing in and using the application.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data: retained while your account is active
  • Business data: retained while your account is active, with a 30-day grace period after account deletion
  • Billing records: retained for 7 years for tax and legal compliance
  • Log data: retained for 90 days

After the applicable retention period, data is permanently deleted from our systems and backups.

8. Your Rights

You have the right to:

  • Access: request a copy of the personal data we hold about you
  • Correction: update or correct inaccurate personal data
  • Deletion: request deletion of your personal data and account
  • Export: download your business data in a standard format through account settings
  • Objection: object to certain processing of your personal data

To exercise any of these rights, contact us at [email protected] or use the relevant features in your account settings.

9. International Transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement or Addendum, where applicable
  • Adequacy decisions by the relevant authorities

Details of subprocessors and their jurisdictions are listed in the Subprocessors section above.

10. Data Processing Agreement

This section constitutes the Data Processing Agreement ("DPA") between Limitlesswealth Limited ("Processor", "we", "us") and the entity agreeing to the Terms of Service ("Controller", "you"). This DPA applies automatically when you use storq.io and does not need to be separately signed.

Definitions

Terms used in this section have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. Personal Data means any information relating to an identified or identifiable natural person processed through the Service. Processing means any operation performed on Personal Data. Sub-processor means any third party engaged to process Personal Data on behalf of the Controller. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

Scope and Roles

You are the Controller of the Personal Data you enter into the Service. We are the Processor, acting on your instructions as defined by your use of the Service. We will not process Personal Data for any purpose other than providing the Service unless required by law.

The categories of data subjects include your employees, customers, and suppliers. The categories of data include names, email addresses, physical addresses, phone numbers, order details, and other business information entered into the Service.

Processor Obligations

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to process Personal Data are bound by obligations of confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Assist the Controller in fulfilling obligations related to data subject rights, data protection impact assessments, and prior consultations with supervisory authorities
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA

Sub-processing

The Controller provides general authorisation for the Processor to engage sub-processors as listed in the Subprocessors section above. We will notify you at least 30 days before adding or replacing a sub-processor. Each sub-processor is bound by data protection obligations no less protective than those in this DPA. If you object to a new sub-processor, you may terminate the affected Service by providing written notice within 30 days.

Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under GDPR, including access, rectification, erasure, restriction, portability, and objection. Where a data subject contacts us directly, we will promptly redirect the request to you.

Data Breach Notification

We will notify you without undue delay (and within 72 hours) after becoming aware of a Data Breach affecting your Personal Data. The notification will include a description of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address it.

Audit Rights

We will make available all information necessary to demonstrate compliance with this DPA and allow for audits by you or an auditor you appoint. Audit requests must be made in writing with at least 30 days notice and conducted during normal business hours.

Termination and Data Return

Upon termination of the Service, we will delete or return all Personal Data within 30 days at your choice. You may export your data at any time through account settings before termination. We may retain data to the extent required by applicable law.

Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service.

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at:

Limitlesswealth Limited (Company No. 11015312)
[email protected]