Privacy Policy
This Privacy Policy explains how Restock, Inc. ("Restock", "we", "us", "our"), collects, uses, shares, and protects personal information in connection with the Restock platform — a multi-tenant software-as-a-service application for beverage distribution, including route accounting, payments, contract management, distributor and territory management, and a brand marketplace (collectively, the "Service").
Restock is a business-to-business product. Our direct customers are businesses (beverage suppliers and distributors), and the individuals who use the Service are typically their employees and authorized representatives. This policy applies to personal information we process about visitors to our websites, individuals who create accounts, and individuals whose information is contained in data our customers upload — to the extent we act as a controller of that information.
1. Who we are
Restock, Inc. is the entity responsible for the Service. For account and website data described below, Restock is the data controller. For business data that our customers upload and process through the Service, our customers are the controllers and Restock acts as a processor on their behalf (see Section 4). You can reach our privacy team at privacy@restock.supply.
2. Information we collect
2.1 Account and contact data
When you register for or are invited to a workspace, we collect identifiers and contact details such as your name, business email address, phone number, job title, employer/organization, profile photo (if provided), and authentication credentials (password hashes, multi-factor settings). For customer administrators and billing contacts, we also collect billing names and addresses.
2.2 Business data our customers upload
Customers use the Service to manage their distribution operations. This may include data about their stores, accounts, routes, sales representatives, products and catalogs, orders, returns, invoices, contracts, supplier and distributor relationships, territories, and uploaded documents. Where this data contains personal information (for example, the name and contact details of a store buyer, route driver, or supplier contact), Restock processes it on the customer's instructions as a processor.
2.3 Usage and telemetry data
We automatically collect technical information when you use the Service, including IP address, device and browser type, operating system, pages and features accessed, timestamps, referring URLs, and diagnostic logs. We use this to operate, secure, troubleshoot, and improve the Service.
2.4 Cookies and local storage
We use a small set of cookies and browser local storage to keep you signed in, remember your selected workspace, and track onboarding progress. See our Cookie Policy and Section 12.
2.5 Payment metadata
Subscription and payment processing is handled by Stripe, Inc. We receive and store payment metadata such as the last four digits of a card, card brand, expiration month/year, billing postal code, transaction identifiers, and invoice records. Restock does not collect or store full payment card numbers. Stripe processes full card details directly under its own privacy terms.
2.6 Communications
If you contact support, request documents, or correspond with us, we keep records of those communications, including the content of your messages.
3. How and why we use information
We process personal information for the purposes below. Where the EU or UK General Data Protection Regulation ("GDPR") applies, the legal basis for each purpose is identified.
- To provide the Service — create and administer accounts, authenticate users, deliver features, and process transactions. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- To bill and collect fees — manage subscriptions, process payments via Stripe, issue invoices, and prevent payment fraud. Legal basis: contract and legitimate interests (Art. 6(1)(b), (f)).
- To secure and maintain the Service — monitor for abuse, debug, enforce tenant isolation, and protect users. Legal basis: legitimate interests (Art. 6(1)(f)).
- To improve and develop the Service — analyze usage trends and product performance in aggregate. Legal basis: legitimate interests (Art. 6(1)(f)).
- To communicate with you — send service, security, and transactional messages, and, where permitted, product updates. Legal basis: contract, legitimate interests, or consent (Art. 6(1)(b), (f), (a)).
- To comply with law — meet tax, accounting, and other legal obligations, and respond to lawful requests. Legal basis: legal obligation (Art. 6(1)(c)).
- With your consent — for any purpose we describe at the time we ask for consent, such as optional analytics or marketing. Legal basis: consent (Art. 6(1)(a)), which you may withdraw at any time.
4. Controller and processor roles
Restock plays two distinct roles depending on the data in question:
- Restock as controller. For account and contact data, billing data, website visitor data, usage and telemetry, and support communications, Restock determines the purposes and means of processing and is the controller. This policy governs that processing.
- Restock as processor. For business data that a customer uploads or generates through the Service, the customer is the controller and Restock is the processor acting on the customer's documented instructions under our Data Processing Agreement. If you are an individual whose personal information appears in a customer's workspace and you wish to exercise rights over that data, please contact the relevant customer (the controller); we will assist them as required.
5. Sharing and sub-processors
We do not sell personal information. We share personal information only as described here:
- Sub-processors and service providers who help us operate the Service (hosting, database, payments, email delivery, analytics, content delivery). Our current list of sub-processors is maintained in the Trust Center.
- Within your organization — data in your workspace is accessible to other authorized users of that workspace according to the roles and permissions your administrators configure.
- For legal reasons — to comply with law, enforce our agreements, or protect the rights, property, and safety of Restock, our users, or others.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
6. International transfers
Restock is based in the United States, and our sub-processors may process data in the United States and other countries. Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where required. You may request a copy of the relevant transfer mechanism by contacting privacy@restock.supply.
7. Data retention
We retain account and contact data for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Billing and tax records are retained for the periods required by applicable law. Usage logs are retained for a limited period for security and troubleshooting. Business data we process as a processor is retained per our customer's instructions and our Data Processing Agreement ("DPA"); on termination we delete or return it as described there.
8. Security
We maintain technical and organizational measures designed to protect personal information, including encryption in transit and at rest, tenant isolation, access controls, and monitoring. Learn more in our Security Overview. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
9. Your rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have the following rights with respect to personal information for which Restock is the controller, subject to conditions and exceptions in applicable law:
- Access — obtain confirmation of, and a copy of, your personal information.
- Rectification — correct inaccurate or incomplete information.
- Erasure — request deletion of your information in certain circumstances.
- Portability — receive certain information in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Restriction — request that we limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests or to direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
You also have the right to lodge a complaint with your local data protection authority. We would, however, appreciate the chance to address your concerns first.
10. Your rights (California — CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides the following rights with respect to personal information for which Restock is a business:
- Right to know — request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
- Right to delete — request deletion of personal information we collected from you, subject to exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — Restock does not sell personal information and does not share it for cross-context behavioral advertising. There is therefore nothing to opt out of, but you may still exercise this right.
- Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
California "Shine the Light" (Cal. Civ. Code § 1798.83): Because we do not share personal information with third parties for their direct marketing purposes, no "Shine the Light" disclosure is required; you may nonetheless contact us with related requests at privacy@restock.supply.
You may submit a request through an authorized agent; we will require reasonable verification of identity and authority.
11. Children and minors
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from anyone under 16 years of age, consistent with the California Age-Appropriate Design Code Act ("Cal-AGE") principles. If you believe a minor has provided us personal information, please contact us at privacy@restock.supply and we will take appropriate steps to delete it.
12. Cookies and similar technologies
We use strictly necessary and functional cookies and browser local storage, plus limited analytics. We do not use advertising cookies. For details and controls, see our Cookie Policy.
13. How to exercise your rights
To exercise any right described above, email privacy@restock.supply with the nature of your request. We will verify your identity before acting and respond within the timeframes required by applicable law (generally within 30 days under GDPR and 45 days under CCPA/CPRA, with extensions where permitted). If your information sits within a customer's workspace where Restock is a processor, we will route your request to that customer (the controller) and assist them.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.
15. Contact us
Restock, Inc.
Privacy: privacy@restock.supply
Legal: legal@restock.supply
Security: security@restock.supply
EU / UK Representative: [Placeholder — Restock will appoint an Article 27 GDPR / UK representative prior to launch where required. Contact details to be inserted here.]