Privacy Policy
Last updated: 2026-05-11
This policy explains what personal data we collect when you use StorePack, how we use it, and the rights you have under the GDPR and equivalent regulations.
1. Controller
StorePack is the controller for personal data about you (the account holder). For data your customers generate on your WooCommerce store (order data, customer records), you are the controller and StorePack is the processor — governed by our Data Processing Agreement.
2. Data we collect
- Account data: email, name, hashed authentication credentials, organization membership, role, billing plan.
- Store credentials: WooCommerce REST API keys and site URLs, encrypted at rest with envelope encryption.
- Ingested commerce data: orders, products, customers, coupons, page audits — only what your stores expose via APIs you authorize.
- Usage data: page views inside the dashboard, feature interactions, error reports. Gated by cookie consent.
- Technical data: IP address, user-agent, timestamps for rate-limiting and abuse prevention.
3. Why we use it
- Provide the Service (legal basis: contract).
- Bill you and prevent fraud (contract / legitimate interest).
- Send transactional email — sign-in codes, deletion confirmations, invoices (contract).
- Improve the product through anonymized analytics (consent).
- Respond to support requests (contract / legitimate interest).
4. Sub-processors
We rely on the following sub-processors, all under EU data-protection contracts:
- Supabase — Postgres, auth, file storage (EU region).
- Vercel — application hosting (EU region).
- Resend — transactional email delivery.
- Paddle — billing & merchant-of-record.
- Sentry — error monitoring (optional, post-consent).
- PostHog — product analytics (optional, post-consent).
- Inngest — background job orchestration.
5. International transfers
Production data is stored in the EU. Where sub-processors transfer data outside the EEA, transfers rely on Standard Contractual Clauses and supplementary measures (encryption in transit and at rest).
6. Retention
We retain account data while your account is active and for up to 30 days after deletion to handle billing reconciliation. Backups are retained for 7 days. Ingested commerce data is retained as long as your stores remain connected and removed within 30 days of disconnection.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. Account deletion: /account/delete. For other requests email privacy@storepack.app; we respond within 30 days.
8. Cookies
We use a single first-party cookie for authentication and a consent-gated set for analytics. See the in-app cookie banner for details and to change your preferences at any time.
9. Security
Detailed practices: Security overview. Report vulnerabilities to security@storepack.app.
10. Complaints
You can lodge a complaint with the Portuguese supervisory authority (CNPD, cnpd.pt) or the data protection authority in your country of residence.
11. Changes
We will email active users 30 days before any material change. The latest version is always at /privacy.
Questions? hello@storepack.app