1. Introduction

Welcome to NexPOS, a product of StackNex Technologies LLP ("StackNex Technologies," "we," "us," or "our"). We are committed to protecting your privacy and ensuring the security of your personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our NexPOS point-of-sale system, website (stacknex.io), mobile applications, and related services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Data Controller

StackNex Technologies LLP is the data controller responsible for your personal data. Our contact details are:

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, phone number, company name, business type, and business address when you create an account
• Payment Information: Billing address, payment card details (processed securely through our payment partners Stripe, Razorpay, or other integrated gateways)
• Business Data: Product catalogs, inventory data, customer records, sales transactions, employee information, and other business data you enter into the POS system
• Communications: Information you provide when contacting our support team, participating in surveys, or providing feedback
• Identity Verification: Government-issued ID documents when required for compliance purposes

3.2 Information Collected Automatically

• Device Information: Device type, operating system, unique device identifiers, browser type and version
• Usage Data: Features used, actions taken, time spent on pages, navigation paths, and interaction patterns
• Log Data: IP address, access times, pages viewed, system activity, and hardware settings
• Location Data: Approximate location based on IP address, and precise location if you enable location services for features like store locator
• Cookies and Tracking: Information collected through cookies, pixels, and similar technologies (see our Cookie Policy)

3.3 Information from Third Parties

• Payment Processors: Transaction confirmation and fraud prevention data from Stripe, Razorpay, PayPal, and other payment partners
• Business Partners: Information from accounting software, e-commerce platforms, or other integrated services you connect
• Public Sources: Business registration information from public databases for verification purposes

4. How We Use Your Information

We use the collected information for the following purposes:

4.1 Service Delivery

• Providing, maintaining, and improving our POS system and Services
• Processing transactions and managing your subscription
• Enabling features like inventory management, sales reporting, and customer relationship management
• Providing customer support and responding to your inquiries
• Syncing data across your devices and locations

4.2 Business Operations

• Analyzing usage patterns to improve our products and user experience
• Developing new features and services
• Conducting research and analytics
• Managing our business relationships

4.3 Communication

• Sending service-related notifications, updates, and alerts
• Providing information about new features, products, or promotions (with your consent where required)
• Responding to your comments, questions, and requests

4.4 Security and Compliance

• Protecting against fraud, unauthorized access, and other illegal activities
• Enforcing our terms of service and other agreements
• Complying with legal obligations and regulatory requirements
• Responding to law enforcement requests and legal processes

5. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Services as per our agreement with you
• Legitimate Interests: Processing for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security
• Consent: Where you have given explicit consent for specific processing activities
• Legal Obligations: Processing necessary to comply with applicable laws and regulations

6. How We Share Your Information

We do not sell your personal information. We may share your data in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our platform:

• Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform for hosting and data storage
• Payment Processing: Stripe, Razorpay, PayPal, Mollie for secure payment handling
• Analytics: Google Analytics, Mixpanel for usage analytics (anonymized where possible)
• Communication: SendGrid, Twilio for email and SMS notifications
• Customer Support: Intercom, Zendesk for support ticket management

6.2 Business Transfers

In connection with any merger, acquisition, or sale of company assets, your personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Data Security

We implement comprehensive security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access controls and multi-factor authentication
• Infrastructure Security: SOC 2 Type II compliant cloud infrastructure
• Regular Audits: Periodic security assessments and penetration testing
• Employee Training: Regular security awareness training for all staff
• Incident Response: Documented procedures for security incident handling

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.

8. Data Retention

We retain your personal data for as long as necessary to:

• Provide our Services while you maintain an active account
• Comply with legal, accounting, and regulatory requirements
• Resolve disputes and enforce our agreements

After account closure, we retain certain data for up to 7 years for tax and legal compliance. Transaction records may be retained longer as required by financial regulations. You may request earlier deletion of non-essential data.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 Access and Portability

You have the right to access your personal data and receive a copy in a structured, machine-readable format. You can export your data from your account settings.

9.2 Correction

You can update or correct inaccurate personal data through your account settings or by contacting us.

9.3 Deletion

You can request deletion of your personal data, subject to legal retention requirements. We will delete or anonymize your data within 30 days of a valid request.

9.4 Objection and Restriction

You can object to certain processing activities or request restriction of processing in specific circumstances.

9.5 Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.

9.6 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected] or through your account settings. We will respond to valid requests within 30 days.

10. Data Storage & GDPR Compliance

10.1 Where We Store Your Data

10.2 GDPR Compliance

We are fully committed to complying with the General Data Protection Regulation (GDPR) for all users. Our compliance measures include:

• Lawful Basis: We process your data only with valid legal grounds (consent, contract performance, legitimate interests, or legal obligation)
• Data Minimization: We collect only the data necessary for providing our services
• Purpose Limitation: Your data is used only for the purposes disclosed in this policy
• Storage Limitation: We retain data only for as long as necessary
• Accuracy: We take steps to ensure your data is accurate and up-to-date
• Security: We implement appropriate technical and organizational measures to protect your data
• Accountability: We maintain records of processing activities and can demonstrate compliance

10.3 International Data Transfers

While our primary database is hosted in the EU, some of our service providers may process data outside the European Economic Area. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable (e.g., UK, Canada, Japan)
• Data processing agreements with all service providers
• