Privacy Policy

Stowley (“Stowley,” “we,” “us,” or “our”) is a software product built by a small team with firsthand experience in white-glove storage and logistics. We created Stowley to make day-to-day management and operations easier for the people actually moving, storing, and tracking high-value items. The Service provides inventory, invoicing, scheduling, and client-portal tooling (the “Service”).

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices available to you. By accessing or using the Service you agree to this Policy. If you do not agree, do not use the Service.

Operators are the businesses and individuals who sign up for a Stowley account to run their operations. Clients are the end-customers of those Operators who interact with Stowley only indirectly — for example, through a portal link, an invoice, or a public share page.

With respect to Client data submitted to the Service by an Operator, the Operator is the controller of that data and Stowley acts as a processor on the Operator’s behalf. Clients with privacy questions about their data should contact the Operator directly; Stowley will refer such requests to the appropriate Operator.

We collect the following categories of information:

• Account information. Name, email address, password hash, organization name, role, and authentication metadata.
• Operator content. Inventory items, photos, client records, invoices, messages, scheduling data, locations, tracking numbers, work orders, audit entries, and any other data you upload or generate inside your workspace.
• Client portal data. Information Clients submit through inbound request forms, pull-request forms, portal messages, and shipping address fields.
• Billing data. Subscription tier, plan history, and limited payment metadata. Card numbers and bank details are processed by Stripe and are never stored on our servers.
• Usage and device data. IP address, browser type, device identifiers, pages viewed, timestamps, referrers, error logs, and similar diagnostic information.
• Cookies and similar technologies. Session cookies, authentication tokens, and local storage used to keep you signed in and remember preferences.

We use information to:

• provide, operate, secure, and improve the Service;
• authenticate users and prevent fraud or abuse;
• process subscriptions, invoices, and payments through our payment processor;
• send transactional email (receipts, invoice notifications, password resets, security alerts, and Service announcements);
• respond to support requests and communicate with Operators;
• monitor performance, debug errors, and conduct internal analytics; and
• comply with legal obligations and enforce our Terms of Service.

We do not sell personal information, and we do not use Operator content or Client content to train third-party advertising or generative-AI models.

We rely on a small number of vendors to deliver the Service. These sub-processors only receive the data needed to perform their function and are bound by their own terms and privacy policies. Current categories include:

• cloud hosting and database infrastructure;
• transactional email delivery;
• payment processing (Stripe), including Stripe Connect for Operators that accept payments through Stowley;
• error monitoring and analytics tooling;
• optional integrations you choose to enable (for example, calendar sync providers).

We may add, replace, or remove sub-processors at any time. Continued use of the Service after such changes constitutes acceptance.

We share information only as follows:

• With your direction. When you send messages, issue invoices, share portal links, or publish a public gallery, the corresponding information is delivered to the recipient you specify.
• With sub-processors as described above.
• For legal reasons. To comply with applicable law, valid legal process, lawful requests from public authorities, or to protect the rights, property, or safety of Stowley, our users, or others.
• In a business transfer. If Stowley is acquired, merged, or its assets are sold, information may be transferred to the successor entity, subject to a privacy policy no less protective than this one.

We retain Operator and Client content for as long as the Operator’s account is active, plus a reasonable period thereafter to allow for billing reconciliation, dispute resolution, and legal compliance. After account deletion, residual copies may remain in encrypted backups for up to ninety (90) days before being purged in the ordinary course. We may retain anonymized or aggregated data indefinitely.

We implement reasonable administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction, including encryption in transit, row-level security policies in our database, scoped service credentials, and access controls.

No method of transmission or storage is perfectly secure. We cannot and do not guarantee absolute security, and you use the Service at your own risk. You are responsible for maintaining the confidentiality of your account credentials, configuring access for your team, and promptly notifying us of any suspected compromise.

Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal information we hold about you, and to object to or restrict certain processing. Operators can exercise most of these rights directly within the Service. To make a formal request, email us at hello@stowley.com. We may verify your identity before responding and may decline requests that are unreasonable, repetitive, or that would compromise the privacy or rights of others.

Clients should direct privacy requests concerning Operator workspaces to the Operator that controls that workspace.

The Service is operated from the United States. By using the Service, you consent to the transfer, storage, and processing of your information in the United States and any other country where we or our sub-processors operate, which may have data-protection laws that differ from those of your country.

The Service is not directed to children under 16 and we do not knowingly collect personal information from them. If you believe we have collected information from a child, contact us and we will delete it.

We may update this Policy from time to time. The “Effective date” above indicates when it was last revised. Material changes will be communicated through the Service or by email. Continued use of the Service after the effective date of an updated Policy constitutes acceptance.

Questions about this Policy? Email hello@stowley.com.