1. Who we are & Scope

POSuna Ltd ("POSuna", "we", "us") provides a multi-tenant back-office platform for point-of-sale operations (the "Services"). This policy applies to visitors to our websites and to users of the Services, including their authorised personnel.

This document is a comprehensive template. You should validate it with your solicitor and update company details such as registered address, company number, and DPO contact (if appointed).

2. Roles (Controller vs Processor)

Depending on context, POSuna may act as:

  • Controller for account, billing, product analytics, support communications, security and abuse prevention.
  • Processor for customer business data entered into the Services (e.g., products, employees, customers, sales, receipts). In this case, your organisation is the Controller.

Where we are a Processor, our processing is governed by a Data Processing Agreement ("DPA").

3. Data we collect

3.1 Account & business data

  • Names, emails, role/permission assignments, PIN length (hashed PINs only), BusinessID, audit logs.
  • Business profile (legal name, VAT, company number, address, contact details).

3.2 Operational data (Processor)

  • Catalog (categories, products, variants, modifiers, images).
  • Sales & payments (totals, tax, tender types, receipt content).
  • Inventory, suppliers, purchase orders, returns.
  • Customer records if you enable CRM/loyalty.

3.3 Device & usage

  • Log data (IP, user agent, timestamps), page-level permission checks, session identifiers.
  • Diagnostics and performance metrics to improve reliability.

3.4 Support & communications

  • Tickets, emails, chat transcripts, attachments, and environment details if you consent to include them.

4. Purposes & legal bases

| Purpose | Examples | Legal basis (UK/EU) |
|---|---|---|
| Provide & secure Services | Auth, permissions, backups, fraud/abuse monitoring | Contract; Legitimate interests |
| Billing & account | Subscriptions, invoices, payment processing | Contract; Legal obligation (tax) |
| Product improvement | Aggregated analytics, feature usage | Legitimate interests; Consent where required |
| Support & communications | Respond to requests, incident notices | Contract; Legitimate interests |
| Compliance | Respond to lawful requests | Legal obligation; Vital interests (rare) |

5. Sharing & sub-processors

We do not sell personal data. We share data only as necessary with trusted providers under contract, including:

  • Cloud hosting and database services.
  • Email and notification providers.
  • Payment processors (if you connect a gateway).
  • Analytics and error monitoring (aggregated where possible).

We will publish a list of current sub-processors on our website and notify customers before materially adding or replacing any sub-processor where required by the DPA.

6. Retention & deletion

We keep personal data only as long as necessary for the purposes described or as required by law. Tenant-level retention defaults can be configured in Settings → Data & Export (e.g., logs and receipt retention).

| Data category | Default retention | Notes |
|---|---|---|
| Access logs | 12 months | For security and audit. |
| Receipts | 5 years | Accounting/Tax obligations may require longer. |
| Support tickets | 24 months | To improve support and track issues. |
| Backups | 30–90 days | Rolling encrypted backups for disaster recovery. |

Upon contract termination, we will disable access and delete or return Customer Content per the DPA, subject to legal retention duties.

7. Security measures

  • Least-privilege, role-based access controls; page-level permission checks.
  • Encryption in transit (TLS) and at rest for sensitive data (incl. hashed PINs).
  • Network hardening, monitoring, and regular software patching.
  • Backups with defined retention; disaster recovery procedures.
  • Vendor due diligence and contractual safeguards for sub-processors.

8. Cookies & local storage

We use cookies and local storage to keep sessions active and to remember preferences (e.g., theme, BusinessID-scoped settings). You can control cookies via your browser; disabling some may affect functionality.

| Storage | What | Why | Expiry |
|---|---|---|---|
| Cookie | Session token | Authenticate and keep you signed in | Session / configurable |
| localStorage | Theme, permissions cache, BusinessID | Improve UX; faster permission checks | Until cleared |
| IndexedDB (if enabled) | Offline cache | Enable limited offline functionality | Until cleared |

9. International transfers

Where personal data is transferred outside the UK/EU, we use appropriate safeguards (e.g., Standard Contractual Clauses and technical measures) to protect it.

10. Your rights

Subject to law, you may have the right to access, rectify, erase, restrict, port, or object to processing of your personal data. For Customer Content where your employer is the Controller, please contact your organisation first; we will assist the Controller per the DPA.

  • Access/Export: Export data via built-in reports or by request.
  • Rectification: Update account details in Settings.
  • Erasure: Request deletion where applicable.
  • Objection/Restriction: Manage marketing preferences and analytics where offered.
  • Complaint: You may lodge a complaint with the ICO (UK) or your local authority.

11. Children’s data

The Services are not directed to children under 16 and we do not knowingly collect their data.

12. Automated decisions

POSuna does not make decisions producing legal or similarly significant effects based solely on automated processing. We may use non-intrusive analytics to improve product experience.

13. Changes to this policy

We may update this policy from time to time. If changes materially affect your rights, we will provide additional notice (e.g., email or in-app notice). The “Effective date” above will be updated.

Contact

Questions about privacy? Contact our team at privacy@posuna.co.uk or via the Contact page.

Controller: POSuna Ltd · Registered in England & Wales · (insert registered office & company number)

Need a signed DPA?
We can provide a standard Data Processing Agreement on request.