OatStock Privacy Policy
Effective date: June 10, 2026
Last updated: June 10, 2026
Please note: This document is a professional-quality template prepared for the OatStock owner to review (and, where appropriate, have reviewed by a qualified lawyer) before publication. It is not legal advice. Owner-specific values appear in [SQUARE BRACKETS] and must be filled in before this policy is published.
OatStock is a free personal inventory and consumption tracker for customers of Oats Overnight. This policy explains what data OatStock collects, why, how long it is kept, who it is shared with, and the choices and rights you have. OatStock contains no advertising, no analytics SDKs, and no third-party trackers. We do not sell your data, and we do not share it for advertising.
Table of Contents
- Scope and Self-Hosting
- Who We Are (Data Controller)
- Data We Collect
- What We Do Not Collect
- How We Use Your Data and Our Legal Bases
- Sub-Processors and Third Parties
- Data Retention
- Your Rights and How to Exercise Them
- International Data Transfers
- How We Protect Your Data
- Children's Privacy
- California / U.S. State Privacy (CCPA/CPRA)
- Changes to This Policy
- Contact Us
1. Scope and Self-Hosting
This policy applies to the OatStock mobile app (iOS and Android) and to the default backend operated by the owner at api.oatstock.com.
Self-hosting carve-out. OatStock lets you change the Server URL in the app's settings so you can point the app at your own backend or a backend run by another person or organization. When you connect OatStock to any server other than the default api.oatstock.com, the operator of that server, not us, is the data controller for the data you send to it, and this policy does not govern their processing. Please review the privacy practices of whoever runs the server you choose.
OatStock is an independent, unofficial fan project. It is not created by, affiliated with, endorsed by, or sponsored by Oats Overnight or its makers (see Section 6 and the Terms of Service for the full brand disclaimer).
2. Who We Are (Data Controller)
For the default OatStock service at api.oatstock.com, the data controller is the solo developer and owner of OatStock:
- Controller: OatStock
- Privacy contact: privacy@oatstock.com
Because OatStock is operated by a single independent developer, no formal Data Protection Officer (DPO) is appointed or legally required; direct all privacy requests to privacy@oatstock.com. If the controller is established outside the EU/EEA and an Article 27 EU Representative is required: none has been appointed.
3. Data We Collect
OatStock collects only what it needs to run an inventory tracker for your account. The table below is an exhaustive description of what the default backend stores.
3.1 Account
| Data | Notes |
|---|---|
| Email address | Required and unique; used to sign in and to send account-recovery email. |
| Password | Stored only as a bcrypt hash (never in plaintext), and we never see your actual password. |
| Display name | Optional. |
| Created / updated timestamps | When your account was created and last changed. |
| Failed-login counter and temporary lockout timestamp | Used to slow down password-guessing attacks on your account. |
3.2 Sessions
| Data | Notes |
|---|---|
| Refresh tokens | Stored hashed (not in plaintext); they rotate over time. |
| Device / User-Agent string | A short description of the device or app version per session, so you can recognize your sessions. |
| Last-used timestamp | Powers the "active sessions" screen so you can review and revoke sessions. |
3.3 Password-Reset Tokens
Stored hashed, single-use, and short-lived. Used only to verify a password-reset request you initiated.
3.4 Your Inventory and Activity
| Data | Notes |
|---|---|
| Inventory | Per-flavor pouch counts and low-stock thresholds. |
| Consumption history | The flavor, quantity, and timestamp of each "eaten" event you log. |
| Favorites | Which flavors you have favorited. |
| Flavor notes | Your own free-text notes for each flavor. |
3.5 Security Audit Log
For security and abuse-prevention, the backend keeps an append-only audit log of sensitive actions. Each entry may contain:
- the action name (for example, a login or password-reset event);
- whether it succeeded or failed;
- your IP address;
- a timestamp; and
- minimal metadata (for example, the email address submitted on a failed login or a reset request).
We log your IP address in this audit log. Please also read Section 7 (Data Retention): audit-log entries are intentionally retained even after you delete your account, for security and forensic reasons.
3.6 Data Stored On Your Device
Your authentication tokens and app settings are stored in your device's secure store (the iOS Keychain or the Android Keystore), not in ordinary app storage.
