Privacy Policy
Last updated: May 27, 2026
Stucly (the “Service”) is operated by Kiwa Intel Inc., an Ontario corporation (“Kiwa Intel,” “we,” “us”). Kiwa Intel is the data controller responsible for personal information processed through the Service. This Privacy Policy explains what we collect, how we use it, and who we share it with. It applies to all visitors and users of the Service. Capitalized terms not defined here have the meaning given in our Terms of Service.
1. Information we collect
We collect only what we need to run the Service. Specifically:
- Account information — email address, password hash, optional display name, and a default postal code used to personalize search results.
- Usage data — the projects you create, the materials and quantities they contain, search queries you run, and your in-app settings (like preferred retailers and units).
- Billing data — subscription state (active, cancelled, past-due), billing-period dates, and the masked card metadata returned by our payment processor. We don’t store full card numbers, expiry dates, or CVV codes.
- Diagnostics — error events, stack traces with file/line metadata, and minimal performance traces. Request and response bodies are scrubbed before they leave the server.
- Device and access logs — IP address, user agent, and referrer for each request, retained for a short period for security and abuse-prevention purposes.
2. How we use information
We use the information above to operate the Service:
- authenticate you and keep your session secure;
- generate AI-assisted estimates and price comparisons in response to your inputs;
- store your projects, materials, and notes so you can come back to them;
- bill you correctly, enforce plan quotas, and respond to refund requests;
- diagnose errors, prevent abuse, and improve reliability;
- send you transactional emails about your account, billing, and material changes to the Service or these policies.
Kiwa Intel does not sell personal information. We do not use Your Content (projects, descriptions, notes) to train third-party generative-AI models.
3. Legal bases for processing
Where Canadian or other privacy law requires a legal basis, we rely on: (i) contract — to provide the Service you signed up for, (ii) legitimate interests — to secure the Service, prevent abuse, and improve reliability, (iii) consent — where you opt in to non-essential communications, and (iv) legal obligation — where we have to retain or disclose information by law.
4. Sub-processors and third parties
Kiwa Intel relies on the following sub-processors to run the Service. Each receives only the data needed for its function, under a contract that restricts what it can do with that data.
- Supabase — authentication and primary database (managed Postgres). Hosts your account, projects, and materials.
- Railway — application hosting for the Stucly web and API services.
- Google (Gemini API) — generates AI estimates, refinements, and review summaries from your project descriptions. Configured for zero data retention on the Gemini API where supported.
- Zyte — assists with fetching publicly available product pages from retailers that block direct access.
- Sentry — error reporting and minimal performance traces. Request and response bodies are scrubbed before being sent.
- Lemon Squeezy — subscription billing and payment processing. Lemon Squeezy is our merchant of record; they handle card data, invoices, and tax collection. Card data never reaches Stucly servers.
5. Retailer data
The Service fetches publicly available product listings from supported retailers (Home Depot, Rona, Canadian Tire, Home Hardware). Those fetches are anonymous and server-to-server — we do not share your identity, email, or account ID with any retailer. Retailers may log the request that comes from our infrastructure, but they don’t know it relates to any specific Stucly user.
6. Cookies and local storage
We use first-party cookies and browser local storage strictly to operate the Service — keeping you signed in, remembering UI preferences (theme, units, default postal code), and supporting the offline app shell. We do not run third-party advertising trackers and we don’t embed analytics that profile you across other sites.
7. Data retention
We keep your account data for as long as your account is active. Once you delete your account, we permanently remove your profile, projects, materials, and feedback within 30 days, except where we must retain limited records for legal, tax, or fraud-prevention reasons. Server access logs and diagnostic events are retained for a short rolling window (typically 30 days) and then deleted.
8. Your rights
Depending on where you live, you have rights over your personal information, including the right to access, correct, export, or delete it. You can:
- export all of your account data at any time from Settings → Your data;
- delete your account permanently from the Danger Zone in Settings;
- contact us at legal@kiwaintel.com to ask questions, correct information you can’t change yourself, or exercise any rights provided by applicable privacy law.
If you live in Quebec, you have additional rights under Law 25, including the right to data portability and the right to object to certain uses of your information. Reach out and we’ll help.
9. International data transfers
Kiwa Intel operates the Service from Canada. Some sub-processors (notably Google, Sentry, and Lemon Squeezy) may process data on infrastructure located in the United States or other countries. Where required, we rely on standard contractual clauses or equivalent safeguards to protect your information when it moves across borders.
10. Children
The Service is not directed to children under 13. We don’t knowingly collect personal information from children under 13. If you believe a child has provided us with information, email legal@kiwaintel.com and we’ll delete it.
11. Security
We protect the Service with industry-standard measures: encryption in transit (HTTPS everywhere), encryption at rest for the primary database, scoped access for sub-processors, hashed passwords, and per-environment secrets management. No system is perfectly secure, and we can’t guarantee absolute protection — but if we ever experience a breach affecting your information, we’ll notify you as required by applicable law.
12. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material, we’ll notify you via the Service or by email at least 14 days before it takes effect.
13. Contact
Questions, requests, or complaints about your privacy? Email Kiwa Intel Inc. at legal@kiwaintel.com. We’ll respond within a reasonable time and, where required, route your request to the appropriate person.