Privacy & Security Policy

A comprehensive guide to how we protect, encrypt, and respect your business data.

STRICT ZERO-KNOWLEDGE ENCRYPTION

Your privacy is not just a promise; it is guaranteed by mathematics.

We utilize client-side AES-256 encryption. This means your Product Details, Transaction History, Payment Records, and Selling & Purchasing Information are encrypted locally on your device before they ever reach our cloud servers. StockMaster has absolutely ZERO ability to access, decrypt, view, or sell your business data. We do not store your encryption keys. Even if we wanted to, we cannot see what you are selling or who you are buying from. It is totally encrypted.

This Privacy Policy describes how StockMaster ("we", "us", or "our") collects, uses, and discloses your information in connection with your use of our websites, software, and services (collectively, the "Services").

1. Information We Collect

We collect information to provide better services to all our users. The specific data we collect depends on how you interact with us.

A. Information You Provide to Us

  • Account Information: When you register an account, we collect basic contact details such as your name, email address, and phone number. This is used solely for authentication and billing.
  • Payment Information: We use third-party payment processors (like Stripe or Razorpay) to handle payments. We do not store your full credit card numbers or banking details.
  • Support Communications: Content of messages you send to us for customer support inquiries.

B. Encrypted Business Data (The "Black Box")

Your business operations generate data: inventory lists, sales history, customer directories, and supplier invoices. This data is treated as "Encrypted Content". To us, this looks like random alphanumeric strings. We cannot index it, we cannot search it, and we cannot use it for analytics.

C. Usage & Device Information

We automatically collect technical data necessary for system stability and security:

  • Log Data: IP address, browser type, and navigation paths.
  • Device Information: Operating system version, device identifiers, and screen resolution.
  • Cookies: Session tokens used to keep you logged in securely.

2. How We Use Information

We are strictly limited in how we can use your data because—by design—we cannot read most of it.

  • To Provide Services: Authenticating your login and syncing your encrypted blobs across your devices.
  • To Improve Reliability: Monitoring server uptime and logging errors (error logs exclude personal data).
  • To Communicate: Sending you critical security alerts, invoice receipts, or policy updates.

WE DO NOT: Sell your data to advertisers, use your sales history to build market reports, or spy on your profit margins.

3. Security Architecture

Our security model is based on the principle of "Trust No One" (Zero Trust).

Technical Safeguards

  • Encryption in Transit: All data is transmitted over secure TLS 1.3 (Transport Layer Security) tunnels.
  • Encryption at Rest: Servers are encrypted at the disk level. Furthermore, database entries for business data are encrypted at the field level.
  • Hashing: Passwords are salted and hashed using Argon2id so they cannot be reverse-engineered.

Key Management

Your encryption key is derived from your master password using a Key Derivation Function (PBKDF2) on your device. This derived key never leaves your browser RAM.

4. Data Ownership & Rights

You are the sole owner of your data. We act only as a custodian.

  • Right to Access: You can view all your data at any time via the dashboard.
  • Right to Export: You can export your decrypted data to CSV/Excel formats locally.
  • Right to Erasure ("Right to be Forgotten"): If you delete your account, your data is permanently wiped from our production servers immediately and from backups within 30 days. Because we don't hold the keys, this deletion is cryptographic—without the key, the data is irretrievable forever.

5. Data Retention

We retain your data only as long as your account is active. If your subscription expires, we will maintain your encrypted data in "cold storage" for 12 months as a courtesy, after which it will be permanently deleted.

6. Third-Party Sharing

We do not share your personal information with third parties except in the following limited cases:

  • Service Providers: Cloud hosting (e.g., Azure/AWS) and email delivery services (e.g., SendGrid) that process data on our behalf under strict confidentiality agreements.
  • Legal Requirements: If compelled by a valid subpoena or court order. In such cases, we will attempt to notify you before disclosing whatever limited, encrypted data we possess, unless prohibited by law.

7. Changes to this Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you through the application or via email. Continued use of the Service after such changes constitutes your acceptance of the new policy.