Privacy Policy — Stockhub B.V.
Effective date: 01 Jan 2024
Last updated: 01 Jan 2024
Stockhub B.V. ("Stockhub", "we", "us", "our") respects your privacy and is committed to protecting personal data we process in the course of operating our warehouse management platform. This Privacy Policy explains how we collect, use, store, protect, share and delete personal data, and the rights you have in relation to that data.
This Policy applies to https://www.stockhub.nl, the Stockhub warehouse management application, and all related services (collectively, the "Services").
1. Who We Are (Data Controller & Contact)
Stockhub B.V.
Euregioweg 235
7534SM Enschede
The Netherlands
Email: support@stockhub.nl
For all questions, data subject requests, or data protection matters, contact us at support@stockhub.nl.
Stockhub acts as a data controller for personal data of our merchant customers (the businesses that contract with us). Stockhub acts as a data processor for personal data of end-consumers that our merchant customers receive through their sales channels (including Amazon, Shopify, Magento, WooCommerce and similar platforms) and that flow through our Services for order-fulfillment purposes.
2. Categories of Personal Data We Process
2.1 Merchant Account Data (controller)
- Business name, contact name, billing address, VAT/KvK number
- Login credentials (email, hashed password, MFA secrets)
- Communication records (support tickets, emails)
- Usage and audit logs
2.2 End-Consumer Data from Amazon (processor)
When our merchant customers authorize Stockhub as their Amazon Selling Partner API ("SP-API") developer, we receive Amazon order data to enable fulfillment. This data may include:
- Buyer name
- Shipping address
- Buyer email (where provided by Amazon)
- Phone number (where provided by Amazon)
- Order ID, order line items, quantities
- Gift messages
We process Amazon Personally Identifiable Information ("Amazon PII") strictly for the purpose of fulfilling the corresponding order in accordance with the Amazon Data Protection Policy.
2.3 End-Consumer Data from Other Webshop Integrations (processor)
For merchant customers using other sales channels (Shopify, Magento, WooCommerce, Bol.com and others), we process equivalent order data: buyer name, shipping address, email, phone number, order details.
2.4 Shipping Carrier Data
To generate shipping labels and track parcels, we transmit the buyer name, shipping address, phone number and email to the carrier the merchant has chosen (including PostNL, DHL, DPD, SendCloud and others). Carriers act as independent controllers for the data they receive.
3. How We Collect Personal Data
- Directly from merchants when they register, configure their account, or contact support.
- Through Amazon SP-API under the authorization granted by the merchant in Amazon Seller Central.
- Through other webshop integrations via API connections the merchant configures.
- Automatically through cookies and server logs when you visit our website (see Section 12).
4. Purposes and Legal Bases (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Providing the Services to merchant customers | Performance of a contract (Art. 6(1)(b)) |
| Processing end-consumer order data for fulfillment | Performance of a contract between the merchant and the end-consumer; processor acting on documented instructions |
| Generating invoices, tax records and accounting | Legal obligation (Art. 6(1)(c)) — Dutch tax law |
| Securing the Services, fraud prevention, audit logging | Legitimate interest (Art. 6(1)(f)) |
| Service communications and support | Performance of a contract (Art. 6(1)(b)) |
| Website analytics (only with consent) | Consent (Art. 6(1)(a)) |
5. How We Use Personal Data
We use personal data only for the following purposes:
- Operating the warehouse management platform and processing orders end-to-end
- Generating shipping labels and arranging carrier collection
- Processing returns and refunds
- Communicating with merchants for support, billing and service notifications
- Meeting legal and tax obligations
- Detecting, investigating and preventing security incidents
We do not use Amazon PII for any purpose other than fulfilling the corresponding Amazon order. We do not use personal data for advertising, profiling, or resale.
6. Data Storage and Security
Personal data is hosted on Microsoft Azure infrastructure in EU data centres (primarily West Europe).
We apply the security controls required by the Amazon Data Protection Policy and aligned with GDPR Article 32:
- Encryption in transit: TLS 1.2 or higher for all data transmission, including API calls and database connections.
- Encryption at rest: AES-256 encryption for databases, backups and blob storage.
