Privacy Policy

Last Updated: November 2, 2025

Operator: Stone Solutions and Design LLC d.b.a STONELUX

23700 Pebble Run Place, Suite 175
Sterling, VA 20166

📧 info@stonelux.com   📞 +1 (571) 353-3311

1. Overview

STONELUX (“we,” “our,” “us”) operates stonelux.com and the STONELUX B2B mobile application for iOS and Android. This Privacy Policy explains what information we collect, how we use it, and the rights available to you under the Virginia Consumer Data Protection Act (VCDPA), California Consumer Privacy Act (CCPA / CPRA), and—where applicable—the EU/UK GDPR. By using our website, mobile app, or related services (“Services”), you agree to this policy.

2. Information We Collect

We collect only information required to operate our Services securely and efficiently.

Examples include:

  • Account Information: name, email, company name, business address
  • Authentication Data: email and password credentials
  • Biometric Authentication Data: Face ID / Touch ID (processed locally on your device; never transmitted or stored by STONELUX)
  • Transaction Data: quotes, orders, invoices
  • Device & Technical Data: device model, OS version, IP address
  • Usage Analytics & Session Recordings: pages viewed, feature interactions, click events, form submissions, and session recordings (video-like replays of browsing activity) collected via Google Analytics and PostHog
  • Crash & Performance Data: crash reports, stack traces, device state at time of crash, app performance metrics collected via Firebase Crashlytics (mobile app only)
  • Push Notification Tokens: device tokens when notifications are enabled
  • Business Info: company details, shipping/billing addresses entered by you

We do NOT collect: photos, videos, camera/media data, precise GPS location, or advertising IDs (IDFA/GAID).

3. How We Use Information

We use personal information to:

  • Provide and manage accounts, quotes, orders, and invoices
  • Authenticate and secure your account
  • Communicate about transactions and order updates
  • Send optional marketing offers (with consent)
  • Analyze app and website performance
  • Monitor app stability, diagnose crashes, and improve mobile app reliability
  • Detect and prevent fraud or unauthorized access
  • Comply with accounting, tax, and legal obligations

We do not sell or share your data with third parties for their own marketing or cross-app tracking.

4. Mobile App Permissions

When you use the mobile app, the following device permissions may be requested:

  • Biometric Authentication (Face ID / Touch ID): Enable quick, secure login using your device's biometric hardware. Biometric data is processed locally on your device and never transmitted to or stored by STONELUX.
  • Network State: Detect connectivity for offline mode
  • Local Storage: Store cart and authentication tokens securely
  • Notifications: Send order or marketing alerts (if you opt in)

You can change permissions anytime in your device settings.

5. Third-Party Services & Processors

We share limited data with trusted processors solely to support our operations:

| Service | Purpose | Data Shared | Data Location |
|---|---|---|---|
| PostHog | Analytics, session recordings, behavior analysis | Usage data, device info, session recordings, click events, form submissions, pageviews | United States |
| Google Analytics | Web traffic analysis | Aggregated usage metrics, pageviews | United States |
| Firebase Analytics & Crashlytics | Mobile app analytics, crash reporting, performance monitoring | Usage & device data, crash reports, stack traces, device state at time of crash | United States |
| Firebase Cloud Messaging / Apple APNs | Push notifications | Device token only | United States |
| SendGrid (Twilio) | Transactional & marketing emails | Name, email address | United States |
| Cloud Hosting (AWS/Linode) | App and website hosting | Business and transaction data | United States |

Each vendor operates under a data-processing agreement consistent with this Policy.

6. Analytics and Usage Data (PostHog)

We use PostHog, a third-party analytics platform, to understand how customers interact with our website and mobile application. PostHog helps us improve user experience, identify technical issues, and optimize our services for trade professionals.

What PostHog Collects

  • Pageview Tracking: URLs visited, time spent on pages, and navigation patterns
  • Click Events: Buttons, links, and interactive elements you engage with
  • Form Interactions: When you submit forms (password fields are automatically masked)
  • Session Recordings: Video-like replays of your browsing sessions showing mouse movements, clicks, scrolling, and page interactions
    • Recording begins after you scroll or after 10 seconds of page activity
    • Password input fields are automatically masked and never recorded
    • Email addresses and other form inputs may be visible in recordings
    • Sensitive transaction pages may be included; we periodically review and purge recordings containing confidential business information
  • Device Information: Browser type, operating system, screen resolution, device type
  • Session Data: Page entry/exit events, session duration, referring URLs

User Identification

  • PostHog creates detailed user profiles only for logged-in, authenticated users
  • Anonymous visitors are tracked with session-level data only
  • If you create an account, your usage data may be linked to your user profile to provide better service

Data Storage and Retention

  • Location: PostHog data is stored on PostHog's cloud infrastructure in the United States
  • Session recordings: Retained for up to 90 days
  • Event data: Retained for up to 12 months
  • Aggregated analytics: May be retained up to 26 months in de-identified form

Your Choices Regarding PostHog

You have the right to opt out of PostHog session recording and analytics:

  • To opt out of session recording while maintaining other analytics features, email info@stonelux.com with "PostHog Session Recording Opt-Out" in the subject line
  • To request deletion of your PostHog profile and associated session recordings, email info@stonelux.com with "PostHog Data Deletion Request" in the subject line
  • Enabling "Do Not Track" in your browser may limit some analytics tracking
  • Note: Disabling analytics may affect personalization features and our ability to troubleshoot technical issues

For more information about PostHog's data practices, visit posthog.com/privacy

7. Data Security

We apply layered protection:

  • HTTPS/TLS encryption for all data transmission
  • Secure storage (iOS Keychain / Android Keystore / encrypted database)
  • Server-side token validation & API authentication
  • Automatic session timeouts
  • Certificate pinning
  • Role-based internal access controls

No system is 100% secure; we continuously monitor and improve safeguards.

