Privacy Policy
Last updated: 2026-05-17
Data Controller: Michael Cosby · privacy@stowbook.app
This policy will be updated when a trading name is registered.
1. What Stowbook is
Stowbook is a home inventory application for iOS and Android. This policy covers the Stowbook mobile application, the Stowbook website (stowbook.app), and any associated backend services operated by Michael Cosby.
2. Data we collect and why
2.1 Account data
When you create an account we collect your email address and a password hash. We use this to authenticate you. Legal basis: performance of a contract.
2.2 Inventory data
Everything you add to Stowbook — items, containers, rooms, photos, custom fields, notes — is stored in your account. You put it there; it belongs to you. Legal basis: performance of a contract.
2.3 AI identification data
When you use the AI scanning feature, the photo you take is sent to Google Vertex AI for identification. The photo is then stored in your Stowbook account (in your chosen region) as part of the item you created. The text returned by the AI (item name and description) is stored both in your account and in a usage ledger.
Usage ledger: We maintain a log of AI credit usage for dispute resolution — so you can verify that two charges in quick succession were two distinct scans, not the same scan processed twice. Ledger entries include the timestamp, a thumbnail, and the item name returned. After 90 days, ledger entries are automatically reduced to a timestamp and credit count only; the thumbnail and item name are deleted. You may request early reduction of any ledger entry at any time by contacting privacy@stowbook.app.
Legal basis: performance of a contract (AI identification is a paid feature); legitimate interests (dispute resolution record).
Third-party processor: Google LLC (Vertex AI). Google processes the image to return an identification result. See Google's data processing terms at cloud.google.com/terms/data-processing-addendum.
2.4 Payment data
If you purchase a subscription or AI credits, payment is processed by Stripe, Inc. We do not store your card details. We receive and store a record of the transaction (amount, date, subscription status). Legal basis: performance of a contract; legal obligation (financial records).
Third-party processor: Stripe, Inc. See stripe.com/privacy.
2.5 Server logs
Our servers automatically record standard HTTP access logs: IP address, request path, timestamp, response code, and user agent. These logs are used for security monitoring, debugging, and operational purposes. They are not linked to your account for any other purpose, are retained for 365 days, and are not individually accessible or deletable. Legal basis: legitimate interests (security and operation of the service).
2.6 Infrastructure
Stowbook runs on Amazon Web Services. When you sign up, you choose whether your data is stored in the United States (us-east-1) or the European Union (eu-central-1). Your data does not leave the region you chose. AWS acts as a data processor under a data processing agreement.
3. What we do not do
- We do not sell your data.
- We do not serve ads.
- We do not use third-party analytics or tracking on this website or in the app.
- We do not share your data with any party not listed in this policy.
4. Your rights
If you are in the European Economic Area or United Kingdom, you have the following rights under GDPR / UK GDPR:
- Access: You can request a copy of the data we hold about you.
- Portability: You can export your full inventory at any time, free of charge, from within the app.
- Rectification: You can correct inaccurate data directly in the app, or contact us.
- Erasure: You can delete any item, photo, or your entire account from within the app. Deleting your account deletes all inventory data, photos, and account data. Ledger entries are reduced to timestamp and credit count (stripped of content) rather than deleted, as we retain these for dispute resolution for 90 days. Server logs cannot be individually deleted but are purged on the standard retention schedule.
- Restriction / Objection: You can ask us to restrict processing or object to processing based on legitimate interests. Contact privacy@stowbook.app.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact privacy@stowbook.app. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.
5. Data retention
| Data | Retention |
|---|---|
| Account and inventory data | Until you delete your account |
| Photos | Until you delete them or delete your account |
| AI ledger entries (full) | 90 days from creation, then auto-reduced |
| AI ledger entries (reduced: timestamp + credit count) | Until you delete your account |
| Payment records | 7 years (legal / financial obligation) |
| Server logs | 365 days |
6. Children
Stowbook is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact privacy@stowbook.app and we will delete it.
7. Changes to this policy
We may update this policy. If we make material changes, we will notify you by email or by a notice in the app before the change takes effect. The "last updated" date at the top reflects the most recent revision.
8. Contact
Michael Cosby
privacy@stowbook.app
[DATA CONTROLLER NAME] — to be updated when trading name is registered.