Overview
Stellar POS, Inc. ("Stellar POS," "we," "us," or "our") is committed to protecting the privacy of merchants and their customers. This Privacy Policy explains what information we collect through our point-of-sale platform, dashboard, mobile applications, and related services (collectively, the "Services"), how we use it, and your rights regarding that information.
We do not sell personal information. We do not rent personal information. We never will.
Information We Collect
Information You and Your Business Provide
| Category | Examples | Why We Need It |
|---|---|---|
| Account Information | Business name, owner name, email address, phone number, billing address | Account creation, billing, support communications |
| Payment Information | Credit/debit card details (processed and tokenized by Stripe — we never store full card numbers) | Subscription billing |
| Staff Information | Employee names, roles, 4-digit PINs (hashed), clock-in/clock-out times, hourly rates, payroll records | Time tracking, payroll calculations, access control |
| Business Operations Data | Menu items, prices, orders, transactions, inventory levels, daily sales figures | Core POS functionality, reporting |
| End-Customer Data | Restaurant guest names, email addresses, order history, loyalty point balances (collected through QR ordering and loyalty features) | Loyalty programs, QR ordering, re-engagement marketing |
Information Collected Automatically
- Usage Data: Features used, pages visited, button clicks, session duration, error logs
- Device Information: Device type, operating system version, app version, tablet identifier
- Network Information: IP address, general geographic location (city/region derived from IP)
- Performance Data: Load times, crash reports, API response times
Information from Third Parties
- Payment processors (Elavon, TSYS, Fiserv, Stripe) — transaction status, verification results
- Delivery platforms (DoorDash, Uber Eats, Grubhub) — order status and delivery confirmations
How We Use Your Information
- Provide the Services: Process orders, payments, manage your POS system, generate reports
- Payroll and Time Tracking: Calculate hours worked, wages, overtime, and generate payroll summaries
- Customer Support: Diagnose issues, respond to inquiries, provide remote assistance
- Security and Fraud Prevention: Detect unauthorized access, prevent fraudulent transactions, monitor anomalous refund patterns
- Product Improvement: Analyze aggregated usage patterns to improve features, fix bugs, and enhance performance
- Communications: Send transactional emails (receipts, alerts), security notifications, and — with explicit consent — product updates and marketing emails
- Legal Compliance: Comply with applicable laws, respond to lawful requests, enforce our Terms
We will never use your data to train AI models without your explicit consent.
Sharing and Disclosure
We do not sell, rent, or trade personal information. We share information only in the following limited circumstances:
Service Providers (Sub-Processors)
| Provider | Purpose | Data Shared |
|---|---|---|
| Railway | Cloud hosting and database infrastructure | All operational data (encrypted at rest) |
| Stripe | Subscription billing | Billing information only |
| Resend | Transactional email delivery | Email address, message content |
| Elavon / TSYS / Fiserv | Payment processing | Transaction data per processor requirements |
All sub-processors are bound by data processing agreements requiring them to protect data and use it only for specified purposes.
Legal Requirements
We may disclose information if required by law, court order, subpoena, or government request, or if necessary to protect the safety of any person, prevent fraud, or defend our legal rights. We will provide notice to affected merchants before disclosure where legally permitted.
Business Transfers
If Stellar POS is acquired, merged, or sells substantially all of its assets, Merchant Data may be transferred to the acquiring entity. We will provide 30 days' notice and merchants will have the option to export their data before the transfer.
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Business Data | Duration of active subscription + 30 days | Service provision; export window |
| Transaction Records | 7 years | IRS and state tax law requirements |
| Payroll Records | 4 years | IRS record-keeping requirement |
| Time & Attendance Records | 3 years | FLSA (Fair Labor Standards Act) |
| Security & Access Logs | 90 days | Security investigation |
| Backup Snapshots | 30 days rolling | Disaster recovery |
After retention periods expire, data is permanently deleted using industry-standard secure deletion methods and cannot be recovered.
Security
We implement the following security measures to protect your information:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Staff PINs stored as one-way cryptographic hashes — never in plaintext
- Full card numbers never stored — payment tokenization via certified processors
- Role-based access control with Manager PIN verification for high-risk actions
- Automatic rate limiting: 10 login attempts per 15 minutes per IP address
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options
- Automated anomaly detection for suspicious refund patterns
- Regular security assessments
Data Breach Notification: In the event of a confirmed data breach affecting personal information, we will notify affected merchants within 72 hours of discovery via email, as required by Washington State law (RCW 19.255) and applicable federal law.
California Privacy Rights (CCPA/CPRA)
Your Rights as a California Resident
- Right to Know: Request disclosure of the specific personal information we have collected about you in the past 12 months, including categories, sources, and purposes.
- Right to Delete: Request deletion of personal information we have collected about you, subject to legal retention obligations.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out action is required.
- Right to Limit Use of Sensitive Information: We use sensitive personal information (staff PINs, payroll data) only to provide the Services.
- Right to Non-Discrimination: We will not penalize you for exercising your CCPA rights.
To exercise these rights: privacy@stellarpos.us
We will respond within 45 days. We may need to verify your identity before processing your request.
Other Privacy Rights
Washington State. Washington residents have rights under the Washington My Health MY Data Act and other state laws. Contact privacy@stellarpos.us to exercise these rights.
European Users. If your business serves customers in the European Union or UK, GDPR may apply to your processing of EU customer data through our platform. Contact us for a Data Processing Addendum (DPA).
Opt-Out of Marketing. You may unsubscribe from marketing emails at any time via the unsubscribe link in any email. Transactional emails (receipts, security alerts) cannot be opted out of.
Children's Privacy
The Services are designed for use by businesses and are not directed to individuals under 18. We do not knowingly collect personal information from minors. If we discover we have inadvertently collected such data, we will delete it promptly. If you believe a minor's information has been submitted, contact privacy@stellarpos.us.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, the Services, or applicable law. For material changes, we will notify merchants via email at least 30 days before the effective date. The "Effective" date at the top reflects the most recent update. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Contact
Privacy inquiries and rights requests:
privacy@stellarpos.us
Stellar POS, Inc., Washington State, United States
We respond to privacy inquiries within 5 business days and to verified rights requests within 45 days.