This Privacy Policy explains what information OneAce ("OneAce", "we") collects when you use the OneAce inventory platform ("Service"), how we use it, and the choices you have. It works alongside our Terms of Service.
1. Information We Collect
Account data. When you sign up we collect your name, email address, organization name, and a hashed password. If you accept an invitation we also record the inviting user and role.
Inventory data. All content you create or upload to the Service — items, warehouses, stock counts, purchase orders, files — is stored under your Organization and scoped by Organization id so other tenants cannot access it.
Usage data. We log request metadata (IP address, user agent, timestamp, status code, endpoint) needed to operate the Service, detect abuse, and diagnose errors. Product analytics (PostHog) is only collected when the relevant environment variable is configured by the operator.
Error reports. Unhandled exceptions and performance traces may be sent to Sentry when enabled by the operator, for debugging. Error reports may include the URL path and a sanitised stack trace.
2. How We Use Information
We use information to provide and secure the Service, process transactions, send transactional email (account verification, password reset, invitations, billing receipts), prevent abuse, and improve reliability. We do not sell personal data. We do not use your Inventory Data to train external models.
3. Sharing With Sub-Processors
We rely on a small set of sub-processors to run the Service. Each is bound by data protection agreements and processes only the data necessary for its role:
- Database hosting — Neon / Vercel Postgres (US or EU region, per deployment).
- Application hosting — Vercel.
- Payments — Stripe (for customers on paid plans).
- Transactional email — Resend (when configured).
- Product analytics — PostHog (optional, configured by operator).
- Error monitoring — Sentry (optional, configured by operator).
4. Data Retention and Deletion
Customer Data is retained while your account is active. Closing your account triggers a cascade delete that removes your personal data and your Organization's Inventory Data from our operational database. Backups are rotated on a rolling 30-day window and then purged. You can request an export before closing your account.
5. Your Rights
Depending on your jurisdiction you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise these rights from the account settings page or by contacting hello@oneace.app. We will respond within 30 days.
6. Security
Data is encrypted in transit (TLS 1.2+) and at rest in our managed database. Passwords are stored as salted hashes. Sensitive routes are protected by rate limiting, and per-tenant isolation is enforced at the query layer. We follow a principle-of-least-privilege access model for operator access to production.
7. International Transfers
If you are located outside the region where your organization's data is hosted, transferring data to OneAce involves an international transfer. We rely on appropriate safeguards (standard contractual clauses) for such transfers.
8. Changes to This Policy
We may update this policy over time. Material changes will be communicated by email or in-product notice before they take effect. The "Last updated" date at the top of this page always reflects the current version.
9. Contact
Questions about this Privacy Policy or our data practices can be directed to hello@oneace.app.