Privacy policy
Last updated: 12 July 2026
1. Who we are
Steadel is a product of Parsius Bilişim Dan. Arge Tic. ve San. Ltd. Şti., a limited liability company incorporated in Türkiye, registered at İvedik OSB Mah. 1371 Sk. No: 4, Yenimahalle, Ankara, Türkiye ("we", "us"). We are the data controller for the personal data described in this policy. Contact: privacy@steadel.com.
2. What we collect and why
- Account data — name, email address, password (stored only as an Argon2id hash). Legal basis: performance of contract.
- Organization & store connections — your organization name, connected store domains and the API credentials you authorize (encrypted at rest with AES-256-GCM). Legal basis: performance of contract.
- Catalog & inventory data — product titles, SKUs and stock quantities synced from your store, used to run your automations. Legal basis: performance of contract.
- Alert & audit logs — a history of alerts we sent and of sensitive account actions (store connect/disconnect, plan changes, exports, deletion). Legal basis: legitimate interest in security and troubleshooting.
- Billing data — subscription status and Paddle customer/subscription references. Payment details (card numbers, billing address) are collected and stored by Paddle, our Merchant of Record — never by us. Legal basis: performance of contract and legal obligation.
- Support correspondence — emails you send to our support addresses. Legal basis: legitimate interest.
3. What we deliberately do not collect
- No end-customer personal data from your shop. We request read access to products and inventory only — not to your customers. Shopify GDPR webhooks (data request / redact) are acknowledged automatically; there is nothing for us to return or erase.
- No analytics or tracking. The app sets only the essential session cookie required to sign you in. No third-party trackers, no advertising pixels — which is also why there is no cookie banner.
- No card data. Payments run entirely on Paddle.
4. Where your data lives
All application data is stored on servers operated for us by Hetzner Online GmbH in Germany. Encrypted database backups are kept for 14 days. Transactional email is delivered through Brevo (EU processing); open/click tracking on our emails is anonymized.
5. Sub-processors
- Hetzner Online GmbH (Germany) — hosting and backups
- Brevo SAS (France) — transactional email delivery
- Paddle.com Market Ltd (UK) — payments, tax and invoicing as Merchant of Record
- Cloudflare, Inc. — DNS and inbound email routing for steadel.com
When you connect an integration (Shopify, WooCommerce, Meta), data flows between Steadel and that platform under your instruction; the platform's own terms and privacy policy apply to it.
6. Retention
- Account and organization data — for the life of the account.
- After account deletion — deactivated immediately, permanently erased within 30 days (backups roll off within a further 14 days).
- Alert and audit logs — for the life of the account.
- Invoices and tax records — retained by Paddle for statutory periods.
7. Your rights
Under the GDPR you may access, rectify, export, erase, restrict or object to the processing of your personal data. The two most common requests are self-serve: Settings → Account → Export my data (JSON) and Delete account (immediate deactivation, full erasure within 30 days). For anything else email privacy@steadel.com — we answer within 30 days. You may also lodge a complaint with your local supervisory authority.
8. Security
Third-party credentials are encrypted at rest (AES-256-GCM), passwords are hashed with Argon2id, all traffic uses TLS, authentication endpoints are rate-limited, and sensitive actions are recorded in an audit log.
9. Changes
If we make material changes to this policy we will notify you by email at least 14 days before they take effect.