Privacy Policy
Last Updated: February 15, 2026
At a Glance
- We collect your email and basic usage data
- We use Supabase for authentication and data storage
- PayPal processes payments; we never see your card details
- We don't sell your data to third parties
- You can request data deletion at any time
Data Controller
Stedrok Pty Ltd is the data controller responsible for your personal data.
Contact: contact@stedrok.org
1. Information We Collect
1.1 Information You Provide
Account Registration:
- Email address (required)
- Password (hashed - never stored in plaintext)
Payment Information:
- PayPal transaction ID and subscription status
- We never store your credit card numbers - PayPal handles this securely
1.2 Information We Collect Automatically
- IP address (for security and abuse prevention)
- Browser type, device info, pages visited
- Session cookies (required to keep you logged in)
1.3 Information We Don't Collect
- We do NOT store your PayPal credentials or card numbers
- We do NOT sell your data to third parties
- We do NOT share your email with marketers
- We do NOT collect biometric, location, or health data
2. How We Use Your Information
Lawful Basis for Processing (GDPR)
Where the GDPR or UK GDPR applies, we process your personal data on the following lawful bases: (a) Contract — to provide and manage the Service you have signed up for; (b) Legitimate Interests — to prevent fraud, detect abuse, and improve the Service; (c) Legal Obligation — to comply with applicable laws including tax and accounting obligations.
- Create and maintain your account
- Process subscriptions and payments via PayPal
- Deliver stock screener data
- Send password reset emails and billing updates
- Detect and prevent fraud or abuse
- Improve the service based on usage patterns
Legal Basis for Processing (GDPR / UK GDPR)
For users in the European Economic Area (EEA) or United Kingdom, we process personal data under the following legal bases:
- Performance of contract (Art. 6(1)(b)): Processing your email address and subscription status to provide the Service you have registered for.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud and abuse prevention, and service improvement based on anonymised usage patterns.
- Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by Australian tax and audit regulations (7-year retention).
3. Third-Party Services and International Data Transfers
We share minimal data with:
- PayPal: Payment processing
- Supabase: Database and authentication
- Cloudflare: API hosting and DDoS protection
- GitHub Pages: Static website hosting
International Data Transfers: When you use Stedrok, your data may be stored and processed on servers located in multiple regions, including outside of Australia. This is necessary for us to use the third-party services listed above (Supabase, Cloudflare, GitHub Pages, and PayPal), which operate infrastructure in various countries. By using Stedrok, you acknowledge and consent to these international data transfers.
We do not share data with advertising networks, data brokers, or email marketers.
4. Data Retention
Active accounts: Data retained while your account is active.
Deleted accounts: Personal data removed within 30 days. Transaction records kept for 7 years (tax/audit).
5. Your Rights
- Access: Request a copy of your data - email contact@stedrok.org
- Correction: Update email/password in Account Settings
- Deletion: Account Settings -> Danger Zone -> Delete Account
- Opt-out: Unsubscribe link in all promotional emails
- Portability: Request a copy of your personal data in a structured, machine-readable format by emailing contact@stedrok.org
- Complaint: You have the right to lodge a complaint with a data protection supervisory authority. In Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. In the UK: Information Commissioner’s Office at ico.org.uk. In the EU: your local national supervisory authority.
6. Rights for European and UK Users (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following additional rights:
- Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Restriction: Request restricted processing of your data in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format and transmit it to another controller.
- Right to Object: Object to processing based on legitimate interests.
- Right to Lodge a Complaint: You may complain to your local supervisory authority. In the EU, contact your national Data Protection Authority. In the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise these rights, email contact@stedrok.org with “Privacy Request” in the subject line. We will respond within 30 days.
International Transfers Note: Australia does not currently hold an EU adequacy decision. Data transferred to our processors (Supabase, Cloudflare, GitHub) relies on those providers' standard contractual clauses and other appropriate safeguards.
7. Cookies & Analytics
Essential Cookies: Stedrok uses session cookies to keep you logged in. These are required for the dashboard to function.
Analytics: We do not currently use third-party analytics trackers. If we add privacy-friendly analytics in the future (e.g., Plausible), we will update this section and notify users.
Your Choices: You can disable cookies in your browser settings, but this will prevent you from logging in. To delete existing cookies, clear your browser's site data for stedrok.org.
8. Data Security
All data is encrypted in transit using HTTPS/TLS. Passwords are hashed. Supabase is SOC 2 Type II certified. No system is 100% secure - we are not liable for breaches beyond our control.
9. Children's Privacy
Stedrok is not intended for users under 18. We do not knowingly collect data from children.
10. Changes to This Policy
Material changes will be communicated via email. Continued use constitutes acceptance.
11. Contact Us
Questions about privacy? Email contact@stedrok.org with "Privacy" in the subject line.
We take your privacy seriously. Thank you for trusting us.