Privacy Policy
Maksud Limited
Last Updated: February 2026
1. Introduction
This Privacy Policy explains how Maksud Limited ("we", "us", or "our") collects, uses, stores, and protects information when you use our EPOS (Electronic Point of Sale) application ("the App").
The App is designed for business staff to manage point of sale operations, process orders, and handle payments. By using the App, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Staff Account Information
When business staff use the App, we collect:
- Full name
- Email address
- Staff role (e.g., manager, kitchen staff, owner)
- 4-digit PIN for authentication
- Staff activity logs (orders processed, login times)
2.2 Business Owner Information
When business owners register and manage their account:
- Email address
- Password (stored securely using industry-standard hashing)
- Business name, address, and logo
- Business configuration preferences
2.3 Customer Order Information
When processing customer orders, the App collects:
- Customer name
- Phone number
- Email address (optional)
- Delivery address (for delivery orders)
- Order details (items, quantities, special instructions)
- Payment information (processed securely via Stripe)
2.4 Device Information
To provide the service, we may access:
- Device identifiers for authentication
- Camera (for uploading product images)
- Local storage (for app settings and temporary data)
- Bluetooth (for connecting to receipt printers)
3. How We Use Your Information
We use the collected information to:
- Authenticate users: Verify staff identity and manage access permissions
- Process orders: Create, manage, and fulfil customer orders
- Process payments: Securely handle payment transactions via Stripe
- Send notifications: Deliver SMS notifications for payment links and order updates
- Improve our service: Analyse usage patterns to enhance app functionality
- Maintain security: Detect and prevent fraudulent activity
- Comply with legal obligations: Meet regulatory and legal requirements
4. Third-Party Services
We use the following third-party services to operate the App:
4.1 Stripe (Payment Processing)
- Purpose: Process credit/debit card payments
- Data shared: Customer ID, payment amount, transaction details
- Privacy Policy: https://stripe.com/privacy
4.2 Twilio (SMS Notifications)
- Purpose: Send payment links and order notifications via SMS
- Data shared: Customer phone numbers, message content
- Privacy Policy: https://www.twilio.com/legal/privacy
4.3 Neon (Database Hosting)
- Purpose: Securely store business and order data
- Data shared: All application data (encrypted in transit and at rest)
- Privacy Policy: https://neon.tech/privacy
4.4 Cloudflare (Infrastructure)
- Purpose: Host and secure our API services
- Data shared: API request data
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
4.5 Cloud Storage (S3-Compatible)
- Purpose: Store product images and business assets
- Data shared: Uploaded images and files
- Note: No personal data is stored in image files
5. Data Security
We implement robust security measures to protect your information:
- Encryption: All data is transmitted using HTTPS/TLS encryption
- Secure Storage: Sensitive credentials are stored using platform-specific secure storage (iOS Keychain, Android Keystore)
- Token-Based Authentication: JWTs with a short expiry period (15 minutes)
- Tenant Isolation: Database-level security ensures business data is isolated
- PCI Compliance: Payment card details are handled entirely by Stripe; we never store card numbers
- Access Controls: Role-based permissions restrict data access to authorised personnel
6. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Active accounts: Data is retained while the account remains active
- Order history: Retained for accounting and legal compliance purposes
- Deleted accounts: Personal data is removed within 30 days of account deletion, except where retention is required by law
- Backup data: May be retained for up to 90 days for disaster recovery purposes
7. Your Rights
Under applicable data protection laws (including UK GDPR), you have the following rights:
7.1 Right of Access
You can request a copy of the personal data we hold about you.
7.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure
You can request deletion of your personal data, subject to legal retention requirements.
7.4 Right to Restrict Processing
You can request that we limit how we use your data.
7.5 Right to Data Portability
You can request your data in a machine-readable format.
7.6 Right to Object
You can object to certain types of data processing.
7.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, please contact us using the details in Section 12.
8. How to Request Data Deletion
To request deletion of your data:
- Email us at privacy@maksud.co.uk with the subject line "Data Deletion Request: Maksud - Restaurant POS"
- Include your name and the email address associated with your account
- We will verify your identity and process your request within 30 days
Data that will be deleted:
- Staff account information (name, email, PIN)
- Business owner account details
- Customer order information associated with your account
Data that may be retained:
- Order history may be retained for up to 7 years for accounting and legal compliance purposes
- Backup data may persist for up to 90 days after deletion
- Anonymised data that cannot be linked back to you
9. Children's Privacy
The App is designed for business use by adult staff members. We do not knowingly collect personal information from children under 13 years of age. If you believe we have inadvertently collected such information, please contact us immediately so we can delete it.
10. International Data Transfers
Your data may be processed in countries outside the UK/EEA, including:
- United States (Stripe, Twilio, Cloudflare)
- European Union (Database hosting)
Where data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by:
- Posting the updated policy in the App
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification for material changes
We encourage you to review this policy periodically.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Maksud Limited
Email: privacy@maksud.co.uk
This Privacy Policy is effective as of February 2026.