Legal
Privacy Policy
Last updated: 9 May 2026
- If you use Stokk as a Stokk customer (you signed in to plan inventory, manage suppliers, or run a loyalty program), see Privacy when you use Stokk.
- If you received a Stokk-issued loyalty pass from a retailer, see Privacy for loyalty pass holders — the retailer is the controller of your data, not us.
Who we are
DEC ehf. (“Stokk,” “we,” “us”) is an Icelandic limited company, registration number 471119-1720, with its registered office at Kríuási 35, 221 Hafnarfjörður, Iceland. You can reach our privacy contact at privacy@stokkflow.com.
Privacy when you use Stokk
When you sign in to Stokk to forecast demand, plan replenishment, place purchase orders or run a loyalty program, DEC ehf. is the data controller of your account data and of personal data about you in your capacity as a Stokk user.
What we collect
- Account information. Name, work email, company, role, and the credentials you use to sign in.
- Business data you connect. Sales, stock, supplier, purchase order and product data that you import from your ERP or upload directly. This may include limited personal data about your own customers (for example, names and email addresses if you use the loyalty module — but for that data, see the next section).
- Usage and technical data. IP address, browser and device information, pages visited, actions taken inside the app, and diagnostic logs.
- Communications. Messages you send to us by email or through forms on the site.
Why we use it
- To provide, operate and secure the Stokk service.
- To authenticate users, prevent abuse, and meet our legal and contractual obligations.
- To produce forecasts, replenishment suggestions and the Monday Morning Brief on your behalf.
- To respond to support requests and, where you have opted in, to send service updates.
- To improve the product, using only de-identified, aggregated statistics that cannot reasonably be used to identify you, your company, or any individual.
Lawful basis (EEA / UK)
We rely on the contract you (or your employer) have with us to provide the service, on our legitimate interests in keeping the service safe and improving it, on consent for any non-essential cookies or marketing emails, and on legal obligations where they apply.
How long we keep it
We keep account and business data for the lifetime of the account. After you cancel, we delete or return the data without undue delay and in any case within 90 days of a written request, subject to any legal retention obligations.
Privacy for loyalty pass holders
If you signed up for a loyalty program with a retailer that uses Stokk to issue your wallet pass, the retailer is the data controller of your personal data — they decide what to collect and how to use it. DEC ehf. is the data processor: we hold the data on the retailer’s behalf only to issue and update your pass under their instructions and our contract with them.
What is collected through the Stokk enrollment form
- Full name — printed on the pass and used to match you to the retailer’s customer record.
- Kennitala (Icelandic national ID number) — used to look up or create your record in the retailer’s system. We collect kennitala only because the retailer requires it for that purpose, and we use it strictly for that purpose, in line with §10 of the Icelandic Data Protection Act.
- Email address — used to deliver your pass and any pass-related notifications the retailer sends.
- Phone number — optional, used by the retailer if they have set up SMS-based pass delivery or support.
- Pass identifiers — the pass serial and the device push tokens issued by Apple Wallet or Google Wallet. These let the wallet on your phone receive updates (for example, an updated point balance) from us on the retailer’s behalf.
Lawful basis
The retailer (the controller) determines the lawful basis. In practice this is usually the loyalty membership contract you signed up for, or your consent. The retailer can explain.
Your rights
For access, correction, deletion, portability or any other data protection right relating to your loyalty data, please contact the retailer that issued your pass — they are the controller. If you can’t reach them or you have a security question about how we hold the data on their behalf, email us at privacy@stokkflow.com and we will route your request appropriately.
Common to both
How we share data
We do not sell personal data. We share it only with sub-processors that help us run the service, under written agreements that require equivalent protection. Current sub-processors include:
- Hosting and database — Supabase and the underlying cloud infrastructure.
- Application hosting — Vercel.
- AI processing — Anthropic (Claude API). Prompts are scoped per request and are not used to train shared models.
- Wallet pass delivery — Apple (Apple Wallet, including APNs for pass updates) and Google (Google Wallet).
- Transactional email delivery — Resend.
The full, current list lives at /subprocessors. We may disclose personal data when required by law, to enforce our terms, or to protect the rights, property or safety of users, the public or DEC ehf.
Where we store it
We host Stokk in the European Union where available. Some sub-processors (for example, the AI and wallet pass providers listed above) may process limited data outside the EEA. Where we transfer personal data outside the EEA, we rely on Standard Contractual Clauses or another lawful transfer mechanism.
Cookies
We use a small number of strictly necessary cookies for sign-in and security. We do not use advertising cookies, and as of the date above we do not run third-party analytics that set cookies.
Automated decisions and AI
Stokk uses automated processing to produce forecasts and replenishment suggestions, and to draft the Monday Morning Brief. These are decision support — a human always reviews and approves before any purchase order is sent to your ERP. We do not make decisions producing legal or similarly significant effects on individuals on a solely automated basis within the meaning of GDPR Article 22.
Personal data breaches
If we become aware of a personal data breach affecting your data, we will notify the controller (you, or for loyalty data the retailer) without undue delay and, where required by law, within 72 hours of becoming aware.
Children
Stokk is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children.
Changes
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be highlighted on the site or by email.
Complaints
You have the right to lodge a complaint with a supervisory authority. In Iceland, that is Persónuvernd.
Contact
DEC ehf.
Kríuási 35, 221 Hafnarfjörður, Iceland
Privacy: privacy@stokkflow.com
General: support@stokkflow.com
Changelog
- v1 — 2026-05-09: initial publication.