Privacy Policy
Last updated: March 25, 2026
StitchQueue
Operated by Stitched By Susan
1. Introduction
Welcome to StitchQueue. We are committed to protecting your privacy and handling your data in an open and transparent manner.
This Privacy Policy explains how Stitched By Susan (“we,” “us,” “our”) collects, uses, stores, and protects information when you use StitchQueue (the “Service”), our workflow management software available at stitchqueue.com and beta.stitchqueue.com.
By using StitchQueue, you agree to the collection and use of information in accordance with this policy.
1.1 Who we are
- Company Name: Stitched By Susan (a Washington State corporation)
- Product Name: StitchQueue (workflow management software for professional longarm quilters)
- Website: stitchqueue.com
- Contact Email: legal@stitchqueue.com
- Mailing Address: 1310 E Cleveland Bay Ln, Spokane, WA 99208, USA
- Data Controller: Stitched By Susan (for GDPR purposes)
2. Information we collect
2.1 Information you provide directly
When you create an account and use StitchQueue, you provide:
Account Information:
- Email address (required for login and communications)
- Password (encrypted and never stored in plain text)
- Subscription status (trial or active)
Business Information (in Settings):
- Business name
- Business address (street, city, state/province, postal code, country)
- Phone number
- Email address
- Tax ID or business registration number (optional)
- Pricing rates and overhead costs
- Batting and thread options
Client Project Data:
- Client names, phone numbers, email addresses, and mailing addresses
- Quilt dimensions, service types, and project details
- Estimate amounts, deposit information, and payment records
- Project status, due dates, and notes
- Invoice details and payment history
Feedback and Support:
- Feedback submissions (category, description, screenshots)
- Support request details
- Browser information and page URLs (automatically captured with feedback)
Important: When submitting feedback, ensure the page URL does not contain sensitive client information. We capture the URL you were viewing to help diagnose issues, but we cannot filter sensitive data from URLs.
2.2 Information collected automatically
Usage Data:
- Pages visited, features used, time spent in the application
- Device information (browser type, operating system, screen resolution)
- IP address and general location (city/region level, not precise GPS)
- Session duration and interaction patterns
Technical Data:
- Cookies and session tokens (for authentication and security)
- Error logs and diagnostic information
- Performance metrics
2.3 Information we do NOT collect
- We do not collect or store payment card information. All subscription payments are processed by our payment provider (Stripe), and we never see or store your full credit card details. We receive only:
  - Last 4 digits of card (for display in your account)
  - Card brand (Visa, Mastercard, etc.)
  - Expiration date
  - Billing ZIP code
- We do not track you across other websites. We do not use third-party tracking pixels or advertising networks.
- We do not sell your data. Ever.
3. How we use your information
3.1 To provide the service
- Create and maintain your account
- Enable you to manage client projects, estimates, and invoices
- Store your business settings and pricing configurations
- Sync data across devices
- Provide customer support
3.2 To communicate with you
- Send transactional emails (estimate/invoice delivery, password resets)
- Respond to support requests and feedback
- Send important service updates and security notices
- Send optional product updates and feature announcements (you can opt out)
3.3 To improve the service
- Analyze usage patterns to identify bugs and improve features
- Monitor performance and uptime
- Conduct internal research and development
3.4 To ensure security and compliance
- Detect and prevent fraud, spam, and abuse
- Enforce our Terms of Service
- Comply with legal obligations (tax reporting, lawful data requests)
3.5 Legal basis for processing (GDPR)
If you are in the European Union, European Economic Area, or United Kingdom, we process your data under the following legal bases:
- Contract Performance: Processing necessary to provide the Service you signed up for (Article 6(1)(b) GDPR)
- Legitimate Interests: Improving our Service, security monitoring, and analytics (Article 6(1)(f) GDPR)
- Consent: Marketing communications (you can withdraw consent anytime)
- Legal Obligation: Compliance with tax, accounting, and data protection laws (Article 6(1)(c) GDPR)
4. How we share your information
4.1 We do not sell your data
We do not sell, rent, or trade your personal information to third parties. Period.
4.2 Service providers
We share data with trusted third-party service providers who help us operate StitchQueue:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | Account data, project data, business settings | United States |
| Vercel | Application hosting, performance monitoring | Usage data, IP addresses, session logs | United States |
| Stripe | Subscription payment processing | Email address, name, billing address, last 4 card digits | United States |
| Resend | Transactional email delivery | Email address, recipient data for estimates/invoices | United States |
| ConvertKit | Marketing email list (opt-in only) | Email address, name (if provided) | United States |
All service providers are bound by data processing agreements and required to protect your data in accordance with applicable laws.
4.3 Legal requirements
We may disclose your information if required by law, such as:
- In response to a valid subpoena, court order, or legal process
- To protect our rights, property, or safety, or that of our users
- To investigate fraud, security breaches, or Terms of Service violations
4.4 Business transfers
If Stitched By Susan is acquired, merged, or sells assets, your data may be transferred to the acquiring entity. You will be notified via email and/or a prominent notice on our website before any such transfer.
4.5 With your consent
We may share your data in other circumstances with your explicit consent (e.g., if you choose to integrate with third-party services in the future).
4.6 Anonymized aggregate data
We reserve the right to use anonymized, aggregated data for industry reports, research, and product improvement purposes. This data cannot be used to identify any individual user or their clients.
Examples of anonymized data usage:
- “The average quilt size in 2026 was X square inches”
- “Quilters using StitchQueue completed an average of Y projects per month”
- Industry trends and benchmarking reports
No personally identifiable information is included in such reports, and we do not sell this aggregated data to third parties.
5. Data security
5.1 How we protect your data
We implement industry-standard security measures to protect your information:
Technical Measures:
- All data transmitted over HTTPS (TLS 1.2+)
- Passwords hashed using bcrypt
- Database access restricted by role-based permissions (Supabase Row Level Security)
- Session tokens expire after inactivity
- Regular security updates and vulnerability patching
Organizational Measures:
- Access to production data limited to authorized personnel only
- Data backups performed automatically (Supabase managed)
- Incident response procedures in place
5.2 Your responsibility
You are responsible for:
- Keeping your password secure (do not share it)
- Logging out of shared or public devices
- Reporting any unauthorized access to your account immediately
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Use strong, unique passwords and enable two-factor authentication when available.
6. Data retention
6.1 How long we keep your data
- Account and Project Data: Retained as long as your account is active
- Deleted Projects: Moved to trash, permanently deleted after 30 days
- Closed Accounts: Data deleted within 90 days of account closure request
- Legal Requirements: Some data may be retained longer if required by law (e.g., tax records, fraud investigations)
6.2 Automatic backups
Supabase performs automatic daily backups. Backup retention depends on our Supabase plan (typically 7–30 days). Backups are used only for disaster recovery, not for restoring individual deleted items.
7. Your rights and choices
7.1 Access, correction, and deletion
You have the right to:
- Access your data: View and download your information at any time via the Settings page
- Correct your data: Update inaccurate or incomplete information in Settings
- Delete your data: Request account deletion by emailing legal@stitchqueue.com
Account Deletion Process:
- You request deletion via email
- We verify your identity (to prevent unauthorized deletion)
- We delete your account and all associated data within 90 days
- Backups containing your data will expire naturally (within 30 days)
7.2 Data portability (GDPR)
If you are in the EU/EEA/UK, you have the right to receive your data in a structured, machine-readable format (CSV export available in Settings).
7.3 Object to processing (GDPR)
You can object to processing based on legitimate interests by contacting legal@stitchqueue.com. We will stop processing unless we have compelling legitimate grounds.
7.4 Withdraw consent
You can withdraw consent for marketing emails at any time by:
- Clicking “unsubscribe” in any marketing email
- Updating your preferences in Settings
- Emailing legal@stitchqueue.com
Note: Transactional emails (password resets, estimate delivery, security alerts, billing notifications, and payment failures) cannot be unsubscribed from while you have an active account.
7.5 Restrict processing (GDPR)
You can request restricted processing (data stored but not actively used) in certain circumstances, such as while a data accuracy dispute is resolved.
