Privacy Policy
Last updated: June 21, 2026
This Privacy Policy explains how posq ("posq", "we", "us") collects, uses, shares, and protects personal data in connection with the posq restaurant point-of-sale platform — the posq iPad POS app, the posq web admin portal, and the posq cloud API (together, the "Service"). We are committed to the principles of the EU General Data Protection Regulation (GDPR) and applicable Dutch law, and we apply equivalent protections to users in the United States and Canada.
1. Our role: controller and processor
For data about our own customers (the businesses that subscribe to posq) and for our marketing and account administration, posq acts as a data controller.
For data that a restaurant ("Customer") processes through the Service about its own staff and guests — such as orders and transaction records — the Customer is the controller and posq acts as a data processor on the Customer's behalf, governed by a Data Processing Agreement (DPA).
2. Data we collect
| Category | Examples |
|---|---|
| Account & operator data | Business name, contact name, email, phone, role, hashed credentials, location and team configuration. |
| Order & transaction data | Menu items ordered, prices, VAT amounts, discounts, payment method/result, timestamps, receipt and fiscalization records. |
| Device & technical data | Device identifiers, app version, IP address, log and diagnostic data, and security event records. |
| Support data | Messages and information you send us when requesting help. |
| Payment data | Card payments are processed by certified third-party processors. posq does not store full card numbers; we receive limited transaction metadata (e.g. amount, status, last digits). |
Order and transaction data generally relate to the business rather than to identified guests. Where a guest is identifiable (for example, a named reservation or loyalty record), that data is processed under the Customer's instructions.
3. Purposes & lawful bases
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide, operate and secure the Service | Performance of a contract (Art. 6(1)(b)) |
| Process orders, payments and produce fiscal/VAT records | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Comply with tax, accounting and record-keeping law | Legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, and service improvement | Legitimate interests (Art. 6(1)(f)) |
| Customer support and communications | Contract (Art. 6(1)(b)) / legitimate interests (Art. 6(1)(f)) |
| Marketing emails (where applicable) | Consent (Art. 6(1)(a)) or legitimate interests, with opt-out |
4. Data retention
We retain personal data only as long as necessary for the purposes above. Order, transaction, VAT and fiscalization records are retained for the period required by applicable tax and accounting law — in the Netherlands this is generally seven years. Account data is retained for the life of the subscription and for a limited period afterwards to allow export and to meet legal obligations. Diagnostic logs are kept for a short, rolling window. When data is no longer required, it is deleted or irreversibly anonymised.
5. EU data residency & international transfers
We host the Service and store personal data within the European Union (EU/EEA data residency). Where a sub-processor needs to process data outside the EU/EEA — for example to provide support to our US and Canadian operations — we rely on appropriate safeguards under the GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses (SCCs), together with supplementary measures where needed. For US and Canadian customers, data may be processed in-region in line with local expectations; details are available on request.
6. Processors & sub-processors
We use a limited set of vetted vendors to run the Service. Each is bound by data protection terms. The categories are:
| Sub-processor category | Purpose |
|---|---|
| Cloud infrastructure & hosting (EU region) | Compute, database and storage for the Service. |
| Payment processors (PCI-DSS certified) | Card payment authorisation and settlement. |
| Email & communications | Transactional and support email. |
| Error monitoring & analytics | Reliability, diagnostics and security. |
A current, named list of sub-processors is available on request at privacy@posq.app. We provide advance notice of material changes to enable controllers to object.
7. Your rights
Subject to applicable law, you have the right to access your personal data, to rectify inaccurate data, to request erasure ("right to be forgotten"), to restrict or object to certain processing, and to data portability. You may also withdraw consent at any time where processing is based on consent. US and Canadian residents may have comparable rights under state and provincial privacy laws (such as the right to access, delete, or opt out of certain processing).
To exercise your rights, contact privacy@posq.app. Where posq acts as a processor for a restaurant, we will refer your request to the relevant Customer (controller) and support them in responding. You also have the right to lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens.
8. Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls and role-based permissions, tenant isolation, audit logging, and least-privilege access for staff. No system is perfectly secure; we maintain processes to detect, respond to, and — where legally required — notify affected parties and authorities of personal data breaches.
9. Cookies & tracking
Our marketing website uses only the cookies necessary for the site to function and, where applicable, privacy-respecting analytics. The web admin portal uses cookies and similar technologies that are strictly necessary to keep you signed in and secure. We do not sell personal data, and we do not use third-party advertising trackers. Where consent is required for non-essential cookies, we will ask for it.
10. Children
The Service is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact privacy@posq.app and we will take appropriate steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here with a new "last updated" date and, for material changes, provide additional notice. Continued use of the Service after changes take effect constitutes acceptance.
12. Contact & Data Protection Officer
For any privacy question or to exercise your rights, contact our privacy team at privacy@posq.app.
Data Protection Officer (DPO): privacy@posq.app
[DPO name and direct contact to be appointed/confirmed].
Controller: posq · [Registered legal name, KvK number, and registered EU address to be completed] · The Netherlands.