Sign InSign Up
StockFlow

Privacy Policy

Last updated: 20 May 2026

StockFlow (stockflow.co.za) is operated by Bannatynes Products and Professional Services (Pty) Ltd ("B2PS", "we", "us") on the Appable platform. This policy describes how we collect, use, store, protect and share personal information when you use our website, applications and related services (collectively, the "Service").

We process personal information in line with the Protection of Personal Information Act, 2013 (POPIA) and applicable South African law. By using the Service you acknowledge this policy. Use of the Service is also governed by our Terms of Service.

Who we are

Responsible party (platform operator): B2PS, for personal information we collect to operate StockFlow accounts, billing, support and platform security.

Your business data: Information you or your users enter about customers, suppliers, staff and operations is generally processed on your instructions as part of the Service. You remain responsible for ensuring you have a lawful basis to collect and use that information and for meeting your own POPIA obligations toward your customers and staff, unless we act as operator only on documented instructions.

Privacy enquiries and data subject requests: support@stockflow.co.za.

Information we collect

Account and identity

  • Name, email address, organisation name and role.
  • Authentication and session data managed via our identity provider.
  • Billing contact details, subscription and payment status (card data is handled by our payment partners, not stored by us).

Business data you provide

  • Inventory, costing, sales, pricing, supplier and customer records.
  • Documents and files you upload (e.g. invoices, price lists, reports).
  • Integration configuration and transaction data from connected services you authorise.

Technical and security data

  • Usage logs, audit trails and error diagnostics needed to run and secure the Service.
  • Device and browser metadata, IP address and approximate location derived from network logs.
  • Webhook and API activity records for fraud prevention, troubleshooting and compliance.

Support and communications

  • Messages, tickets and feedback you send to us.

How we use information

We use personal information only for defined, legitimate purposes, including to:

  • Provide, operate, maintain and improve the Service.
  • Authenticate users, enforce role-based access and isolate tenant data.
  • Process subscriptions, trials, invoicing and payment confirmations.
  • Connect and operate third-party integrations you enable.
  • Process documents and automate workflows where you use those features (including assisted interpretation of uploaded business documents).
  • Detect abuse, investigate security incidents and protect the platform.
  • Respond to support requests and communicate service changes.
  • Meet legal, regulatory, tax and audit requirements.

We apply data minimisation: we collect what is needed for these purposes and do not use personal information for unrelated marketing profiling. We do not sell personal information.

Lawful basis and POPIA

We process personal information where:

  • It is necessary to perform our contract with you (providing the Service).
  • We have a legitimate interest that is not overridden by your rights (e.g. security, fraud prevention, product improvement).
  • You have given consent where required (e.g. optional communications).
  • Processing is required by law.

Under POPIA you may request access to, correction or deletion of personal information we hold about you, object to certain processing, or complain to the Information Regulator. We will respond within a reasonable period and in line with POPIA. Contact support@stockflow.co.za. Some requests may require verification of identity. Deletion may be limited where we must retain records for law, billing disputes or security investigations.

Security measures

We implement technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse or alteration. No system is perfectly secure; we continuously work to improve our controls. Measures include:

Isolation and access control

  • Tenant separation: Each customer organisation is allocated dedicated database infrastructure so tenant business data is not commingled in a single shared application database.
  • Authentication: Industry-standard identity verification for users; authenticated routes are protected at the application edge.
  • Authorisation: Role- and permission-based access within each tenant; platform administration is restricted to authorised personnel.
  • Service-to-service trust: Internal APIs require authenticated, scoped credentials; backend services are not exposed for direct public access where private hosting is used.

Encryption and secrets

  • In transit: TLS (HTTPS) for all public-facing connections; database connections use encrypted transport in production.
  • At rest: Sensitive integration credentials, payment gateway secrets and similar configuration are encrypted before storage; encryption keys are held in secure environment configuration, not in application source or client bundles.
  • Payment data: Card numbers and card security codes are captured only on our payment partners' hosted flows. We receive payment tokens, status and references needed to complete billing — not full card details.

Integrations and webhooks

  • Incoming webhooks from payment, identity and commerce partners are verified using cryptographic signatures before processing.
  • OAuth and API connections use scoped access; live and test environments are separated where supported.
  • Payment and provisioning side-effects are designed to be safe on retry to prevent duplicate charges or duplicate business events.
  • Tenant-scoped dispatch ensures integration events are applied only to the intended organisation.

Monitoring, audit and resilience

  • Security-relevant actions (including payment and integration events) are logged for audit and investigation.
  • Rate limiting and abuse controls on signup and external API access.
  • Infrastructure hosted with reputable cloud providers offering encryption at rest for managed databases and encrypted storage volumes.
  • Backups and operational recovery procedures aligned with our hosting provider capabilities.

We do not publish detailed security architecture publicly, to avoid assisting attackers. Enterprise customers may request additional security information under a mutual non-disclosure arrangement where appropriate.

Third-party service providers

We use carefully selected subprocessors to host and operate the Service. They process data only on our instructions and under contractual confidentiality and security obligations. Material providers and categories include:

  • Hosting and infrastructure — cloud hosting and managed database services (including Railway and Vercel) for application and data storage.
  • Identity and authentication — Clerk for user sign-in, session management and organisation membership.
  • Payments — Yoco, PayFast, PayPal and Stripe (where you enable them) for checkout, subscriptions and payment notifications. Card data is handled on the gateway's systems, not stored by us.
  • Email — transactional email delivery (e.g. Resend) for account, billing and service notifications.
  • Accounting and commerce — Xero, Sage and Shopify (where you connect them) to sync invoices, catalogue, payments and related business records.
  • Google services — Google Document AI for automated reading of supplier invoices and business documents; Google Drive for cloud filing and document storage you configure; Google Search Console for platform website analytics where enabled.
  • AI agents — when you use AI-assisted document review, supplier matching or similar features, prompts and document excerpts may be sent to configured AI providers, including platform defaults (OpenAI, Anthropic, xAI) or tenant-supplied keys for supported providers (including OpenAI, Anthropic, Azure OpenAI and Grok). You may also configure a custom API endpoint for adjudication where your plan allows it.

We only invoke AI and Google document services when the relevant feature is enabled for your tenant and, for tenant-supplied AI keys, when you have configured that provider. Document content sent for processing is limited to what is required for the task.

A current list of material subprocessors is available on request via support@stockflow.co.za. We will notify account owners of material changes to subprocessors where practicable.

International transfers

Some providers may process data outside South Africa. Where this occurs, we take steps reasonably required under POPIA, including appropriate contractual safeguards and assessing the protection offered in the destination country.

Retention

We retain personal information while your subscription or account is active and for a period afterward as needed for backups, billing records, dispute resolution, security investigations and legal compliance. Tenant offboarding includes deletion or return of tenant business data according to our documented process and your plan. Aggregated or de-identified analytics may be retained longer where it no longer identifies individuals.

Security incidents and breach notification

We maintain procedures to detect, contain and remediate security incidents. If we become aware of a compromise of personal information that poses a real risk of harm to you or your data subjects, we will notify affected customers without undue delay and, where required, cooperate with regulatory notification under POPIA. Notifications will describe, in general terms, what occurred, what data may be affected and steps we are taking.

Your responsibilities

  • Keep account credentials confidential and use strong access controls for your team.
  • Ensure you have lawful grounds to upload personal information about your customers, employees and contacts.
  • Configure integrations only with parties you trust.
  • Export critical business records where your own compliance or continuity requires it.

Children

The Service is intended for businesses. We do not knowingly collect personal information from children under 18.

Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with an updated date and, where appropriate, notified via the Service or email. Continued use after the effective date constitutes notice of the updated policy.

Contact

Privacy and data requests: support@stockflow.co.za

Terms of Service

Privacy Policy — StockFlow | StockFlow