Data Processing Agreement

Last updated: April 24, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Stokr ("Processor") and the merchant ("Controller") who installs and uses the Stokr application. It applies where Stokr processes personal data on behalf of the Controller in the course of providing its services, and is entered into pursuant to Article 28 of the General Data Protection Regulation ("GDPR").

1. Definitions

Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679). "Services" means the inventory management, demand forecasting, and purchase order features provided by the Stokr application.

2. Subject Matter and Duration

Stokr processes data on behalf of the Controller solely to provide the Services. Processing continues for the duration of the Controller's active installation of the app and, unless an earlier deletion is requested, for up to 48 hours after uninstall (see Section 8).

3. Nature and Purpose of Processing

Stokr processes the following categories of data for the purposes listed:

  • Product and variant data — titles, SKUs, prices, cost prices, inventory quantities, vendor information — to compute inventory health scores, forecasts, and reorder suggestions.
  • Order line item data — quantities, revenue figures, ordered-at timestamps — to calculate sales velocity, demand forecasts, and lost revenue estimates. Buyer names, emails, addresses, and payment data are never accessed or stored.
  • Inventory levels — per-location stock quantities — to power multi-location analytics and safety stock calculations.
  • Supplier and purchase order data — supplier names, contact details, lead times, and PO records created by the Controller within the app — to manage replenishment workflows.
  • App settings — alert thresholds, notification email addresses, connector credentials — to operate the app as configured by the Controller.
  • Store information — store domain, plan, and installation date — for authentication and billing.

4. Controller Obligations

The Controller warrants that it has a lawful basis to instruct Stokr to process the data described above and that doing so complies with applicable data protection law, including any obligations to inform data subjects.

5. Processor Obligations

Stokr agrees to:

  • Process personal data only on documented instructions from the Controller (including those in the Terms of Service and this DPA), unless required by law.
  • Ensure that persons authorised to process data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to protect data against unauthorised access, loss, or destruction (including TLS in transit, AES-256-GCM encryption of access tokens at rest, and access restricted to the app's service account).
  • Not engage a sub-processor without prior notification to the Controller (see Section 7).
  • Assist the Controller in fulfilling data subject rights requests under Articles 15–22 GDPR.
  • Delete or return all personal data upon termination of the Services (see Section 8).
  • Provide the Controller with all information necessary to demonstrate compliance with this DPA.

6. International Transfers

Data may be stored or processed outside the European Economic Area by the sub-processors listed in Section 7. Where Stokr or its sub-processors transfer personal data to a country without an EU adequacy decision, such transfers are subject to Standard Contractual Clauses (SCCs) as adopted by the European Commission, or an equivalent appropriate safeguard. Merchants who require EU-only data residency should contact us at support@stokr.app to discuss a dedicated EU-region deployment.

7. Sub-processors

Stokr currently uses the following sub-processors. By accepting these Terms, the Controller provides general written authorisation for the use of these sub-processors. Stokr will notify the Controller of any intended change (addition or replacement) with reasonable advance notice:

Sub-processor     Purpose                                         Location
Supabase, Inc.    Database hosting (PostgreSQL)                   EU (Frankfurt, eu-central-1) or US as configured at deployment
Vercel, Inc.      App hosting, serverless functions, and CDN      US / Global edge
Upstash, Inc.     In-memory caching and background job queue      US
Resend, Inc.      Transactional email delivery                    US
Groq, Inc.        AI inference for optional reorder suggestions   US (data not retained post-inference)

8. Data Retention and Deletion

  • While installed — data is retained to power the Services.
  • After uninstall — data is retained for up to 48 hours to support re-installation without data loss.
  • Upon Shopify shop-redact webhook — all data is permanently and irreversibly deleted from all systems within 30 days of the request (in practice within minutes of receiving the webhook).
  • On request — the Controller may request immediate deletion of all data by emailing support@stokr.app. Deletion is confirmed within 5 business days.

9. Security Incidents

Stokr will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach that affects data processed under this DPA, as required by Article 33 GDPR. Notification will be sent to the email address associated with the Shopify store account.

10. Audit Rights

The Controller may request reasonable information to verify Stokr's compliance with this DPA. Where the Controller requires an audit, this will be conducted at the Controller's expense, with reasonable notice, and in a manner that does not disrupt Stokr's operations. Stokr may satisfy audit requests by providing up-to-date third-party certifications or audit reports in lieu of a direct audit.

11. Governing Law

This DPA is governed by the same law as the Terms of Service. For merchants in the EEA, it is supplemented by the applicable EU Standard Contractual Clauses.

12. Contact

Questions about this DPA or data protection matters should be directed to:

Email: support@stokr.app
App: Stokr — Inventory Management