Privacy Policy
We believe privacy is a fundamental right. This policy explains exactly what data we collect, why we collect it, how we protect it, and what rights you have over it.
The StockPro platform is developed and operated by Lerony Co. Ltd, a technology company registered in the Republic of Rwanda. For the purposes of applicable data protection laws, Lerony Co. Ltd acts as the Data Controller for personal information collected through the StockPro platform.
Lerony Co. Ltd
1 KN 78 St, Nyarugenge, Kigali, Rwanda
As a platform serving businesses ("Tenants"), we act as both a Data Controller (for account and platform operations data) and as a Data Processor (for Business Data that your employees and clients input into the platform).
We collect data through different channels and for different purposes. Below is a transparent breakdown of everything we collect:
We use session cookies to maintain your logged-in state and localStorage to remember theme preferences (light/dark mode). We do not use advertising cookies or cross-site tracking technologies.
We use the data we collect strictly to provide, maintain, and improve the StockPro platform. We do not use personal data for advertising, profiling, or sale. Specific uses include:
We process personal data only when we have a lawful basis to do so. Our legal bases include:
We share personal data only in limited, controlled circumstances. We do not sell, rent, or trade personal information. The following are the only categories of third parties who may receive data:
- Email Service Providers
- Hosting Infrastructure
- Legal Authorities
- Business Transfers
We require all third-party service providers to maintain adequate data protection standards consistent with applicable laws and our own policies.
StockPro uses a business_id scoping methodology to ensure that every database query filters data by the authenticated tenant's unique identifier. This means:
- No user within one tenant can ever view, search, or modify records belonging to another tenant
- Our Super Admin console provides read access for support purposes only, protected by multi-factor authentication and audit logging
- Branch-level access control further restricts which users within your organization can see which data
- All API endpoints validate both session authenticity and business_id ownership before returning any data
We retain your data only for as long as necessary to deliver the Service and meet our legal obligations. Our retention schedule is:
| Data Type | Retention Period | After Period |
|---|---|---|
| Account & profile data | Duration of active subscription + 30 days | Anonymized or permanently deleted |
| Business transaction records | Duration of subscription + 5 years (tax compliance) | Archived then permanently deleted |
| Audit logs (user actions) | 12 months | Permanently deleted |
| Security event logs (login, device) | 6 months | Permanently deleted |
| Email delivery records | 90 days | Permanently deleted |
| Backup snapshots | 30 days rolling | Overwritten by newer backups |
| Support communications | 3 years | Permanently deleted |
Certain financial and tax records may be retained for longer periods to comply with Rwanda Revenue Authority requirements (minimum 5 years from the end of the applicable fiscal year).
We use a minimal set of cookies and browser storage technologies, strictly necessary for platform operation:
| Cookie / Storage | Name | Duration | Purpose |
|---|---|---|---|
| Session Cookie | PHP Session (PHPSESSID) | Session only — deleted on browser close | Maintains your authenticated login state across pages. Essential for security. |
| Theme Preference | localStorage: "theme" | Persistent (until cleared) | Stores your light/dark mode preference. No personal data involved. |
| OTP State | Session variable | Session only | Temporarily stores OTP verification state during login. Cleared immediately after use. |
We do not use third-party advertising cookies, social media tracking pixels, or cross-site behavioral tracking of any kind. You can clear cookies at any time via your browser settings, which will log you out of active sessions.
We implement a comprehensive set of technical and organizational security measures to protect your data:
- All passwords are stored using bcrypt (PASSWORD_DEFAULT) — they are never stored in plain text or reversible format.
- All data transmitted between your browser and our servers is encrypted using industry-standard SSL/TLS protocols.
- Login is protected by a time-limited one-time password sent to your registered email, expiring after 10 minutes.
- Security notifications are sent automatically when login is detected from an unrecognized device or IP address.
- Accounts are temporarily locked after a configurable number of consecutive failed login attempts.
- All significant actions (logins, data changes, exports) are recorded with timestamps, IP addresses, and user identifiers.
The StockPro platform is hosted in our primary data center. Email delivery services may route email through international infrastructure. Where data is transferred outside Rwanda, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses requiring equivalent data protection
- Transfers only to service providers in countries with adequate data protection frameworks
- Encryption of data in transit for all international transfers
Your Business Data (inventory, invoices, client records) is stored on servers located within our configured hosting environment and is not transferred internationally except for email delivery purposes where technically necessary.
You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@lerony.com. We will respond within 30 days of your request:
- Request a copy of all personal data we hold about you, in a portable, machine-readable format.
- Request correction of inaccurate or incomplete personal data associated with your account.
- Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Request that we limit how we use your data while a dispute is resolved.
- Receive your Business Data in CSV/JSON format for transfer to another provider.
- Object to processing based on legitimate interests. We will comply unless we have compelling overriding grounds.
Requests related to your Business Data (inventory records, client lists, invoices) are handled through the platform's Settings → Data Export feature, or by contacting our support team. Identity verification may be required before we process sensitive data requests.
The StockPro Platform is intended exclusively for use by businesses and individuals who are at least 18 years of age. We do not knowingly collect personal information from anyone under the age of 18.
If you become aware that a child under 18 has provided us with personal information without parental consent, please contact us immediately at privacy@lerony.com. We will promptly delete such information upon verification.
It is important to understand the distinction between two types of data on the platform:
Data belonging to or generated by your business: products, inventory, invoices, client records, financial reports, branch configurations.
You are the Data Controller for this data. We act only as your Data Processor. You are responsible for ensuring you have a lawful basis to store your clients' personal information within our platform.
Information about you as a platform user: your name, email, phone, login history, device fingerprints, and account configuration.
We are the Data Controller for this data, and this Privacy Policy applies to it in full.
If your clients request access to, correction of, or deletion of their personal data that is stored within your StockPro account, you are responsible for handling those requests as the Data Controller for that data.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make significant changes, we will:
- Notify all active Business Admin accounts via email at least 14 days before the changes take effect
- Update the "Last Updated" date at the top of this page
- Maintain an archive of previous versions available upon written request
Your continued use of the platform after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should close your account before the changes take effect.
For any privacy-related questions, data subject requests, or to report a suspected data breach, contact our Data Protection team:
If you believe we have not responded adequately to your privacy concern, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
This Privacy Policy was last updated on April 4, 2026.