Privacy & Cookie Policy | Warehouse Organizer

Last updated:

Plain-language summary. Warehouse Organizer is inventory and warehouse software. This policy explains what personal data we handle, why, how long we keep it, who we share it with, and the choices and rights you have. Some organization-specific legal details below are still being finalized and are marked [TODO].

1. Who we are

This site and service are operated by Warehouse Organizer LLC (“Warehouse Organizer”, “we”, “us”). Our registered address is [TODO: registered business address]. For any privacy question, or to exercise a data right, contact our privacy team at contact@warehouseorganizer.com [TODO: confirm Data Protection Officer / privacy contact and, where applicable, an EU/UK representative under GDPR Art. 27].

2. Our two roles: controller and processor

We handle personal data in two different capacities, and your rights differ accordingly:

3. What personal data we process, and why

3.1 Account & authentication (controller)

To create and secure your account we process your first and last name, email address, phone number, company name, a password (stored only as a BCrypt hash — never in plain text), two-factor authentication state, session identifiers, and expiring security/reset tokens.
Lawful basis: performance of our contract with you (GDPR Art. 6(1)(b)); our legitimate interest in securing the service (Art. 6(1)(f)).

3.2 Subscription billing (controller; Stripe as processor)

For paid plans we process your subscription and tier state and billing-contact details. Card and payment details are collected and stored by Stripe, our payment processor — not on our systems.
Lawful basis: performance of contract (Art. 6(1)(b)); legal obligation to keep financial records (Art. 6(1)(c)).

3.3 Employee HR records (processor, on behalf of the employer)

Where an organization uses the HR features, we store the HR records it enters about its employees — which may include a government identifier (e.g. SSN), pay rate, emergency-contact details, employment status and type, title/department, a company ID, and uploaded documents. This data is encrypted at the application layer with a per-organization AES-256 key (envelope encryption, with the key-encrypting key held in a key-management service in production). The employing organization is the controller of this data.

3.4 Time & attendance (processor)

Where an organization uses the time-clock feature, we process clock-in/out timestamps, the assigned work location, approval/superior references, and — where geofencing is enabled — the device geolocation (latitude, longitude and accuracy) captured at the punch. Geolocation is used only to validate that a punch occurred at an authorized work location. We automatically purge stored geolocation after a retention window [TODO: state window; default 90 days], keeping the attendance timestamps needed for payroll and labor-law purposes. Because this is processed for the employer, the employer is the controller and is responsible for the lawful basis and for informing its employees.

3.5 Ordering, storefront & trade documents (processor)

Where an organization uses ordering features, we process its customers’ names, shipping/billing addresses, contact details, and order and pricing history to produce orders, invoices and purchase orders. The organization is the controller of this data.

3.6 Security audit logging (controller / processor)

To keep the service accountable and secure we log actions taken against sensitive features: the acting user, organization/warehouse, action, timestamp, and a trace identifier. Secrets (passwords, tokens, government IDs) are redacted before the log is stored. Audit records are protected by a keyed integrity signature and expire automatically after a retention window [TODO: confirm window; default 365 days].
Lawful basis: our legitimate interest in security, and legal obligation (Art. 6(1)(f)/(c)).

3.7 Transactional email (controller / processor)

We send operational email — account invites, two-factor codes, password resets and notifications — through an email provider, processing the recipient address and message content.
Lawful basis: performance of contract; legitimate interests.

4. Cookies & website analytics

We use a small number of strictly necessary cookies and similar storage to run the site — for example to keep you signed in, protect against cross-site request forgery, remember your language, and store your cookie choice. These are required for the service to work and do not need consent.

We also use optional analytics (Google Analytics via Google Tag Manager) to understand how the site is used. Analytics only runs after you give consent, and only when analytics is configured at all — it is disabled by default. Until you choose “Accept” on our cookie banner, analytics storage stays denied (we use Google Consent Mode v2 to enforce this). Analytics may process your IP address, device/browser information and usage events.
Lawful basis: your consent (Art. 6(1)(a)).

Changing your choice. You can accept or reject non-essential cookies from the banner when it appears. To change your decision later, clear this site’s stored data in your browser (which removes the saved wa-cookie-consent preference); the banner will appear again on your next visit. You can also block or delete cookies in your browser settings.

5. Who we share data with

We do not sell your personal data. We share it only with service providers (sub-processors) who help us run the product under contract — currently our payment processor (Stripe), email delivery, analytics (Google, only with consent), hosting, and a key-management service. Our current list of sub-processors and their roles is maintained at [TODO: publish sub-processor list URL — see docs/compliance/sub-processors.md]. We may also disclose data where required by law.

6. International transfers

Our providers may process data outside your country. Where personal data is transferred across borders we rely on an appropriate safeguard, such as the EU Standard Contractual Clauses. [TODO: confirm hosting region(s) and the transfer mechanism for any processing outside the EEA/UK.]

7. How long we keep data

We keep account data for the life of the account. When an account is erased, the identity record is anonymized (name, phone and email are tombstoned and the credential cleared) so it can no longer be linked to you. Employee HR and time-clock data is retained per the employing organization’s instructions and is hard-deleted when a user is removed; captured geolocation is purged on the schedule in §3.4. Billing records are kept for the statutory financial-record period [TODO: confirm period]. Audit logs expire on the schedule in §3.6.

8. Your rights

Subject to applicable law, you have the right to access your data and receive a portable copy, to have it corrected or erased, and to restrict or object to certain processing. The product provides tooling that supports these rights:

How to exercise your rights. If your data was entered by an employer or organization (HR, time-clock or order data), contact that organization — they are the controller and we will support their request. For data we control (your account and billing), email contact@warehouseorganizer.com. You also have the right to complain to your data-protection supervisory authority [TODO: name the lead supervisory authority].

9. How we protect data

We apply layered technical and organizational measures: TLS encryption in transit; per-organization application-layer field encryption (AES-256-GCM) for sensitive HR data; BCrypt password hashing; role-based access control with a deny-by-default authorization model; RS256-signed API tokens; two-factor authentication; rate limiting; security response headers (HSTS, Content-Security-Policy); and redacted, integrity-protected, retained audit logging.

10. Children

Warehouse Organizer is a business tool and is not directed to children. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy as the service, our providers, or the law change. We will revise the “Last updated” date above and, for material changes, provide a more prominent notice.

12. Contact us

Questions about this policy or your data? Email contact@warehouseorganizer.com or write to us at [TODO: registered business address].

This page is provided for transparency and is not legal advice.