Privacy Policy

1 Data Controller

The data controller responsible for your personal information is:

If you have any questions about how we handle your data, contact us at the email above.

2 What We Collect

Account & Identity Data

• Email address (used for login and account management)
• Password (stored as a cryptographic hash — we never see the plaintext)
• Name or display name (optional, for team features)
• User role within your team (owner, manager, bartender)

Business & Inventory Data

• Inventory items you create: names, quantities, barcodes, par levels, prices
• Supplier details you enter
• Stock take records, waste logs, shrinkage logs, and stockout logs
• Delivery notes and order records
• Location names and settings (e.g. "Front Bar", "Cellar")

Team Data

• Email addresses of team members you invite
• Activity logs (who updated which item and when)
• Shift leaderboard points (if enabled)

Payment Data

• Subscription plan and billing status
• Payment card details are processed directly by Stripe — BarSync never stores or sees your full card number

Device & Usage Data

• Device type and operating system version (for crash reporting and compatibility)
• App version
• Feature usage patterns (e.g. which screens you visit) to improve the product
• IP address (collected by our backend infrastructure, Supabase)

Camera

BarSync requests camera permission solely to scan product barcodes during inventory management. We do not store, transmit, or process any photos or video. Camera access is used only in real-time while you are actively scanning a barcode.

Uploaded Documents

If you use the delivery note / document analysis feature, you may upload images or PDF files. These are sent to our AI processing pipeline for text extraction and are not stored permanently after processing.

3 How We Use Your Data

• Providing the service: Authenticating your account, storing and displaying your inventory data, enabling team collaboration.
• Billing: Managing your subscription and processing payments via Stripe.
• Notifications: Sending low-stock alerts and system notifications relevant to your account.
• Support: Diagnosing bugs and responding to support requests.
• Improvement: Analysing aggregated, anonymised usage patterns to improve features. We do not build individual profiles for advertising.
• Legal compliance: Retaining records as required by applicable law.

We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising or profiling.

4 Legal Basis (GDPR)

For users in the United Kingdom and European Economic Area, we process your data under the following lawful bases:

• Contract (Article 6(1)(b)): Processing necessary to provide the BarSync service you signed up for.
• Legitimate interests (Article 6(1)(f)): Product analytics and security monitoring, where your rights and freedoms are not overridden.
• Legal obligation (Article 6(1)(c)): Retaining billing records as required by financial regulations.
• Consent (Article 6(1)(a)): Where we ask for specific consent, such as camera access — you may withdraw consent at any time in your device settings.

5 Third-Party Services

BarSync uses the following sub-processors. Each has been selected for GDPR compliance and industry-standard security practices.

All data is stored on Supabase infrastructure. Supabase uses Amazon Web Services data centres. Data for UK/EU users is stored in the EU (eu-west region) unless your account was configured otherwise.

6 Data Retention

• Active accounts: Data is retained for as long as your account is active.
• Deleted accounts: Personal data is deleted within 30 days of account deletion. Anonymised, aggregated usage statistics may be retained indefinitely.
• Billing records: Payment records are retained for 7 years to comply with UK financial regulations.
• Uploaded documents: Processed and discarded — not stored after analysis is complete.
• Backups: Database backups are retained for up to 30 days and then deleted automatically.

7 Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data ("right to be forgotten").
• Portability: Receive your data in a machine-readable format.
• Restriction: Request that we restrict processing of your data.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Withdraw camera permission at any time in iOS Settings → BarSync.

To exercise any of these rights, email dadosantosg@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are in the UK.

8 Security

• All data is transmitted over HTTPS/TLS.
• Passwords are hashed using bcrypt and never stored in plaintext.
• Database access is restricted by Row Level Security (RLS) — users can only access their own team's data.
• API keys and secrets are stored as environment variables, never in the app bundle.
• Payment data is handled entirely by Stripe — BarSync never touches raw card details.

If you discover a security vulnerability, please report it responsibly to dadosantosg@gmail.com.

9 Children's Privacy

BarSync is a professional business tool designed for adults operating bars and restaurants. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account, please contact us immediately and we will delete the account.

10 Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email and/or through an in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of BarSync after the effective date of a change constitutes acceptance of the updated policy.

11 Contact Us

For any privacy-related questions, data requests, or concerns: