Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your personal information when you use our services.

Last Updated: March 2026

Secure Data

Your information is encrypted and protected

No Selling

We never sell your personal data

Transparency

Clear policies on data usage

1. Introduction

This Privacy Policy explains how Stortsoo Teading, trading as "Stortsoo" / "Stortsoo Trading" ("we", "us", or "our"), collects, uses, discloses, and protects your information. It applies to:

• Our website: https://stortsoo.com
• Our Android mobile application
• Our iOS mobile application
• Our connected backend services and in‑store (POS) order flows

By accessing or using any of these services, you agree to the practices described in this Privacy Policy.

2. Information We Collect

We only collect information that is relevant for operating an e‑commerce platform, fulfilling your orders, and running support and analytics.

2.1 Account and identity data

• Full name
• Phone number (required to register and log in)
• Email address (optional, used for account recovery and communication)
• Role (customer, admin, salesperson, cashier)
• Account status (active / inactive)
• Password (stored as a one‑way cryptographic hash; we never store your plain password)
• Profile image / avatar (optional image URL)
• Assigned pickup location for some staff roles

2.2 Authentication, security and session data

• One‑time passwords (OTP) sent by SMS to your phone, stored as codes with limited validity, attempt counters, and timestamps
• Session tokens linked to your user ID and expiry time for both web and mobile
• Basic authentication logs (success/failure, timestamps)

2.3 Order, payment and e‑commerce data

• Cart contents and wishlist items
• Orders and purchase history, including:
  – Products ordered (name, quantity, price snapshot, images at time of order)
  – Delivery option (home delivery or pickup)
  – Delivery address: street, city, region, postal code (optional), country
  – Pickup location ID and name
  – Promotions and discount codes used and amounts applied
  – Payment method (Paystack or cash on delivery)
  – Payment status (pending, completed, failed, refunded)
  – Payment reference (Paystack reference or internal reference for cash on delivery)
  – Order notes, POS notes and fulfillment timestamps (shipped, delivered, cancelled)
• Saved addresses you choose to store for faster checkout (label, street, city, region, postal code, country, default flag)

2.4 Communications and support data

• Messages you send through the website contact form (processed by Web3Forms on our behalf)
• Support chat conversations and messages between you and our team (including message content, timestamps, read status, and which staff member is assigned)
• SMS exchanges related to OTP, order updates and payment confirmations (content and delivery status are processed by our SMS provider)

2.5 Device and technical data

• Device and browser information such as device type, operating system, browser type and version
• IP address, approximate location inferred from IP (for security, fraud detection and analytics)
• Expo push notification token and platform (Android or iOS) for our mobile app
• Notification preferences (for example, whether you want order update push notifications)
• Theme preference in the mobile app (light/dark/system), stored locally on your device

2.6 Files and media

• Product images, category images, order documents and optional user avatars that you or our staff upload via the platform. These are stored in a secure object storage service (MinIO/S3‑compatible) and referenced by URL; we do not access your device photos or files unless you explicitly select and upload them.

We do not intentionally collect sensitive personal information (such as national ID numbers) through the customer‑facing flows.

3. How We Use Your Information

We use your information to operate a secure, reliable and compliant commerce experience. In particular we use it to:

• Create and manage your customer account, authentication sessions and saved addresses
• Process carts and orders, manage inventory and fulfill deliveries or pickups
• Initiate and verify payments through Paystack and record payment outcomes
• Send transactional communications such as:
  – OTP codes for login and password reset
  – Order confirmations, status updates and delivery confirmations by SMS, email and/or push notification
• Provide in‑app and web support chat so our team can assist you with orders or questions
• Generate internal sales, performance and inventory analytics dashboards and reports using aggregated order and product data
• Protect the security of the platform, detect and prevent fraud or abuse, and enforce our Terms
• Comply with legal and regulatory requirements (for example, accounting and tax record‑keeping)

Where applicable privacy laws (such as GDPR) apply, our main legal bases for processing are:

• Performance of a contract (providing the services and fulfilling your orders)
• Compliance with legal obligations (for example, retaining financial records)
• Our legitimate interests (for example, fraud prevention, service improvement and internal analytics) balanced against your privacy rights
• Your consent for specific optional uses, such as certain marketing communications or enabling push notifications on your device.

4. Information Sharing and Disclosure

We do not sell your personal information. We only share your data with:

• Payment processors: Paystack receives your name, email, phone (where required), payment amount, reference and necessary metadata, and processes your card, bank or mobile money details directly on their systems.
• SMS provider: Mnotify receives your phone number and the SMS content needed to send OTP codes and order/payment notifications.
• Contact form provider: Web3Forms receives the contact form fields you submit on our website (name, email, phone, subject, message) and forwards them to us securely.
• Hosting and infrastructure providers: We use managed infrastructure (including Convex backend services and MinIO/S3‑compatible storage) to host databases, APIs, files and backups.
• Mobile notification providers: Apple, Google and Expo’s push notification service receive your Expo push token and message metadata needed to deliver mobile push notifications.

We may also share information:

• With professional advisers (lawyers, auditors) under appropriate confidentiality obligations
• To comply with Ghanaian law or other applicable laws, court orders or lawful government requests
• To protect the rights, property or safety of Stortsoo, our customers or others
• In connection with a business transaction (such as a merger, acquisition or asset sale), in which case we will ensure that any successor is bound by data protection commitments at least as protective as this Policy.

