Privacy Policy

VenaPOS ("we," "us," or "our") is a UK-based company providing restaurant operating system software. This Privacy Policy explains how we process personal data when you visit our website, create an account, or use our services.

Important Distinction: This Privacy Policy applies to your relationship with VenaPOS as a platform subscriber. Your restaurant business is a separate data controller for your own customers' data. You must provide your own privacy policy to your end customers.

VenaPOS is a software-as-a-service provider registered in the United Kingdom. We provide cloud-based POS and restaurant management tools to businesses worldwide.

Data Controller: For platform subscribers (restaurant owners and staff), VenaPOS acts as the data controller for account and operational data processed through our platform.

Data Processor: For end-customer data (your restaurant's customers), VenaPOS acts as a data processor on your behalf. You are the data controller for your customer data.

We collect the following categories of data:

3.1 Account Data (Restaurant Owners/Staff)

• Name, email address, phone number
• Restaurant/business name and details
• Login credentials (encrypted)
• Billing and payment information
• Role and permission settings

3.2 Operational Data

• Menu configuration and item data
• Order history and transaction records
• Inventory and stock data
• Staff schedules and roles
• Kitchen workflow data

3.3 End-Customer Data (Your Customers)

• Customer names, phone numbers, email addresses
• Delivery addresses
• Order history and preferences
• Payment method tokens (not full card details)
• Loyalty program data

Note: You are the data controller for this data. We process it only on your instructions.

3.4 Technical Data

• IP address and device information
• Browser type and version
• Operating system
• Usage logs and analytics
• Cookies and similar technologies

We use personal data for the following purposes:

4.1 Providing the Service

• Operating and maintaining the VenaPOS platform
• Processing orders and transactions
• Managing user accounts and authentication
• Providing customer support
• Sending service-related notifications

4.2 Improving the Platform

• Analyzing usage patterns to improve features
• Debugging and fixing issues
• Developing new functionality
• Conducting research and analytics

4.3 Security and Compliance

• Detecting and preventing fraud or abuse
• Monitoring for security threats
• Complying with legal obligations
• Enforcing our Terms of Service

4.4 Communication

• Sending account and billing information
• Providing product updates and announcements
• Marketing communications (with your consent)
• Responding to inquiries and support requests

We process personal data based on the following legal grounds:

• Contract: Processing necessary to provide our services under our agreement with you
• Legitimate Interests: Platform security, fraud prevention, and service improvement
• Legal Obligation: Compliance with applicable laws and regulations
• Consent: Marketing communications and optional features (where applicable)

We implement comprehensive technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
• Encryption at Rest: All stored data is encrypted using AES-256 encryption
• Field-Level Encryption: Sensitive fields (API keys, credentials) receive additional encryption layers
• Access Controls: Role-based access with multi-factor authentication options
• Regular Audits: Security assessments and penetration testing
• Secure Infrastructure: Hosted on ISO 27001 certified cloud providers

VenaPOS does not store complete payment card details. Payment processing is handled exclusively by PCI-DSS compliant third-party processors (Stripe, PayPal, etc.).

• Full card numbers never touch our servers
• Payment processors tokenize card data
• We store only transaction references and tokens
• Payment processors are independently PCI-DSS Level 1 certified

We share data only with trusted service providers necessary to operate our platform:

• Cloud hosting providers (AWS, Google Cloud, etc.)
• Payment processors (Stripe, PayPal, etc.)
• Email delivery services
• Analytics providers
• Customer support tools

All subprocessors are contractually bound to process data only on our instructions and maintain appropriate security measures. We do not sell personal data to third parties.

As a UK-based company serving global customers, your data may be processed in multiple jurisdictions. We ensure appropriate safeguards are in place:

• UK/EU Data: For UK and EU customers, data primarily remains within UK/EU data centers
• Standard Contractual Clauses: We use SCCs for any necessary data transfers outside the UK/EU
• Adequacy Decisions: We rely on UK government adequacy decisions where applicable
• Data Localization: Available for enterprise customers requiring data residency

We retain personal data for the following periods:

• Active Accounts: Data retained while your account is active
• Terminated Accounts: Data retained for 30 days after account termination, then securely deleted (unless legal requirements dictate otherwise)
• Backup Retention: Backups may retain data for up to 90 days after deletion
• Legal Requirements: Some data may be retained longer where required by law (e.g., tax records)

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to certain types of processing
• Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, please contact us using the details below. We will respond within 30 days (or sooner where required by law).

As you are the data controller for your end customers, they should contact you directly to exercise their data rights. You are responsible for:

• Responding to your customers' data access requests
• Deleting customer data when requested
• Providing data portability for your customers
• Obtaining proper consent for marketing

VenaPOS provides tools to help you comply with these obligations, including data export and deletion capabilities.

We use cookies and similar technologies for:

• Essential platform functionality (authentication, security)
• Preferences and settings
• Analytics and performance monitoring
• Marketing (with consent where required)

You can manage cookie preferences through your browser settings. Essential cookies cannot be disabled as they are necessary for the platform to function.

Our platform is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes will be communicated by email or in-product notice. Continued use after changes constitutes acceptance of the revised Policy.

For questions about this Privacy Policy or to exercise your data rights:

• Contact us via our website
• Email: privacy@venapos.com

For data protection inquiries, you may also contact the UK Information Commissioner's Office (ICO) at https://ico.org.uk.