1. Who we are
Ctrl Signal Software Pty Ltd (ACN 696 695 557), trading as Stockpost, is an Australian proprietary limited company with its registered office at Shop 2, 290 Boundary Street, Spring Hill QLD 4000. We are an "APP entity" for the purposes of the Privacy Act 1988 (Cth) (Privacy Act) and this policy is our APP Privacy Policy for the purposes of APP 1.
2. What we collect
Stockpost is designed to collect the minimum information needed to operate the Service.
2.1 Merchant account information
When you install Stockpost, Shopify provides us with:
- your store's Shopify domain;
- the email address associated with your Shopify store;
- your store's display name and country as provided by Shopify;
- a Shopify-issued access token, which we store encrypted.
2.2 Supplier allowlist
You add suppliers in-product by entering the email addresses you want us to accept inbound stock reports from. We store those email addresses so we can authenticate inbound email against your allowlist.
2.3 Supplier stock data
When an allowlisted supplier emails an attached stock report to your inbound address, Stockpost extracts the SKU codes and stock quantities from the attachment and stores that data. We do not retain the original email or its attachments. We do not store email signatures, names, phone numbers, or anything else a sender may have included alongside the stock data.
2.4 Technical session information
- IP address, browser user agent, and session identifiers of users who sign in to the Stockpost admin;
- standard server and application logs, including audit entries for inbound verdicts and metafield writes.
2.5 What we do not collect
- any personal information about your end customers;
- your Shopify orders, inventory counts, discounts, customers, staff, or financial data — our Shopify scopes are products-only;
- "sensitive information" as defined in the Privacy Act (for example, health information or information about a person's race, religion, or political views);
- behavioural analytics, cross-site tracking, or marketing cookies.
3. How we collect it
- Directly from you when you install the app and configure supplier allowlists in-product;
- From Shopify via the OAuth flow at install, and via Shopify APIs as needed to operate the Service;
- Automatically from your browser and device when you use the Service.
4. Why we collect it
We use the information for these primary purposes:
- to authenticate you into the app and manage your Stockpost account;
- to accept inbound stock emails from allowlisted senders, extract SKU and stock data, and write those values to metafields on products in your Shopify store;
- to maintain an ingest log so you can see what was received and how it was processed;
- to send you transactional notices (install confirmation, billing receipts, security alerts);
- to prevent, detect, and respond to abuse, fraud, spam, or security incidents;
- to comply with law, resolve disputes, and enforce our agreements.
We only use personal information for a secondary purpose if (a) you would reasonably expect that use and it is related to the primary purpose, (b) you have consented, or (c) the use is otherwise permitted by the Privacy Act.
5. Who we share it with
We disclose personal information only to:
- Service providers (subprocessors) who host or support the Service on our behalf and who are contractually bound to handle the information only for that purpose — see section 6;
- Shopify, as necessary to operate the app through Shopify's platform APIs;
- Professional advisors (lawyers, accountants, auditors) under duties of confidentiality, where reasonably necessary;
- Law enforcement or regulators, where required by a valid legal process or where we have a good-faith belief disclosure is required by law; and
- An acquirer or successor, in the event of a merger, acquisition, insolvency, or sale of assets — subject to protections consistent with this policy.
We do not sell personal information. We do not disclose personal information for the direct marketing purposes of any third party.
6. Subprocessors
The following entities process personal information on our behalf to deliver the Service:
- Amazon Web Services (AWS) — hosting, data storage, and inbound email processing. Data is held in AWS's Sydney region (Australia).
- Shopify — the platform on which the Stockpost app operates. Shopify is headquartered in Canada with global operations.
- Cloudflare — DNS and content delivery. HTTP request metadata transits Cloudflare's global edge network.
We will update this list before adding or changing subprocessors.
7. Overseas disclosure (APP 8)
Personal information handled by Stockpost is primarily stored and processed in Australia (AWS, Sydney region). The Service also relies on the following overseas recipients:
- Shopify (Canada, with global operations) — for the operation of the Stockpost app on the Shopify platform;
- Cloudflare (global edge network) — HTTP request metadata may transit edge points of presence outside Australia.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles that information consistently with the APPs, including by contractual measures. By using the Service, you consent to these cross-border disclosures where consent is an available ground under the Privacy Act. Nothing in this section limits your rights to complain under the Privacy Act (see section 15).
8. Security (APP 11)
We take reasonable steps to protect personal information from loss, misuse, interference, unauthorised access, modification, and disclosure. Those steps include:
- encryption in transit (TLS) and encryption at rest;
- application-layer encryption of Shopify access tokens;
- access controls limiting which staff and systems can read stored data;
- authentication of inbound email (SPF, DKIM, DMARC) before any processing;
- structured logs with secret redaction, and alarms on anomalous activity;
- mandatory two-factor authentication for staff administrative access;
- a documented responsible disclosure process — report security concerns to security@stockpost.app.
9. How long we keep it
We retain information only for as long as it is needed for the purposes in section 4, then delete or de-identify it.
- Merchant account records and access tokens: until you uninstall the app, then deleted within 48 hours;
- Supplier allowlist entries: until you remove them or until you uninstall the app;
- Ingest log entries (supplier, timestamp, row counts, verdicts): 90 days;
- Current stock snapshots (per product, per supplier): until you uninstall the app;
- Application and audit logs: 30 days;
- Records we are required to retain by law (for example, tax records under the Income Tax Assessment Act): for the statutory retention period.
We do not retain the original supplier email or its attachments.
10. GDPR deletion
Stockpost honours the standard Shopify shop/redact, customers/redact, and customers/data_request webhooks in accordance with Shopify's requirements.
11. Access and correction (APP 12 and APP 13)
You may request access to the personal information we hold about you, or request that we correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Email privacy@stockpost.app. We will respond within a reasonable period (and in any event within 30 days) and will not charge for making a request. We may charge a reasonable fee for giving access if the work involved is significant.
We may refuse access or correction where the Privacy Act or other law permits us to do so. If we refuse, we will give written reasons and explain how you can complain.
12. Direct marketing and electronic messages
We only send commercial electronic messages with your consent (which may be inferred in a business-to-business context based on your use of the Service). Every commercial message will include a functional unsubscribe mechanism, honoured within 5 business days, consistent with the Spam Act 2003 (Cth).
Transactional messages (security alerts, billing receipts, in-product notifications) are not commercial electronic messages within the meaning of the Spam Act.
13. Cookies
The Stockpost marketing site at stockpost.app uses only essential cookies required to deliver the page. The Stockpost app uses session cookies required for authentication. We do not use third-party advertising, cross-site tracking, or behavioural analytics cookies.
14. Children
The Service is a business-to-business tool for Shopify merchants. It is not directed at children under 16 and we do not knowingly collect personal information from children.
15. Complaints
If you believe we have breached the APPs or otherwise mishandled your personal information, please contact us first at privacy@stockpost.app. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
GPO Box 5288, Sydney NSW 2001
Phone: 1300 363 992
Web: oaic.gov.au
Online form: oaic.gov.au/privacy/privacy-complaints
16. Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If an eligible data breach occurs — one that is likely to result in serious harm to any affected individual — we will notify affected individuals and the Australian Information Commissioner as soon as practicable.
17. Changes to this policy
We may update this policy from time to time. We will publish the updated policy at this URL and update the "Last updated" date. For material changes affecting how we use personal information, we will give at least 30 days' notice by email or in-product before the changes take effect.
18. Contact
Privacy questions, access requests, corrections, or complaints:
Privacy Officer
Ctrl Signal Software Pty Ltd
Email: privacy@stockpost.app
Post: Shop 2, 290 Boundary Street, Spring Hill QLD 4000, Australia