5. Data Security

We take reasonable technical and organisational measures to protect your data, including:

• Transport security: All browser and mobile app traffic to our APIs and Paystack is protected by HTTPS/TLS encryption.
• Password security: Passwords are never stored in plain text and are hashed using industry‑standard one‑way hashing algorithms (bcrypt).
• Access controls: Role‑based access control restricts staff access to customer and order data based on role (admin, salesperson, cashier, customer).
• Storage security: Files and images are stored in a controlled MinIO/S3‑compatible object storage system; database access is restricted to our backend services.
• Session and OTP protection: Session tokens are random values with expiry times, and OTP codes have limited lifetimes, attempt limits and rate‑limiting to reduce abuse.
• Logging and monitoring: We log operational events and payment verification flows to detect fraud and troubleshoot issues.

Despite these measures, no internet service can be guaranteed to be 100% secure. You are responsible for keeping your password, OTP codes and devices secure.

6. Cookies, Local Storage and Tracking Technologies

On the website we use cookies and similar technologies in a limited way to:

• Keep you signed in and maintain your session
• Remember basic preferences
• Protect against fraud and abuse
• Support internal analytics about how the site is used (for example, aggregated order and sales reporting)

Our current implementation does not use third‑party advertising networks or behavioural advertising cookies.

In the mobile app we use:

• Secure local storage (Expo SecureStore) to store your authentication session token and theme preference on your device
• Push notification tokens stored both on your device and on our backend to deliver notification messages

You can control browser cookies via your browser settings, and you can clear app data or uninstall the app at any time to remove locally stored data.

7. Mobile Application Permissions

Our Android and iOS apps request only the minimum permissions necessary to work:

• Notifications: To send you push notifications about order status, payment confirmations and other important transactional updates. You can enable or disable these in your device settings and in the in‑app notification settings screen.
• Network/Internet access: Required to communicate with our backend APIs, fetch products and submit orders and payments.
• Secure storage: Used to store your session token and display preferences securely on your device.

We do not currently request access to:

• Location/GPS
• Contacts
• Photos, camera or microphone
• Bluetooth or nearby devices

If we introduce new permissions in the future, we will update this Privacy Policy and explain the purpose clearly inside the app before requesting them.

8. Payment Processing

We use Paystack as our primary online payment processor. When you make an online payment:

• We send Paystack your name, email (where available), phone number (where required), the amount to be charged and a unique reference.
• Paystack collects and processes your card, bank or mobile money details directly on their systems and returns only the transaction result and reference to us.
• We do not store your full card or mobile money details on our servers.

For cash on delivery orders we record:

• The fact that you selected cash on delivery
• The order amount and a generated internal payment reference
• When payment has been collected and confirmed by staff

Paystack’s separate privacy and security practices apply to their handling of your payment instrument and must be reviewed in addition to this Policy.

9. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law:

• Account and profile data: retained while your account remains active and for a reasonable period afterwards, or as needed to resolve disputes and enforce our agreements.
• Orders and payment records: retained for at least the period required under applicable accounting and tax laws (often up to 7 years) and for fraud‑prevention and audit purposes.
• Saved addresses: retained until you delete them or your account is removed.
• Support chats and contact messages: retained for as long as needed to manage your request and maintain support history, subject to legal limits.
• Device tokens and notification preferences: retained while your device is registered and notifications are enabled, or until you revoke permissions or log out.
• OTP codes: retained only for their short validity window and for limited audit and abuse‑prevention purposes.

When data is no longer needed, we will securely delete it or irreversibly anonymise it where possible.

10. Your Rights and Choices

Depending on your location and applicable law, you may have some or all of the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Ask us to correct inaccurate or incomplete data (for example, by editing your profile).
• Deletion: Request deletion of your personal data where it is no longer needed and we are not required to keep it by law.
• Restriction: Ask us to limit certain processing in specific circumstances.
• Objection: Object to processing based on legitimate interests, including certain forms of profiling, where applicable.
• Data portability: Request that we provide your data in a structured, commonly used format where technically feasible.
• Withdraw consent: Where we rely on your consent (for example, certain marketing), you can withdraw it at any time without affecting prior lawful processing.

In the mobile app:

• You can manage push notification preferences in the "Notifications" and "Privacy & Security" screens and in your device system settings.

To exercise any of these rights or to raise a privacy concern, contact us at stortsoo@gmail.com. We may need to verify your identity before responding.

11. Children's Privacy

Our services are intended for adults and are not targeted at individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 18, we will delete it as soon as reasonably possible. If you believe that a child has provided us with personal data, please contact us immediately at stortsoo@gmail.com.

12. International Data Transfers

Stortsoo is operated from Ghana, and our primary data storage and infrastructure are hosted in data centres selected by our infrastructure providers. This means your information may be transferred to and processed in countries other than the one in which you reside. Those countries may have data protection laws that are different from those in your country. Where we transfer data across borders, we take steps to ensure that an appropriate level of protection is applied, for example through contractual commitments with our service providers and technical safeguards.

13. Third-Party Services

Our services integrate with or link to third‑party services including, but not limited to:

• Paystack – online payment processing
• Mnotify – SMS delivery for OTP and transactional messages
• Web3Forms – processing and delivering website contact form submissions
• Hosting, analytics and infrastructure providers (including Convex and S3‑compatible storage)
• Apple, Google and Expo – push notification delivery for the mobile app

These third parties process your data under their own privacy policies and terms. We encourage you to review those policies to understand how they handle your information.

Our website and apps may also contain links to external websites that are not operated by us. We are not responsible for the content or privacy practices of those sites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements or operational practices. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Where appropriate, notify you via the website, app, email or other prominent communication

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

15. Contact Information

Stortsoo Teading (trading as "Stortsoo" / "Stortsoo Trading") is the entity responsible for your personal data (the "data controller"). If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact us:

Email: stortsoo@gmail.com
Phone: 0557711248, 0540127045, 0242140740
Address: Rev. Richter St, Osu - Accra
Business Hours: Monday - Friday (8:30am - 5:00pm)
