Privacy Policy

What personal data we process, on what legal grounds, and how we protect it at StitchOne — a cloud ERP platform for garment production.

GDPR compliance | Encryption and access control | Effective as of: January 15, 2025

Overview

This Privacy Policy describes how StitchOne (“StitchOne”, “we”) collects, uses, stores, and shares personal data in relation to our website and cloud services (SaaS) for managing garment production, including OCR and barcode scanning features.

The text below is for informational purposes and does not constitute legal advice. For specific questions regarding GDPR compliance and local legislation, consult legal counsel.

Data Controller

The Data Controller is StitchOne. If we process personal data on behalf of a customer (e.g., when providing the ERP service), we act as the Processor and the customer is the Controller.

If a Data Protection Officer (DPO) is appointed, we will publish the contact details here.

Data we collect

Identification and contact data

  • First name, last name, job title
  • Email address, phone number
  • Profile data (username, role, permissions)

Operational data from the system

  • Records related to orders, styles, operations, and production
  • Barcode scans and reporting logs
  • Uploaded/captured images for OCR (e.g., cards, stickers)

Technical data and cookies

  • IP address, device/browser type, language and timezone settings
  • Diagnostic logs for errors and performance
  • Cookies: functional, analytics (if enabled)

Financial and contractual data

  • Billing, subscription plan, payment history
  • Contracts, support requests, correspondence

We do not intentionally process special categories of personal data within the meaning of Art. 9 GDPR. Please do not enter sensitive information in free-form fields and images.

Purposes of processing and legal bases

Providing the service and support

Legal basis: Contractual necessity — Art. 6(1)(b) GDPR

We use data to create and manage accounts, configure roles/permissions, provide functionality (incl. OCR and scanning), and deliver technical support.

Billing and regulatory requirements

Legal basis: Legal obligation — Art. 6(1)(c) GDPR

We process the minimum necessary data for invoicing, accounting, and compliance with applicable law.

Security, abuse prevention, and improvements

Legal basis: Legitimate interests — Art. 6(1)(f) GDPR

We maintain logs, monitor system events, and analyze usability and performance to improve the service and ensure security.

Communication and marketing

Legal basis: Consent or legitimate interest (depending on channel)

We send informational or promotional messages only where we have your consent or another applicable legal basis. You can opt out at any time.

Cookies and analytics

We use essential (functional) cookies for login, security, and settings. Analytics cookies/tools may be used to measure usability and improve the service—only where a lawful basis is present (consent, where required).

  • No third‑party advertising cookies for targeted ads.
  • You can manage your preferences via your browser settings.

OCR and barcodes

What we process

  • Images/scans of work cards and stickers
  • Barcode data, codes, and operation/batch identifiers
  • Recognized numeric values from OCR

Control and storage

  • Data is used for automatic and accurate reporting
  • Images are stored for a limited period necessary for verification
  • You can review/edit before final save

When using OCR, we apply a “data minimization” approach—processing only the necessary portion of the image and retaining data no longer than needed for reporting and control purposes.

Data recipients and processors

We share data only where necessary and with appropriate contractual and technical safeguards:

  • Cloud providers for hosting/storage and email delivery (processors).
  • Monitoring, diagnostics, and analytics tools (where lawful basis applies).
  • Consultants/auditors where legally justified and necessary.
  • Competent authorities upon a valid legal request.

International transfers

Where data is transferred outside the EEA, we apply appropriate safeguards such as Standard Contractual Clauses (SCCs), transfer risk assessments, and additional technical and organizational measures.

We strive to process data within the EU/EEA unless the specifics of the service require otherwise.

Retention periods

General principles

  • We retain data no longer than necessary for the purposes.
  • We comply with statutory retention periods for accounting and archiving.
  • Upon contract termination—deletion/return as agreed.

Examples (indicative)

  • Operational logs: 6–12 months
  • OCR images (needed for verification): short default periods
  • Invoice data: per applicable legislation

Specific retention periods may be agreed by contract and/or configured within the service.

Information security

  • Encryption in transit (TLS) and at rest where applicable.

  • Role-based access control (RBAC), audit logs, and the principle of least privilege.

  • Backups and incident recovery plans.

  • Periodic reviews, monitoring, and vulnerability management processes.

Your rights

  • Right of access to your personal data
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interests
  • Right to withdraw consent at any time (where processing is based on consent)

To exercise your rights, contact us at privacy@stitchone.eu. If you believe your rights have been violated, you can lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP): https://www.cpdp.bg/.

Changes to this policy

We may update this policy periodically. We will publish the latest version on this page and, where appropriate, notify you via a suitable channel. Effective date: January 15, 2025.

Privacy contacts

Have questions about personal data? Write to us—we will respond as soon as possible.