Privacy Policy
Last updated: 1 April 2026
Quick Summary (TL;DR)
- Data Economy: We collect only the data necessary to provide and improve the Statch service.
- No Selling: We do not sell your data to third parties.
- Control: You have full control over your business records and can delete them at any time.
- Security: We use encrypted storage and industry-standard security measures to protect your info.
- Rights: Under GDPR, you have the right to access, rectify, or erase your data by contacting us.
- Only the full text below has legal force.
1. Who We Are
Statch is a mobile application for small businesses, retailers, and anyone who sells products — online, offline, or both — developed and operated jointly by:
- Vladyslav Petruk, conducting business as a sole trader (jednoosobowa działalność gospodarcza) registered in Poland, NIP: 6343029041, registered address: ul. Ogińskiego 11, 03-318 Warszawa, Poland
- Pavlo Zoria, conducting business as a sole trader (фізична особа — підприємець, ФОП) registered in Ukraine, РНОКПП: 3638804410, registered address: Ukraine
Together referred to as "Statch", "we", "us", "our".
Joint controllership: In accordance with Article 26 GDPR, both parties act as joint controllers for the personal data processed through the App. Vladyslav Petruk's Polish-registered entity serves as the lead controller and primary point of contact for data protection matters within the EU. A joint controller arrangement is in place between the parties, determining their respective responsibilities for compliance with GDPR obligations. The essence of this arrangement is made available to data subjects upon request.
The Statch trademark is registered in Ukraine. The application is available on iOS and Android.
For any privacy-related questions, contact us at: privacy@statch.io
2. Scope
This Privacy Policy explains what personal data we collect when you use the Statch mobile application ("App"), why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Polish and EU law. Users based in Ukraine also retain rights under applicable Ukrainian personal data protection legislation, which we respect and do not seek to exclude.
3. Data We Collect
3.1 Account & Authentication Data
When you register and sign in, we collect:
- Phone number — used for SMS-based authentication via Twilio
- Name and email address — provided by Apple or Google when you sign in with Apple or Google Sign-In; used for account-related notifications where available
Tip: If you sign in with a phone number, we recommend also linking a Google or Apple account in the App settings.
3.2 Company Profile Data
After registration, you are required to create a company profile. This includes:
- Company name
- Currency preference
- Optionally: contact details and a company photo
3.3 Business & Inventory Data
The App is designed to store your business data, including:
- Product nomenclatures, specifications, variants, and photos
- SKUs, prices (retail, wholesale, cost), and pricing settings
- Warehouse names, addresses, phone numbers, email addresses, and comments
- Categories and subcategories
- Product templates and specifications
- Orders, including optional customer names and contact details
- Product history records (stock movements, write-offs, transfers, returns, orders)
This data is entered by you and belongs to your business. We process it solely to provide the App's functionality.
Note on third-party personal data in orders: When you add customer contact details to orders, you act as the data controller for your customers' data and are responsible for having a lawful basis to collect and store it.
3.4 Device Information
Each request to our backend includes limited device metadata: platform (iOS or Android), application version, operating system version, and Firebase Installation ID.
3.5 Notifications
If you grant permission, we may send push notifications. You can manage or revoke notification permissions at any time in your device settings or within the App.
3.6 Account Deletion Reason
When you submit an account deletion request, we ask you to select a reason. This information is retained in anonymised or aggregated form for product improvement purposes.
3.7 Analytics
We use Microsoft Clarity on the Statch website to understand how visitors interact with our pages. All analytics data is processed in an aggregated, pseudonymised form.
4. Why We Process Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing authentication and account management | Phone number, Apple/Google ID, email | Performance of contract (Art. 6(1)(b) GDPR) |
| Delivering core App functionality | Business, inventory, warehouse, order data | Performance of contract (Art. 6(1)(b) GDPR) |
| Sending account notifications | Email address | Performance of contract (Art. 6(1)(b) GDPR) |
| Device compatibility and push notifications | Device info | Legitimate interest (Art. 6(1)(f) GDPR) |
| Crash reporting and stability monitoring | Device state, OS/app version, stack traces | Legitimate interest (Art. 6(1)(f) GDPR) |
| Sending promotional notifications and surveys (where opted in) | Notification preferences | Consent (Art. 6(1)(a) GDPR) |
| Improving the website and App via analytics | Aggregated usage data | Legitimate interest (Art. 6(1)(f) GDPR) |
| Understanding account deletion reasons for product improvement | Anonymised deletion reason | Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations | As required | Legal obligation (Art. 6(1)(c) GDPR) |
5. Third-Party Services
We use the following third-party services to operate the App. Where required by GDPR, we have entered into Data Processing Agreements with these providers.
| Service | Provider | Purpose |
|---|---|---|
| Microsoft Clarity | Microsoft Corporation | Website analytics — page views, clicks, scroll depth, and anonymised session recordings |
| Firebase Crashlytics | Google LLC | Automatic crash reporting |
| Google Sign-In | Google LLC | Authentication |
| Apple Sign-In | Apple Inc. | Authentication |
| Google Cloud Platform | Google LLC | Cloud infrastructure and file storage (product photos, etc.) |
| Twilio | Twilio Inc. | SMS verification codes |
| MongoDB Atlas | MongoDB, Inc. | Cloud database to store account and business data |
| Resend | Resend, Inc. | Transactional email delivery — account-related notifications |
We maintain this list as our register of sub-processors. If we add or change sub-processors, we will update this section accordingly.
6. Data Storage and Transfers
Your data is stored on Google Cloud Platform servers and MongoDB Atlas database clusters. Both Google (GCP) and MongoDB, Inc. may process data in regions outside the European Economic Area (EEA). Where such transfers occur, they are protected by appropriate safeguards (Standard Contractual Clauses) in accordance with GDPR Chapter V.
Other international transfers: Twilio Inc. (SMS verification), Resend, Inc. (email delivery), and Microsoft Corporation (Clarity analytics) are US-based providers. Data transferred to these providers is protected by Standard Contractual Clauses and/or an EU adequacy decision where applicable.
7. Data Retention
We retain your data for as long as your account is active or as necessary to provide the service.
Account deletion: You may request account deletion from within the App. Upon request:
- You will receive a confirmation notification (via email if your account has an associated email address).
- Your account enters a 30-day grace period during which you may cancel the deletion by logging in.
- After 30 days, your account and all associated data are permanently deleted.
Data export: We do not currently offer an automated data export feature. If you need a copy of your data before deletion, please contact us at support@statch.io.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Polish Data Protection Authority (UODO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, in accordance with Article 34 GDPR.
9. Your Rights
As a data subject, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (see Section 7)
- Right to restriction — request that we limit processing of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at privacy@statch.io. We will respond within 30 days. You also have the right to lodge a complaint with the Polish Data Protection Authority (UODO): www.uodo.gov.pl
10. Children
The App is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
11. Changes to Policy
We may update this Privacy Policy from time to time. For material changes (such as changes to data collection practices), we will notify you at least 30 days in advance via the App or by email (if available) and request your affirmative acceptance before the changes take effect.
For non-material changes (such as clarifications), we will update the "Last updated" date at the top. Continued use of the App after such updates are published constitutes your acceptance of the changes.
12. Contact
If you have any questions about this Privacy Policy, please contact us at:
Email: privacy@statch.io
Support: support@statch.io