Stoatly

Privacy Policy

Stoatly Ltd - Last updated: 12/06/2026


  1. About Us

    Stoatly Ltd is a private limited company registered in Northern Ireland, United Kingdom (Companies House number: NI741169). Our registered office is Office 1832 92 Castle Street, Belfast, United Kingdom, BT1 1HE.
    We are registered with the Information Commissioner's Office (ICO). Registration number: [PENDING].


  2. Data We Collect

    Account data

    • Name, email address, and password when you register
    • Studio name and configuration details

    Usage data

    • How you interact with the platform, including features used, pages visited, and actions taken
    • Error and diagnostic data collected via error monitoring software

    Billing data

    • Billing is handled entirely by Paddle as our Merchant of Record. We do not store your payment card details. Paddle's privacy policy governs how your billing data is handled: https://www.paddle.com/legal/privacy

    Technical data

    • IP address, browser type, and device information collected automatically during use

  3. How We Use Your Data

    We process your data on the following legal bases under UK GDPR:

    • Contract performance: to provide the Stoatly service you have subscribed to
    • Legitimate interests: to monitor and improve the platform, detect errors, and ensure safety
    • Legal obligations: to comply with applicable laws and regulations

    Specifically we use your data to:

    • Operate and maintain your account
    • Process your subscription via Paddle
    • Monitor platform performance and diagnose errors
    • Analyse usage to improve the service
    • Send service-related communications including billing notices and product updates

  4. Analytics, Error Monitoring, and Tracking

    We use the following third party services which may process your data:

    • Analytics: to understand how the platform is used in aggregate
    • Error monitoring: to detect and diagnose technical issues
    • Usage tracking: to identify areas of the platform that need improvement

    These services process data in accordance with their own privacy policies:

    • Sentry (error monitoring): https://sentry.io/privacy/. We use Sentry to capture diagnostic data about technical errors on a legitimate-interests basis. Sentry is configured not to collect personal data by default.
    • PostHog (product analytics): https://posthog.com/privacy. We use PostHog to understand how the platform is used in aggregate. Analytics only run with your consent (you can decline via the cookie banner), and we do not enable session recording.

  5. Cookies and Similar Technologies

    We use the cookies and browser storage listed below. You can accept or decline non-essential (functional and analytics) storage via the cookie banner; strictly necessary items are always active. Some browser storage may be subject to PECR/ePrivacy regulations.


    Strictly Necessary Cookies

    Essential for the platform to function. These do not require your consent.

    Name | Type | Purpose | Duration
    sb-<project>-auth-token (and chunks) | Cookie | Authenticates your session. Set by Supabase Auth. | Session
    gh_state_token | Session storage | Temporary CSRF security token for the GitHub integration handshake; deleted at the end of the session. | Session
    stoatly-cookie-consent | Local storage | Remembers your cookie-consent choice so we don’t ask again on every visit. | Until cleared

    Functional Cookies

    Improve your experience but are not essential. These are only set with your consent.

    Name | Type | Purpose | Duration
    sidebar_state | Cookie | Remembers whether the navigation sidebar is expanded or collapsed. | 7 days
    stoatly-theme | Local storage | Stores your light/dark mode preference. | Until cleared
    stoatly-active-studio | Local storage | Remembers your last selected studio for convenience. | Until cleared
    Paddle checkout cookies | Cookie | When you start a subscription purchase, Paddle (our Merchant of Record) loads a checkout overlay which sets its own cookies for fraud prevention and checkout session management. Governed by Paddle’s privacy policy. | Per Paddle

    Paddle's checkout cookies are governed by Paddle's privacy and cookie policy: https://www.paddle.com/legal/privacy.



  6. Data Retention

    • Account and studio data is retained for the duration of your subscription
    • Following cancellation or subscription lapse, your data is retained for 30 days before permanent deletion
    • Anonymised analytics and error data may be retained for longer periods in aggregate form

  7. Data Sharing

    We do not sell your personal data. We share data only with:

    • Paddle: for subscription billing and payment processing
    • Supabase: for database hosting and authentication
    • GitHub: for repository integration where you have connected your account
    • Analytics and error monitoring providers listed in Section 4
    • Law enforcement or regulatory bodies where required by law

  8. Your Rights

    Under UK GDPR you have the right to:

    • Access: request a copy of the personal data we hold about you
    • Rectification: request correction of inaccurate data
    • Erasure: request deletion of your data, subject to legal obligation
    • Portability: receive your data in a machine-readable format
    • Objection: object to processing based on legitimate interests
    • Restriction: request that we limit how we use your data

    To exercise any of these rights, contact us at support@stoatly.io. We will respond within 30 days.


    You also have a right to lodge a complaint with the ICO at ico.org.uk.


  9. International Transfers

    Our application infrastructure is hosted on servers located in Germany, which is within the European Economic Area (EEA). The UK recognises the EEA as providing adequate data protection, so no additional safeguards are required for this transfer.


    Some of our third party providers may process data outside the UK. Where this occurs we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.


  10. Security

    We implement appropriate technical and organisational measures to protect your data, including encrypted data transmission (HTTPS), authenticated controls, and row-level security at the database level.


  11. Changes to This Policy

    We will notify you by email of any material changes to this policy at least 14 days before they take effect.


  12. Contact

    For any questions regarding these terms, contact us at support@stoatly.io