4. What We Do Not Collect
To be clear about our minimal footprint, OatStock does not collect or use any of the following:
- No analytics SDKs, advertising SDKs, or third-party trackers.
- No crash-reporting SDK.
- No device fingerprinting.
- No cross-app or cross-website tracking. OatStock does not track you across other companies' apps or websites.
- No precise location, contacts, camera, photos, microphone, calendar, or health data.
- No push-notification device tokens. OatStock's notifications are local only (see Section 5); there is no push server, and we do not collect or transmit any FCM/APNs device token.
5. How We Use Your Data and Our Legal Bases
Under the EU/UK General Data Protection Regulation (GDPR), we must have a lawful basis for each use of your data. The table below maps each purpose to its legal basis under GDPR Article 6.
| Purpose | Data used | GDPR lawful basis |
|---|---|---|
| Create and operate your account; provide the inventory tracker (inventory, consumption history, favorites, notes, sessions, sync) | Account data; inventory/consumption/favorites/notes; session tokens | Performance of a contract (Art. 6(1)(b)): to deliver the service you asked for. |
| Send password-reset / account-recovery email | Recipient email address (via our email sub-processor) | Performance of a contract and our legitimate interest in enabling account recovery (Art. 6(1)(b) / 6(1)(f)). |
| Secure your account: failed-login lockout, rate limiting, hashed session/reset tokens, and the security audit log (including IP address) | Failed-login counters, lockout timestamps, hashed tokens, audit-log entries incl. IP | Legitimate interests (Art. 6(1)(f)): securing accounts, detecting and preventing brute-force attacks and abuse, and forensic investigation of security incidents. |
| Send the optional daily low-stock reminder (a local notification) | Notification permission you grant; your inventory thresholds (on-device) | Consent (Art. 6(1)(a)): you opt in by enabling the reminder, and you can turn it off at any time. |
We do not use your data for advertising, we do not carry out automated decision-making or profiling that produces legal or similarly significant effects, and we do not sell your data.
6. Sub-Processors and Third Parties
The following third parties may process limited data on our behalf or in connection with the service. This list is exhaustive for the default backend.
| Party | Role | Data it receives | Notes / safeguard |
|---|---|---|---|
| Brevo (Sendinblue) | Transactional email provider | The recipient email address, used only to deliver password-reset email | Reached through a swappable mailer (SMTP) interface; self-hosters may substitute their own SMTP provider. Bound by its own data-protection terms. |
| Cloudflare | Tunnel + CDN/proxy in front of the API | Connection metadata and IP address at the network edge | Provides transport security and protects the service; bound by its own data-protection terms. |
| Apple App Store / Google Play | App distribution | App download/install and store-account data they collect under their own policies | Governed by Apple's and Google's own privacy policies. |
| External donation provider (currently GitHub Sponsors; operator-configurable) | Optional external donation link | No data from us. Only if you choose to tap the optional "support the developer" link, your device opens the external donation provider's page in your browser or its app; the app processes no payment and sends the provider no information beyond your decision to open the link. | Donations are voluntary, unlock nothing, and are handled entirely under the provider's own terms. The default link points to GitHub Sponsors; a self-hoster or the operator can point it at a different provider (e.g., Ko-fi or PayPal) without changing what data we collect, which remains none. |
Oats Overnight public website. The backend can optionally read the public Oats Overnight flavor catalog (names, images, and macros) to populate flavor data. This is one-directional and admin-controlled, off by default, and sends Oats Overnight no user data whatsoever.
We do not sell your personal data, we do not share it for advertising or cross-context behavioral advertising, and we do not use data brokers. The sub-processors above act as processors that handle data on our behalf for the limited purposes described; they are not given your data for their own marketing.
7. Data Retention
| Data | Retention |
|---|---|
| Account, inventory, consumption history, favorites, flavor notes, sessions | Kept while your account exists. When you delete your account, these are permanently hard-deleted along with your account (cascading deletion). |
| Refresh tokens | Expire and rotate automatically; removed when you sign out, revoke a session, or delete your account. |
| Password-reset tokens | Single-use and short-lived; invalidated after use or expiry. |
| Security audit log (including IP address) | Intentionally retained for security and forensic purposes, and survives account deletion. See the note below. |
Audit-log exception (important and disclosed honestly). The security audit log is append-only. When you delete your account, OatStock cascades and hard-deletes your account and all of the data above, except the audit log, which is kept for security and forensic reasons. After account deletion, the userId recorded in those audit entries is retained only as a plain identifier string and is no longer linked to a live account. We retain audit-log entries for 12 months, after which they are deleted or further minimized.
8. Your Rights and How to Exercise Them
Depending on where you live, you have some or all of the following rights over your personal data. Where OatStock provides an in-app control, it is listed below; for anything else, contact privacy@oatstock.com.
- Access and Portability. Get a copy of your data: Settings → Account → Export my data produces a JSON file of your own data: your account profile, inventory, consumption history, favorites, and flavor notes.
- Erasure ("right to be forgotten"). Delete your account and data: Settings → Account → Delete account permanently hard-deletes your account and cascades your inventory, consumption history, favorites, notes, sessions, and tokens. As disclosed in Section 7, the security audit log is a lawful exception and is retained for security/forensic purposes.
- Rectification. Correct your data in-app: change email, change password (which revokes your other sessions), and edit your display name.
- Restriction and Objection. You may ask us to restrict processing, or object to processing based on our legitimate interests (such as the security audit log), by contacting privacy@oatstock.com. We will consider and respond to such requests.
- Withdraw consent. Turn off the local low-stock reminder at any time in the app's notification settings to withdraw consent for notifications.
- Lodge a complaint. If you are in the EU/EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority.
We aim to respond to rights requests within one month, as required by GDPR (this period may be extended for complex requests, and we will tell you if so).
9. International Data Transfers
The default OatStock backend runs on the owner's hardware located in the United States, behind a Cloudflare Tunnel. Our sub-processors, Cloudflare and Brevo, may process data in countries other than your own (for example, transfers between the EU/EEA and the United States).
Where personal data is transferred across borders, we rely on the providers' Standard Contractual Clauses (SCCs) and Data Processing Agreements, and/or applicable adequacy decisions to provide an appropriate level of protection. We do not claim certifications we have not obtained.
10. How We Protect Your Data
We use industry-standard safeguards, including:
- Passwords stored as bcrypt hashes, never in plaintext.
- Refresh and password-reset tokens stored hashed, with rotation of refresh tokens.
- Per-account failed-login lockout and per-IP rate limiting to slow down attacks.
- Encryption in transit (HTTPS/TLS) via Cloudflare for traffic between the app and the backend.
- On-device secrets (auth tokens and settings) stored in the iOS Keychain / Android Keystore.
- A security audit log to detect and investigate suspicious activity.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. OatStock does not provide end-to-end encryption. Data is encrypted in transit and sensitive credentials are stored as hashes, but the backend can process your non-credential data to operate the service.
11. Children's Privacy
OatStock is a general-purpose utility and is not directed to children under 16. We do not knowingly collect personal data from children below that age. If we learn that we have collected personal data from a child below the applicable age, we will delete it. If you believe a child has provided us personal data, contact privacy@oatstock.com. This age is kept consistent with the eligibility section of the Terms of Service.
12. California / U.S. State Privacy (CCPA/CPRA)
If you are a California resident (or are covered by a similar U.S. state privacy law), this section applies to you.
- We do not "sell" your personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Because we do not sell or share, no "Do Not Sell or Share My Personal Information" mechanism is required, but we will honor any request you send us.
- Categories collected: identifiers (email, account user ID, IP address in the security audit log), and your user-generated content (inventory counts, consumption history, favorites, and flavor notes). We do not collect financial account numbers, precise geolocation, biometric, or health data.
- Your rights include the right to know/access, delete, and correct your personal information, and the right to non-discrimination for exercising these rights. Use the same in-app Export my data and Delete account tools described in Section 8, or contact privacy@oatstock.com.
13. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and post the new version at the public policy URL (and, where appropriate, surface a notice in the app). For material changes, we will provide reasonable advance notice. Your continued use of OatStock after a change takes effect constitutes acceptance of the updated policy.
14. Contact Us
Questions, requests, or concerns about this policy or your data:
- Email: privacy@oatstock.com
- Controller: OatStock
For terms governing your use of the app, see the OatStock Terms of Service.