Privacy Policy

Last updated: April 5, 2026

This Privacy Policy describes how System 49 ("we", "us", "our") collects, uses, and protects your information when you use the Supply Cache inventory management platform ("Service").

1. Information We Collect

Account Information

When you create an account, we collect your username, email address, and password. Passwords are stored as one-way cryptographic hashes and cannot be viewed by anyone, including us. We also generate a secure token for email verification during signup. This token is stored temporarily and removed once your email is verified.

Store and Inventory Data

We store the data you enter into the Service, including store names, inventory items, quantities, prices, categories, suppliers, transactions, and damage records. This data is necessary to provide the Service. You can import inventory data from CSV files and export your data as CSV at any time.

Store Invitations

When a store owner invites someone to join their store, we collect the invitee's email address and generate a unique invitation token. The token is stored until the invitation is accepted. Invitation emails are sent via our email provider.

Usage Information

We automatically collect certain information when you use the Service, including:

• IP addresses, recorded in the audit log for security purposes when you sign up, log in, verify your email, accept invitations, and perform administrative actions
• Actions performed within the Service (login, item changes, exports, scans, etc.)
• Timestamps of activity

Store owners can view audit logs showing all user actions within their store, including usernames and timestamps.

Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment credentials. We do store your subscription plan type (monthly, semi-annual, or annual) and subscription expiration date. Please refer to Stripe's Privacy Policy for information about how they handle payment data.

Device Permissions (Optional)

Certain features request optional device permissions:

• Camera: The barcode/QR code scanning feature requests access to your device's camera. Camera data is processed entirely on your device for real-time scanning. No images or video are transmitted to our servers or stored.
• Motion sensors: The Tap Count feature requests access to your device's accelerometer to detect physical taps for inventory counting. Motion data is processed entirely on your device and is never transmitted, logged, or stored.

You can deny these permissions and continue using the Service with other methods.

2. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Send email verification during signup
• Send store invitation emails on behalf of store owners
• Send email notifications you have opted into (low stock alerts, new item alerts)
• Send payment confirmation emails when subscriptions are activated
• Send password reset emails when requested
• Monitor and protect the security of the Service
• Respond to support requests

3. Information Sharing

We do not sell, rent, or share your personal information with third parties except in the following circumstances:

• Stripe for payment processing. Stripe receives your email address and payment details. Refer to Stripe's Privacy Policy.
• Resend for email delivery. Resend receives recipient email addresses and email content necessary to deliver messages. Refer to Resend's Privacy Policy.
• Sentry for error tracking. When application errors occur, Sentry receives error details, stack traces, and request metadata. We do not send personal data (PII) to Sentry. Refer to Sentry's Privacy Policy.
• Cloudflare for DNS and automated database backups. Backup data is stored on Cloudflare R2 and encrypted in transit and at rest. Refer to Cloudflare's Privacy Policy.
• Legal requirements: We may disclose information if required by law, court order, or governmental authority.
• Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

4. Data Security

We implement security measures to protect your data, including:

• HTTPS encryption for all data in transit
• Secure password hashing (PBKDF2 with SHA-256)
• CSRF protection on all forms
• Rate limiting on authentication and sensitive endpoints
• Content Security Policy headers
• HTTP Strict Transport Security (HSTS)
• Session security (HttpOnly cookies, 1-hour timeout)

While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

5. Data Retention

We retain your data for as long as your account is active. You can delete your inventory, your store, or your entire account from within the Service at any time. If you delete your account, your data will be permanently removed from active systems within 30 days. Automated database backups are retained for up to 30 days before being automatically purged.

6. Your Rights

You have the right to:

• Access your data: You can view all your data within the Service and export it as CSV at any time.
• Correct your data: You can edit your inventory data, store settings, and account information at any time.
• Delete your data: You can delete your inventory, store, or entire account from within the Service. You can also contact us at the address below.
• Opt out of emails: You can disable email notifications in your store settings at any time.

7. Cookies and Local Storage

We use essential cookies only:

• Session cookie: Required for authentication and maintaining your login session. Expires after 1 hour of inactivity or when you close your browser.
• CSRF cookie: Required for form security to prevent cross-site request forgery attacks.

We also use browser localStorage to save your dark mode preference. This is not a cookie and contains no personal information.

We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Offline Access

Supply Cache uses a service worker to enable basic offline access to previously loaded pages. Cached data is stored entirely on your device and is not transmitted elsewhere.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or through a notice on the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at [email protected].