Privacy Policy

App: HESHE Stocker · Version: 2.0 · Effective: 29 April 2026

TL;DR: HESHE Stocker is a cloud service. Your data is stored on Supabase servers in the EU region (Frankfurt, Germany) — it never leaves the European Union. We do not use advertising or trackers.

1. Data Controller

HESHE Katarzyna Grodzka, VAT ID: PL7393505797.
Contact: info@heshe.pro
Address: Poland (available on request under Art. 13 GDPR).

2. Data We Collect and Why

2.1 Account Data

At registration we collect:

Email address — account identifier, required for sign-in and team invitations.
Full name — displayed to other users within your company.
Company name — identifies your organisation in the system.
VAT number (optional) — for invoicing purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2.2 Inventory Data

Data you and your team enter: parts, products, orders, stock movements, shopping list. This data is accessible only to users within your company (enforced by Row Level Security in Postgres).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2.3 Subscription Data

Subscription status (trial / active / expired), billing period end date. Purchase receipts and transaction tokens are processed by Apple / Google as merchant of record — we only receive a status confirmation.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2.4 Technical Logs

Supabase collects standard API access logs (IP address, timestamp, endpoint). Logs are retained by Supabase for 7 days and used solely for error diagnostics.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest — system security).

3. Sub-processors

Data is processed with the involvement of the following entities:

Entity	Purpose	Location
Supabase Inc.	Database, authentication, realtime, file storage	EU – Frankfurt (AWS eu-central-1)
Apple Inc.	In-app payments (iOS), receipt validation	USA (Standard Contractual Clauses)
Google LLC	In-app payments (Android), receipt validation	USA (Standard Contractual Clauses)

Data transferred to Apple and Google is limited solely to the information necessary for purchase verification (transaction token). We do not transfer inventory data outside the European Union.

4. Device Permissions (Android / iOS)

Internet — synchronisation with the cloud.
Camera / Photos (optional) — to attach photos to parts. Photos are uploaded to Supabase Storage (EU region) or stored locally.
Microphone (optional) — voice search. Speech recognition is performed by the system speech engine: Apple Speech Recognition (iOS) or Google Speech Recognition (Android). Depending on the device and its settings, short audio segments may be processed on Apple or Google servers solely to convert speech to text. HESHE does not receive or store any recordings — we only see the resulting text.

5. Data Retention

Account and inventory data: for the duration of the contract (active subscription or account) and 30 days after termination, unless you request earlier deletion.
Technical logs: 7 days (Supabase).
Tax / billing records: 5 years (legal obligation).

6. Your Rights (GDPR)

You have the right to:

Access — request a copy of your data (Art. 15 GDPR).
Rectification — correct inaccurate data in the app or by email.
Erasure — delete your account in app settings (Settings → Delete Account) or by writing to info@heshe.pro. Deleting an account permanently removes all your company's data.
Data portability (Art. 20 GDPR) — export your data as JSON via Settings → Export Data.
Objection and restriction — regarding processing based on legitimate interest.
Complaint — to your national data protection authority (in Poland: UODO, ul. Stawki 2, 00-193 Warsaw).

We respond to requests within 30 days. Contact: info@heshe.pro.

7. Security

Data in transit is encrypted with TLS 1.2+. Passwords are stored exclusively by Supabase Auth as a hash (bcrypt). Access to company data is protected by Row Level Security at the database level — users of one company have no technical ability to access data belonging to another company.

8. Children

The app is a professional tool and is not directed at children under the age of 13. We do not knowingly collect data from children.

9. Policy Changes

We will notify you of material changes through an in-app notification or email at least 14 days before they take effect. The current version is always available on this page.

10. Contact

info@heshe.pro