- Access control: Role-based access, principle of least privilege, multi-factor authentication for administrative access.
- Network security: Firewalled environments, IP restrictions, no public exposure of databases.
- Credential management: Secrets stored in managed key vaults; credentials rotated regularly and never committed to source code.
- Logging and monitoring: Audit logs of access to personal data; automated alerts for anomalous activity.
- Vulnerability management: Regular patching, dependency scanning and periodic security review of the codebase.
- Personnel: Staff with access to personal data are bound by confidentiality and trained on data protection.
- Backups: Encrypted, access-controlled, retained only as long as needed for disaster recovery.
7. Data Sharing and Sub-Processors
We do not sell, rent or trade personal data. We share personal data only with the following categories of recipients, and only as needed to deliver the Services:
| Recipient | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting, storage, database | EU |
| Shipping carriers | Label generation, delivery | EU / carrier-dependent |
| Email service providers | Transactional emails | EU/US under SCCs |
| Print services | Warehouse label printing | EU/US under SCCs |
| Tax authorities, regulators, law enforcement | Where legally required | NL/EU |
We do not share Amazon PII with any party other than those strictly necessary to fulfill the corresponding order (the merchant, the chosen carrier, and infrastructure sub-processors bound by equivalent obligations).
A current list of sub-processors is available on request via support@stockhub.nl.
8. Data Retention and Deletion
We retain personal data only as long as necessary for the purposes described in this Policy:
- Amazon PII (buyer name, address, email, phone, gift messages): deleted within 30 days of order fulfillment, in line with the Amazon Data Protection Policy. The only exception is data we are legally required to retain for tax and accounting purposes (e.g. invoice records), which is kept for 7 years as required by Dutch tax law (Algemene wet inzake rijksbelastingen, art. 52). Tax-retained data is restricted to the minimum invoice fields and access is limited accordingly.
- End-consumer order data from other webshops: retained for the duration of the merchant's contract and deleted within 30 days of contract termination, subject to the same 7-year tax exception.
- Merchant account data: retained for the duration of the contract and deleted within 90 days of contract termination, subject to legal retention obligations.
- Audit and security logs: retained for up to 12 months for security investigations.
- Backups: purged on a rolling basis; deleted personal data is removed from backups within the standard backup rotation cycle.
Upon expiry of the retention period, personal data is securely deleted or irreversibly anonymized.
9. International Data Transfers
Personal data is processed within the European Union by default. Where a sub-processor is located outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and apply supplementary measures where required, in line with the Schrems II ruling.
10. Your Rights Under the GDPR
If you are an EU/EEA data subject, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your data where applicable.
- Right to restriction of processing — request that we limit processing.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — at any time, where processing is based on consent.
To exercise any of these rights, contact support@stockhub.nl. We will respond within one month.
End-consumers whose personal data we process on behalf of a merchant should generally contact the merchant directly (the controller). We will support the merchant in responding to such requests.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, https://autoriteitpersoonsgegevens.nl) or your local supervisory authority.
11. Data Breach and Incident Response
We maintain an incident response process for the detection, investigation and reporting of personal data breaches:
- Internal escalation: breaches are reported to our security lead immediately on discovery.
- GDPR notification: confirmed breaches likely to result in a risk to data subjects are reported to the Autoriteit Persoonsgegevens within 72 hours of awareness.
- Amazon notification: security incidents affecting Amazon Information are reported to Amazon within 24 hours of discovery, in accordance with the Amazon Data Protection Policy.
- Data subject notification: where a breach is likely to result in a high risk to rights and freedoms, we notify affected individuals without undue delay.
12. Cookies and Website Analytics
The Stockhub website uses strictly necessary cookies to deliver core functionality. Analytics or marketing cookies are only set with your prior consent via our cookie banner. You can withdraw consent at any time through the cookie settings on our website.
13. Children's Data
Our Services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact support@stockhub.nl and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the Services or by email to merchant customers at least 30 days before they take effect. The "Last updated" date at the top of this Policy indicates when it was last revised.
15. Contact
For any questions about this Privacy Policy or our handling of personal data:
Stockhub B.V.
Euregioweg 235
7534SM Enschede
The Netherlands
Email: support@stockhub.nl