Privacy Policy
Last updated: 2026-04-27
Zirel POS (“Zirel”, “we”, “us”, “our”) is a point-of-sale application for small businesses. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and how you can exercise your rights. It applies to the Zirel mobile app, the web portal at https://zirelpos.com, and any related services (collectively, the “Service”).
Where this Policy refers to “personal data”, we mean any information that relates to an identified or identifiable natural person, as defined under applicable data-protection laws (including the EU and UK General Data Protection Regulation, the California Consumer Privacy Act / CPRA, Brazil’s LGPD, Japan’s APPI, Korea’s PIPA, Singapore’s PDPA, and similar laws).
1. Who is responsible for your data
For data we collect about you, the account holder (your email, business profile, device information, subscription status, and similar), we act as the controller. For data you enter about your customers, employees, suppliers, or other third parties through the Service, you act as the controller (or the equivalent role under applicable law) and we act as your processor: we process that data only on your behalf and on your instructions to provide the Service. You are responsible for having a lawful basis to collect that data, for providing any required notices to the individuals concerned, and for honoring their rights requests.
2. What we collect
- Account data. Email address, business name and type, business address and contact information, business logo, country and locale, and the subscription receipt or purchase token issued by the app store on subscription.
- Staff data. Names, email addresses, phone numbers, photos, role and permission assignments, login PINs, and login activity for staff accounts you create.
- Customer data you record. Names, phone numbers, addresses, notes, loyalty point balances and ledger, outstanding debt and debt payment history, and any photos of payment proofs you upload (e.g. transfer slips). You decide what to record.
- Transactional and operational data. Items, item variants, modifiers, taxes, discounts, payment methods, transactions, orders, shifts, settlements, stock levels and adjustments, receipts, and printable templates.
- Device and technical data. Device model, operating system and version, app version, locale, a per-device identifier and device key used for sync and pairing, push-notification token, IP address, and approximate region derived from it.
- Crash and diagnostic data. Stack traces, performance metrics, and similar runtime information used to detect and fix bugs. We do not intentionally include the contents of your business records in these reports.
- Communications. Messages you send to support and any attachments you provide.
3. How we use your data and the legal bases
- To provide the Service — keeping your data in sync across your paired devices, processing your transactions, generating receipts, sending push notifications, and similar (basis: performance of our contract with you);
- To process payments and subscriptions — through the app store you used to subscribe and through RevenueCat, which validates your subscription on our behalf (basis: performance of our contract);
- To provide customer support when you contact us (basis: performance of our contract and our legitimate interest in resolving your inquiry);
- To improve reliability through aggregated and anonymized crash and usage analytics (basis: our legitimate interest in maintaining a working product);
- To show advertising on the Free tier via third-party ad networks (basis: performance of our contract with you for the ad-supported Free tier, or your consent where required);
- To comply with legal obligations and to protect the rights, safety, or property of Zirel, our users, or the public (basis: legal obligation and legitimate interest).
We do not sell your personal data, and we do not use it for cross-context behavioral advertising or profiling.
4. Who we share data with
We share data only with service providers we rely on to operate the Service, and only to the extent necessary for them to perform their function. Each is bound by appropriate confidentiality and data-processing obligations.
- Google Firebase (Google LLC) — authentication, push messaging, and crash reporting.
- Google Play and Apple App Store — subscription billing and receipt validation. We never see your full payment instrument.
- RevenueCat (RevenueCat, Inc.) — subscription validation and entitlement management.
- Google Drive (Google LLC) — optional encrypted backups, only if you enable this feature, and stored in your own Google Drive account.
- Cloudflare (Cloudflare, Inc.) — edge security, content delivery, and DDoS protection for our website and API.
- Advertising networks used on the Free tier — to serve in-app advertising. These networks may collect device identifiers and similar information as described in their own privacy policies.
- Hosting and infrastructure providers we use to operate our backend.
We may also disclose data when required by law, valid legal process, or a binding order from a competent authority, or to protect the rights, safety, or property of Zirel, our users, or the public. If we are involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, and we will notify you before it becomes subject to a different privacy policy.
5. Where your data lives and international transfers
We store operational data encrypted at rest on servers operated by us and by our hosting providers. Backups are encrypted and retained for up to 30 days. Some of our service providers (including those listed above) operate globally, which means your data may be transferred to, stored in, or accessed from countries other than the one in which you reside, including countries that may not provide the same level of data-protection law as your own. Where required, we rely on appropriate safeguards for such transfers, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms.
6. How long we keep your data
We retain your data for as long as your account is active and for as long as we need it to provide the Service. After you delete your account via https://zirelpos.com/account/delete, we delete or irreversibly anonymize your account and operational data from production systems within a reasonable period (typically 30 days), and remove it from encrypted backups within a further 30 days. We may retain certain information for longer if required to comply with a legal obligation, resolve disputes, or enforce our agreements.
7. Data loss and Free-tier storage
Free-tier data is stored only on your device. We do not back it up and we cannot recover it if your device is lost, stolen, damaged, factory reset, or if the app is uninstalled. The Service is offline-first: changes you make while offline are queued locally and uploaded the next time the device successfully reaches our servers. If the device is wiped, replaced, or reinstalled before that upload completes, the queued changes are lost. You are solely responsible for maintaining your own backups using the export, local backup, and Google Drive backup features available in the Service. Please see our Terms of Service for the full allocation of responsibility regarding data loss.
8. Security
We use technical and organizational measures designed to protect your data, including encryption in transit (TLS) and at rest, access controls, audit logging, device pairing, and the ability to remotely deactivate a paired device. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials, your staff PINs, and the physical security of the devices on which the Service is installed.
9. Your rights
Depending on the data-protection laws that apply to you, you may have the following rights with respect to personal data we hold about you as the account holder:
- Access and portability — request a copy of your personal data in a structured, commonly used format. Email [email protected] and we will respond within the period required by applicable law (typically 30 days).
- Correction — edit your data inside the app, or contact support.
- Deletion — visit https://zirelpos.com/account/delete to permanently delete your business and all associated data.
- Objection and restriction — object to, or ask us to restrict, certain processing of your personal data.
- Withdraw consent — where we rely on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint — with the data-protection authority of your country of residence.
For requests relating to data we process on behalf of a business (for example, customer or staff records that a Zirel user has entered into the Service), please contact that business directly. We will assist them in responding to you, but we are not authorized to act on the underlying data without their instructions.
For users in California: we do not sell or share personal information as those terms are defined under the CCPA/CPRA. You have the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights.
10. Children
The Service is intended for use by businesses and is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. We will indicate the date of the most recent revision at the top of this page, and where the changes are material we will provide additional notice in the app or by email. Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.
12. Contact
Questions, requests, or complaints about this Policy or our handling of your data? Email [email protected].