7.6 Lodge a complaint (GDPR)
If you believe we have mishandled your data, you have the right to lodge a complaint with your local data protection authority:
8. Cookies and tracking
8.1 What cookies we use
StitchQueue uses minimal cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Supabase authentication session | 1 hour (sliding) |
| sb-refresh-token | Supabase session refresh | 30 days |
We do not use:
- Third-party advertising cookies
- Social media tracking pixels
- Cross-site tracking cookies
8.2 Analytics
We do not currently use third-party analytics tools. If we add analytics in the future, we will update this policy and the analytics will be privacy-focused with anonymized, aggregated data only.
8.3 Your cookie choices
Most browsers allow you to control cookies via settings. Note that disabling authentication cookies will prevent you from logging in.
For EU/UK users: We will implement a cookie consent banner before accepting users from those regions.
9. International data transfers
9.1 Where your data is stored
StitchQueue is operated from the United States. If you are accessing the Service from outside the US, your data will be transferred to and stored in the United States.
For EU/EEA/UK users:
- We rely on Standard Contractual Clauses (SCCs) for GDPR-compliant data transfers
- Our service providers (Supabase, Vercel, Resend) implement appropriate safeguards
- You have the same rights regardless of where data is processed
10. Children’s privacy
StitchQueue is not intended for users under the age of 18. We do not knowingly collect personal information from children.
If we discover that we have collected data from a child under 18, we will delete it immediately. If you believe a child has provided us with personal information, please contact legal@stitchqueue.com.
11. California privacy rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
11.1 Right to know
You can request details about the personal information we have collected, used, disclosed, and sold (though we do not sell data) in the past 12 months.
11.2 Right to delete
You can request deletion of your personal information (with certain legal exceptions).
11.3 Right to opt-out
You have the right to opt out of the “sale” of personal information. We do not sell your data, so this does not apply.
11.4 Right to non-discrimination
We will not discriminate against you for exercising your CCPA rights.
11.5 How to exercise your rights
Email legal@stitchqueue.com with “CCPA Request” in the subject line. We will verify your identity and respond within 45 days.
Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.
12. Changes to this privacy policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last Updated” date.
Material changes (e.g., changes to how we share data) will be communicated via:
- Email notification to all users
- Prominent notice on the StitchQueue dashboard
Your continued use of the Service after changes constitutes acceptance of the updated policy.
You can view previous versions of this policy by contacting legal@stitchqueue.com.
13. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:
For Privacy, Legal & Compliance Matters:
Email: legal@stitchqueue.com
Subject Line: “Privacy Inquiry - [Your Topic]”
For Technical Support & Billing:
Email: support@stitchqueue.com
Mailing Address: 1310 E Cleveland Bay Ln, Spokane, WA 99208, USA
Response Time: We will respond to privacy inquiries within 5 business days and resolve requests within 30 days (or 45 days for CCPA requests).
14. Appendix: Legal definitions
Personal Information / Personal Data: Information that identifies, relates to, or could reasonably be linked to you (e.g., name, email, IP address).
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Data Controller: The entity that determines the purposes and means of processing personal data (Stitched By Susan).
Data Processor: A third party that processes data on behalf of the controller (e.g., Supabase).
EU/EEA: European Union and European Economic Area (includes Iceland, Liechtenstein, Norway).
15. Summary (plain language)
What we collect: Your email, business info, client project data, and usage stats.
Why we collect it: To run your account, save your work, and improve the app.
Who we share it with: Hosting providers (Supabase, Vercel), payment processor (Stripe), and email service (Resend). We do not sell your data.
Your rights: You can view, edit, download, and delete your data anytime. EU/UK users have additional GDPR rights.
Security: We encrypt data in transit and at rest, use secure authentication, and limit access.
Contact: legal@stitchqueue.com for privacy/legal matters, support@stitchqueue.com for technical support.
END OF PRIVACY POLICY
This document was prepared on February 7, 2026. It is designed to be attorney-reviewable but not a substitute for legal advice. Have your lawyer review and approve before publishing.