Privacy Policy
This Privacy Policy explains how Stobio collects, uses, shares, and protects personal data when you visit our website, register for an account, or use the Stobio Platform (the "Service"). It is designed to align with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and other applicable data protection laws.
Turkish users may also refer to our KVKK Aydınlatma Metni for KVKK-specific disclosures and rights under Turkish law.
1. Data Controller
The data controller responsible for personal data processed in connection with the Service is the founder of Stobio, Selman Kılınç, operating as a sole trader, based in Türkiye. References to "we", "us", or "Stobio" in this Policy mean the same data controller.
Contact for privacy questions and data subject requests: support@stobio.com
2. Categories of Personal Data We Process
We process the following categories of personal data:
- Account data. Email address, hashed password, account identifier, and (optionally) name.
- Tenant configuration data. Store domain(s), GA4 / Meta destination credentials (encrypted at rest), and routing configuration submitted by the customer.
- Event data. Server-side events forwarded through the Service on behalf of the customer. Where required, identifiers (e.g. email, phone number) are hashed prior to forwarding to third-party destinations. The customer remains the controller of this data.
- Payment-related data. Subscription state and transaction confirmation metadata received from Paddle (our Merchant of Record). Stobio does not collect or store full payment instrument details (card numbers, IBANs, etc.); those are handled directly by Paddle.
- Technical and security data. IP address, session tokens, access timestamps, error logs, and audit events used to operate and secure the Service.
- Support correspondence. Information you provide when contacting us for support, including the content of your messages.
3. Purposes and Lawful Basis of Processing
We process personal data under the following lawful bases set out in Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)). Creating and operating your account, providing the Service, billing through Paddle, and responding to support requests.
- Compliance with a legal obligation (Art. 6(1)(c)). Retaining records required by accounting, tax, or other applicable law and responding to lawful requests from competent authorities.
- Legitimate interests (Art. 6(1)(f)). Securing the Service, preventing abuse, monitoring performance, error reporting, and improving the product, where our interests are not overridden by your fundamental rights.
- Consent (Art. 6(1)(a)). Where required, for example for optional marketing communications. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
4. How We Collect Personal Data
- Directly from you when you register, configure the Platform, or contact support.
- Automatically through the operation of the Service (log files, security telemetry).
- From Paddle, when you complete a transaction (subscription state and limited billing metadata only).
- From the customer's storefront, when the customer instructs Stobio to forward events on their behalf.
5. Sharing and Sub-Processors
We share personal data only with carefully selected service providers that act as processors or sub-processors on our behalf, and only as necessary to provide the Service. Each provider operates under its published data processing terms (DPA).
Current sub-processors:
| Provider | Purpose | Region |
|---|---|---|
| Neon | PostgreSQL database hosting (account, tenant, event, and audit data) | EU — Frankfurt |
| Bunny.net | CDN for static assets and container hosting for the API | EU (with global CDN edge) |
| Mailjet | Transactional email delivery (verification, password reset, notifications) | EU |
| Paddle | Payment processing and Merchant of Record (tax, VAT, invoicing) | US / UK |
| GitHub (GHCR) | Container image hosting for the API (no personal data in images) | EU / US |
| Sentry | Application error tracking and diagnostic telemetry | EU / US |
| BetterStack | Uptime monitoring and incident alerting | EU |
We may also disclose personal data to competent public authorities, professional advisors (e.g. lawyers, accountants), and other recipients where required by law or to establish, exercise, or defend legal claims. We do not sell personal data.
The list of sub-processors may change over time. Material changes will be reflected in this Policy and, where appropriate, notified to customers in advance.
6. International Transfers
Most personal data is processed within the European Union (primarily by our database and email providers). Some sub-processors (notably Paddle, GitHub, and Sentry) are based outside the EEA. Where personal data is transferred outside the EEA or to a country without an adequacy decision, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, additional technical and organizational measures (e.g. encryption in transit and at rest, pseudonymization).
You can request information about the safeguards in place for specific transfers by contacting us at support@stobio.com.
7. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy and to comply with our legal obligations.
- Account data. Retained while your account is active and for up to six (6) months after account closure, unless a longer period is required by law.
- Event data. Retained for as long as your account is active and as necessary to provide the Service, and deleted, securely destroyed, or anonymized upon account closure or upon your request.
- Billing records. Retained for the period required by applicable tax and accounting law (typically up to 10 years).
- Security logs. Retained for a reasonable period necessary to detect and investigate security incidents.
- Support communications. Retained for as long as necessary to resolve your request and manage any related disputes.
When the retention period expires, personal data is deleted, securely destroyed, or anonymized.
8. Your Rights
Subject to the conditions of the GDPR, you have the following rights:
- Right of access (Art. 15).
- Right to rectification (Art. 16).
- Right to erasure ("right to be forgotten") (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object to processing based on legitimate interests or for direct marketing (Art. 21).
- Right to withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22).
- Right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact us at support@stobio.com. We will respond within one (1) month of receiving a valid request, subject to permitted extensions under the GDPR.
9. Cookies
Information about cookies and similar technologies used on our website and Platform is set out in our Cookies Policy.
10. Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, audit logging, backup procedures, and security vetting of providers. No system, however, can be guaranteed to be fully secure.
11. Children
The Service is not intended for children. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The most recent version is always available on this page. Material changes will be communicated through the Platform or by email to the address associated with your account.
13. Contact
For any questions about this Policy or to exercise your data protection rights, please contact: support@stobio.com