6a. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you via email within 72 hours of discovering the breach, along with any affected regulatory authorities as required by law. The notification will include the nature of the breach, the types of data affected, and steps you can take to protect yourself.

7. Retention & Deletion

| Type | Retention Period | Notes |
|---|---|---|
| Account Data | While active + up to 7 years | Legal and tax compliance |
| Orders / Invoices | 7 years | Accounting requirement |
| Marketing Data | Until you unsubscribe | Email link opt-out |
| Analytics Data | Aggregated ≤ 26 months | Non-identifiable |
| Device Cache | Automatically expires ≤ 1 hour | Performance |

7a. How to Delete Your Account

You have the right to request deletion of your account and associated personal data at any time. To delete your account:

  • Email info@stonelux.com with the subject line "Account Deletion Request"
  • Include your registered email address and company name
  • We will confirm your identity and process your request within 30 days
  • Note: Because accounts are tied to ongoing business transactions and legal obligations, we may retain certain records as required by law (e.g., transaction history for tax/accounting purposes)

Upon deletion, you will no longer have access to your account, order history, quotes, or any other data associated with your STONELUX account.

8. Marketing Communications

  • Email: via SendGrid; unsubscribe anytime from the email footer or contact us.
  • SMS / Push: enabled only with consent; reply STOP or disable in settings.

Transactional messages (order status, quotes, invoices) are not optional.

10. Your Rights

Depending on your location, you may request:

  • Access to personal data we hold
  • Correction of inaccuracies
  • Deletion of data where legally permissible
  • A portable copy of your data
  • To opt out of marketing (we do not profile for targeted advertising)
  • Opt-out of session recording: Request to disable PostHog session recording while maintaining other analytics features
  • Request PostHog data deletion: Request deletion of your session recordings and PostHog profile data

10a. Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide our Services
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at info@stonelux.com with "California Privacy Rights Request" in the subject line. We will respond within 45 days of verified requests.

Submit requests to info@stonelux.com. We respond within 45 days of verified requests.

11. Children's Privacy

Our Services are intended for business users and are not directed to children under 13. We do not knowingly collect children's data. If you believe a minor has provided information, contact us to delete it.

12. International Transfers

All data is stored and processed in the United States. If you access our Services from outside the U.S., you consent to this transfer under applicable law.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by posting the updated policy on our website and in-app, updating the “Last Updated” date, and emailing registered users when appropriate.

14. Contact

Stone Solutions and Design LLC d.b.a STONELUX
23700 Pebble Run Place, Suite 175
Sterling, VA 20166
📧 info@stonelux.com   📞 +1 (571) 353-3311

Cookies & Local Storage Policy

Last Updated: November 2, 2025

A. Cookies (Web Only)

We use cookies to:

  • Keep you logged in and manage accounts
  • Remember preferences and forms you submit
  • Analyze traffic via Google Analytics and PostHog
  • Support delivery/performance of transactional emails via SendGrid (may include open/click tracking pixels)

You can disable cookies in your browser settings, though some features may not work properly.

B. Local Storage (App Only)

The mobile app does not use browser cookies. It uses encrypted local storage (Keychain/Keystore) to:

  • Cache product data for faster loading (≤ 1 hour)
  • Store authentication tokens and preferences
  • Support offline cart and quote drafts

Local data is removed on logout or uninstall.

C. Third-Party Cookies (Web Only)

We may use trusted third parties that set cookies on our site to analyze usage or enable social sharing (e.g., Facebook, Instagram, LinkedIn). Each provider's own privacy policy applies. You can block third-party cookies in your browser settings.

Privacy Summary

Apple App Privacy & Google Play Data Safety Alignment

| Data Category | Collected? | Linked to User? | Shared with Third Parties? | Purpose |
|---|---|---|---|---|
| Contact Info (name, email) | ✅ | ✅ | SendGrid | Account + communication |
| Identifiers (device ID/token) | ✅ | No | Firebase/APNs | Security + notifications |
| Usage Data (events, crash logs, session recordings) | ✅ | Yes (logged-in users) | Google Analytics, PostHog | Analytics, UX improvement, session replay |
| Financial / Transaction Data | ✅ | ✅ | No | Orders + billing |
| Photos / Videos / Media | ❌ | — | — | Not collected |
| Precise Location | ❌ | — | — | Not collected |
| Advertising Data | ❌ | — | — | No ads or profiling |
| Children's Data | ❌ | — | — | Not applicable |

Data Shared: Only with service providers (analytics, email, notifications) under contractual privacy terms.

Tracking Across Apps: None. STONELUX does not participate in cross-app advertising or profiling.
