PRIVACY POLICY

Last Updated: [18/02/2026]

Effective Date: [18/02/2026]

1. Introduction

Welcome to Stow ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, disclosure, and safeguard your information when you visit our website [www.stow.build] and use our marketplace for UI components (the "Service").

Important Note on Jurisdiction: We operate from the United Kingdom. However, as our Service is available to users in the United States and globally, we adhere to the UK General Data Protection Regulation (UK GDPR) and the California Consumer Privacy Act (CCPA) where applicable.

2. Information We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with you ("Personal Data").

2.1 Information You Provide to Us

Account Registration: Name, email address, username, and password.
Profile Information: For Sellers (Creators), this may include professional bio, portfolio links, and developer framework preferences.
Financial Data:
- Buyers: We do not store full credit card numbers. Payment transactions are processed via our third-party processor, Stripe. We collect purchase history and credit balance information.
- Sellers: To process royalty payouts, we collect banking information or Connected Account details via Stripe Connect.
User Content: Comments, reviews of components, and code submissions.

2.2 Information We Collect Automatically

Usage Data: Information on how you use the Service, including components viewed, components downloaded (to calculate royalties), and credit usage.
Technical Data: IP address, browser type, operating system, and device information.
Cookies: We use cookies to maintain your login session and preferences. (Please see our separate Cookie Policy for details).

3. How We Use Your Data (Lawful Basis)

Under the UK GDPR, we must have a lawful basis for processing your data. We rely on the following:

Purpose of Processing	Data Type	Lawful Basis
To register you as a new user	Identity, Contact	Contract: Necessary to create your account.
To process subscriptions & credit packs	Financial, Transaction	Contract: Necessary to fulfill your purchase.
To calculate and pay Seller royalties	Usage, Financial	Contract: Necessary to fulfill your purchase.
To manage risk and fraud	Identity, Technical	Legitimate Interest: Detecting fraudulent credit usage or code theft.
To improve our Service	Usage, Technical	Legitimate Interest: Analyzing which frameworks (React, Vue, etc.) are most popular to optimize inventory.

4. Payment Processing (Stripe)

We use Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection.

You can learn more about Stripe and read its privacy policy here: https://stripe.com/privacy

5. Sharing Your Information

We do not sell your Personal Data to third parties. We typically share data only in the following circumstances:

Service Providers: With third-party vendors (e.g., cloud hosting like AWS/Vercel, email delivery services) who process data on our behalf under strict confidentiality agreements.
Business Transfers: If "Stow" is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred.
Legal Obligations: To comply with a subpoena, court order, or legal process in the UK or US.

6. International Data Transfers

We are based in the United Kingdom.

For UK/EU Users: If we transfer your data to service providers in the USA (e.g., Stripe), we ensure safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or relying on the Data Privacy Framework (DPF) adequacy decision.
For US Users: Your data is processed in the UK and potentially other jurisdictions where our servers reside. By using the Service, you consent to this transfer.

7. Data Retention

We retain your Personal Data only as long as necessary:

Account Data: Retained as long as your account is active.
Transaction Data: Retained for 6 years to comply with UK tax and accounting laws (HMRC requirements).
Inactive Accounts: We may delete accounts that have been inactive for [INSERT PERIOD, e.g., 24 months] after providing notice.

8. Your Rights (UK & GDPR)

If you are located in the UK or EEA, you have the right to:

Access: Request a copy of the Personal Data we hold about you.
Correction: Request correction of inaccurate data.
Erasure ("Right to be Forgotten"): Request deletion of your data (subject to our legal need to keep transaction records).
Portability: Request transfer of your data to another service.
Withdraw Consent: Where we rely on consent (e.g., marketing emails), you can withdraw it at any time.

To exercise these rights, contact us at: [INSERT EMAIL ADDRESS]

9. Notice to US Residents (CCPA/CPRA)

Although we are a UK entity, we voluntarily provide these disclosures for our US users:

Right to Know: You may request details on the specific pieces of personal info we have collected in the past 12 months.
Right to Delete: You may request deletion of your personal info, subject to exceptions (e.g., completing a transaction).
Non-Discrimination: We will not discriminate against you (e.g., by denying services) for exercising your privacy rights.
"Do Not Sell My Info": We do not sell personal data as defined by the CCPA.

10. Children's Privacy

Age Restriction: Our Service is intended for professionals.

Buyers: You must be at least 13 years old to use the site (with guardian consent if under 18).
Sellers/Payouts: You must be at least 18 years old to register as a Creator and receive financial payouts. We verify age before processing any royalty payments. If we learn we have collected Personal Data from a child under 13 without verification of parental consent, we will delete that information.