Privacy Notice

Last updated 30 May 2026.

This notice explains, in plain English, what personal data PosGPT collects, why, how long we keep it, and what your rights are. We comply with the UK GDPR and the EU GDPR.

1. Who is the controller

For data about you as a PosGPT subscriber (your account, billing, support tickets), we are the data controller. Operator: Dev Dutt Choudhary, Indore, India. Contact for data matters: privacy@posgpt.uk.

For data your restaurant captures about your customers (orders, receipts, optional diner email for digital receipt), you are the controller and we are the processor, processing only on your documented instructions.

2. What we collect about subscribers

• Account: name, work email, password (stored hashed with bcrypt cost 12 — we never see your plaintext password).
• Restaurant profile: business name, address, VAT number (optional), opening hours, contact details.
• Billing: Paddle handles card details — we receive only a customer ID, a subscription ID, the price and the billing event timestamps. We never see your card number, CVV, or expiry.
• Support: if you email us we keep the thread.
• Operational logs: IP, user-agent, request path and status. Retained 30 days for abuse-prevention; access restricted to the operator.

3. What we collect about your diners (you control this)

• Order items, prices, modifiers, allergens.
• Optional diner email if they ask for a digital receipt.
• Table number for dine-in.
• Card payment confirmation IDs from Square (no card number).

We do not store diner names or phone numbers unless your staff enters them. We do not sell, share, or use diner data for any purpose other than running your restaurant operations.

4. What we don’t collect

• No third-party advertising / analytics cookies on this marketing site.
• No personal data sold to any third party, ever.
• No marketing emails unless you opt in via the dashboard.
• No card-number storage. Stripe scope is SAQ-A (handled by Paddle/Square).

5. Where the data lives

Subscriber data and diner data are stored in the UK / EU (specifically the AWS Stockholm / London regions). Backups are encrypted and stored in the same region. We do not transfer personal data outside the UK/EU except for limited support access by the operator from India, which is governed by the UK’s adequacy decision for India under the Data Transfer Risk Assessment framework.

6. Sub-processors

• Paddle — subscription billing (UK seller of record).
• Square — card payments (when you connect it).
• Resend — transactional email transport (Ireland).
• AWS — infrastructure hosting (London / Stockholm).
• Cal.com — demo-call scheduling; processes your name, email and chosen time only if you book a demo (EU-hosted).

Each is bound by GDPR-compliant terms. A current list is available on request from privacy@posgpt.uk.

7. How long we keep data

• Account + restaurant data: for as long as your subscription is active, then 90 days grace.
• Diner orders + receipts: 6 years from the transaction date (UK tax law).
• Operational logs: 30 days.
• Support emails: 24 months from last reply.

8. Your rights

Under the UK GDPR you have the right to:

• Ask what personal data we hold about you (subject access);
• Correct inaccurate data;
• Ask us to delete data (right to be forgotten — subject to the tax-law retention above);
• Export your data in a machine-readable format (portability);
• Object to or restrict processing;
• Withdraw consent for anything you opted into (e.g. marketing).

To exercise any of these, email privacy@posgpt.uk. We respond within 30 days. If we don’t satisfy you, you may complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

9. Security

• HTTPS everywhere (Let’s Encrypt certificates, TLS 1.2+).
• Passwords hashed with bcrypt cost 12, never logged.
• Square OAuth tokens encrypted at rest (AES-GCM-256).
• Per-tenant data isolation enforced at the database query layer.
• Daily automated backups, weekly restore tests.
• Single-engineer access; access reviewed quarterly.

10. Cookies

This marketing site (posgpt.uk) sets zero third-party cookies and uses no analytics by default. The SPA at app.posgpt.uk uses essential session cookies only (auth tokens, CSRF). Those are first-party, HttpOnly and SameSite=Strict.

11. Changes to this notice

We update the date at the top whenever this changes. Material changes are also announced via email to active account owners.

12. Contact

Privacy: privacy@posgpt.uk
Support: support@posgpt.uk