Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 1, 2026

This Privacy Policy describes how OSPOS ("we," "us," "our") collects, uses, and protects your information when you use the OSPOS mobile application and related services (the "Service"). We are committed to protecting your privacy and being transparent about our data practices.

1. Our Privacy Principles

OSPOS is built on a simple idea: your data is yours. We designed the app so that the Free Tier works entirely on your device with zero data leaving your phone. For Paid Tier users, we collect only what's necessary to provide cloud features. We never sell your data.

2. Information We Collect

Free Tier (No Data Collection)

If you use the Free Tier, we collect nothing. All data — including your menu, orders, transaction history, and business settings — is stored locally on your device using SQLite. No data is transmitted to our servers. No account is required. No internet connection is needed.

Paid Tier (Account Required)

When you create an OSPOS account and use the Paid Tier, we collect:

Data	Purpose	Storage
Email address	Account authentication, notifications	Our servers
Business name	Receipts, account identification	Our servers
Business settings	Tax rate, tip config, sync preferences	Our servers + device
Order history	Cloud sync, reporting	Our servers + device
Transaction records	Cloud sync, reporting, receipts	Our servers + device
Customer phone/email	Receipt delivery (entered per-transaction)	Our servers (with order)

Apple Sign In

If you sign in with Apple, we receive only the information Apple provides based on your choices: your name (if you share it) and either your real email address or an Apple-generated private relay address. We use this solely for account creation and authentication.

3. Information We Never Collect

We never collect, store, process, or have access to:

Credit card numbers, debit card numbers, or cardholder data
Your location (location permission is used only for Stripe Terminal and never transmitted to us)
Your contacts, messages, call logs, or browsing history
Device advertising identifiers
Biometric data (Face ID / Touch ID is processed entirely on-device by iOS)

All payment card data is handled exclusively by Stripe in accordance with PCI DSS standards.

4. How We Use Your Information

We use your information solely to:

Provide and operate the Service (account management, data sync, receipts)
Send transactional emails (account verification, password resets, receipts)
Communicate service updates and important notices
Improve the Service using aggregated, anonymized analytics
Comply with legal obligations

We do not use your data for advertising, profiling, or marketing to third parties.

5. Third-Party Services

The Paid Tier integrates with the following third-party services, each with their own privacy policies:

Stripe — Payment processing. Stripe receives transaction and business data necessary to process payments. See Stripe's Privacy Policy.
Twilio — SMS receipt delivery. Twilio receives customer phone numbers only when an SMS receipt is sent. See Twilio's Privacy Policy.
SendGrid — Email receipt delivery. SendGrid receives customer email addresses only when an email receipt is sent. See SendGrid's Privacy Policy.
Sentry — Error monitoring. Sentry receives anonymized crash reports and error data to help us fix bugs. No personally identifiable information is sent. See Sentry's Privacy Policy.

We do not share your data with any other third parties.

6. Data Security

We take reasonable measures to protect your data:

In transit: All communication between the app and our servers uses TLS encryption (HTTPS).
At rest: Server-stored data is encrypted. Local data on iOS is protected by Apple's filesystem encryption.
Authentication: Account tokens are stored in your device's secure keychain (Keychain on iOS), not in plaintext storage.
Payment data: We never handle card data. Stripe manages all payment security in compliance with PCI DSS.

7. Data Retention

Free Tier: Data exists only on your device. Deleting the app deletes your data.
Paid Tier: We retain your data for as long as your account is active. After account deletion, server-stored data is retained for 90 days (to allow recovery), then permanently deleted.
Legal obligations: We may retain certain records longer if required by law (e.g., tax records, fraud prevention).

8. Your Rights

You have the right to:

Access your data: Export your transaction data via CSV at any time. Request a full data export by contacting us.
Delete your data: Request deletion of your server-stored data by emailing hello@ospos.app. We process requests within 30 days.
Correct your data: Update your account information at any time through the app.
Port your data: Export your data in CSV format for use with other services.

If you are located in the European Union, United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise these rights.

9. Children's Privacy

OSPOS is a business tool intended for users 18 years of age or older. We do not knowingly collect information from children under 13 (or under 16 in the EU). If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

10. International Data Transfers

Our servers are located in the United States and Germany (Hetzner). If you use the Paid Tier from outside these regions, your data will be transferred to and processed in these locations. By using the Paid Tier, you consent to this transfer. We ensure appropriate safeguards are in place for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email (for Paid Tier users) or in-app notification. The most current version will always be available at ospos.app/privacy.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

OSPOS
Email: hello@ospos.app
Website: ospos.app