Taply Retail POS
Privacy Policy
Effective Date: April 3, 2026 | Last Updated: June 12, 2026
Version: 2026-06-12
This Privacy Policy describes how 2D Data LLC ("Company", "we", "us") collects, uses, shares, and protects information when you use Taply Retail POS ("Service"). This policy applies to merchants who use our point-of-sale software and to customers whose data merchants collect through the Service.
1. Information We Collect
1.1 Merchant Account Information
| Data Type | Examples | Purpose |
|---|---|---|
| Account credentials | Email address, password (hashed) | Authentication |
| Business information | Store name, address, phone, tax ID | Service operation, receipts |
| Payment credentials | Stripe account ID (no card numbers) | Payment processing |
| Staff information | Names, roles, PINs (hashed) | Access control |
| Device information | Device model, OS version, app version | Debugging, compatibility |
1.2 Transaction Data
| Data Type | Examples | Purpose |
|---|---|---|
| Sales records | Items, prices, quantities, totals | Business operations, reporting |
| Payment records | Payment method (cash/card), last 4 digits, amount | Transaction tracking |
| Refund records | Refund amount, reason, timestamp | Financial records |
| Audit logs | Actions performed, timestamps, staff member | Security, compliance |
1.3 Customer Data (Collected by Merchants)
| Data Type | Examples | Purpose |
|---|---|---|
| Contact information | Customer name, email, phone | CRM, receipts |
| Purchase history | Visit count, total spent | Loyalty tracking |
1.4 Optional Permission-Based Data
| Data Type | Examples | Purpose |
|---|---|---|
| Approximate location | Store city and state suggested during setup | Optional store setup auto-fill |
| Precise location | Device location used by Stripe Terminal on Android Tap to Pay devices | Card-present payment security, fraud prevention, and Terminal availability |
| Selected photos | Store logo image chosen from your photo library | Store branding on receipts and in the app |
| Nearby device information | Receipt printer or card reader connection state | Printer and payment-device connectivity |
Approximate location is requested only when you choose the setup auto-fill action. It is used to suggest your store city and state and is not stored as latitude or longitude. The business address, city, state, and country that you save during setup are stored as store profile information.
Precise location is requested on Android only when you use Stripe Terminal features such as Android Tap to Pay. Stripe requires device location to enable card-present payments, reduce fraud, and minimize disputes. Taply Retail POS does not store continuous location history.
1.5 Diagnostics and Reliability Data
| Data Type | Examples | Purpose |
|---|---|---|
| Crash reports | Stack traces, error messages, app version, operating system version | Debugging and service reliability |
| Performance diagnostics | Launch timing, app hangs, sampled performance traces | Performance monitoring and stability improvement |
| Product interaction diagnostics | Masked, sampled session replay around errors and sampled app sessions | Reproducing crashes and fixing usability defects |
We use Sentry for crash reporting, performance diagnostics, and sampled session replay. Sentry is configured not to collect default personally identifiable information, not to track users across apps or websites, and to mask text and images in session replay.
1.6 Information We Do NOT Collect
- Credit or debit card numbers
- Bank account numbers
- Social Security numbers
- Biometric data (Face ID/Touch ID is processed on-device by Apple only)
- Continuous location history
2. How We Use Information
- Service operation: Processing transactions, generating receipts and reports
- Account management: Authentication, authorization, staff access control
- Cloud sync: Synchronizing data between your device and our cloud infrastructure
- Customer support: Responding to support requests
- Service improvement: Analyzing usage patterns to improve the Service (aggregated, anonymized)
- Legal compliance: Meeting regulatory and legal obligations
3. How We Store and Protect Information
3.1 Data Storage
- Local storage: POS data is stored locally on your device in app-private JSON cache files for offline functionality
- Cloud storage: Data syncs to Supabase (hosted on AWS) with PostgreSQL database, encrypted at rest
- Region: US-West-2 (Oregon)
- Retention: Data is retained for the life of your account plus 30 days after deletion
3.2 Security Measures
- All data transmitted via HTTPS/TLS encryption
- Database encrypted at rest (AES-256)
- Row Level Security (RLS) ensures merchants can only access their own data
- Staff PINs stored as SHA-256 hashes with unique salts
- Tamper-evident audit logs with hash chains
- JWT-based authentication with token refresh
- Payment credentials stored in Stripe's PCI-compliant infrastructure, not our database
4. Information Sharing
We do not sell your personal information. We share information only as follows:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Stripe, Inc. | Business info, transaction amounts, Stripe Terminal location signals | Payment processing, card-present payment security, and fraud prevention |
| Supabase (AWS) | All account and transaction data | Cloud storage and sync |
| Sentry | Crash reports, performance diagnostics, masked sampled session replay | Error monitoring and app reliability |
| Apple (Sign in with Apple) | Authentication tokens | Account authentication |
| Google (Google Sign-In) | Authentication tokens | Account authentication |
| Law enforcement | As required by law | Legal compliance |
5. Your Rights
5.1 All Users
- Access: View all your data through the app
- Correction: Update your information in Settings
- Deletion: Delete your account and all associated data through Settings > Legal & Privacy > Delete Account
- Export: Export transaction data via CSV through Analytics and Tax Report screens
5.2 California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your rights
To exercise these rights, contact support@taplypos.com.
5.3 EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access, rectify, or erase your personal data
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
Our legal basis for processing is: (a) performance of a contract (providing the Service), (b) legitimate interests (improving the Service), and (c) consent (optional features like marketing).
6. Merchant Obligations Regarding Customer Data
As a merchant using Taply Retail POS, you act as the data controller for your customers' personal information. You are responsible for:
- Obtaining appropriate consent from your customers before collecting their data
- Informing your customers how their data will be used
- Complying with applicable privacy laws in your jurisdiction
- Responding to your customers' data access and deletion requests
We act as a data processor on your behalf and process customer data only as necessary to provide the Service.
7. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
8. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware of the breach, in accordance with applicable laws.
9. Account Deletion
When you delete your account:
- Your account credentials are immediately deactivated
- All business data (transactions, products, customers, staff) is permanently deleted within 30 days
- Your Stripe connected account remains active (managed directly with Stripe)
- Backup copies are purged within 90 days
- Aggregate, anonymized analytics data may be retained
10. Cookies and Tracking
The Taply Retail POS mobile app does not use cookies, advertising identifiers, or third-party tracking. We use Supabase service metrics and Sentry diagnostics for crash reports, API performance, app hangs, and masked sampled session replay. These diagnostics are used to operate and improve the Service and are not used to track users across apps or websites.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by updating the "Last Updated" date and providing notice through the app. Continued use constitutes acceptance.
12. Contact
For privacy questions, data requests, or complaints:
2D Data LLC
Privacy Team
Email: support@taplypos.com
Website: taplypos.com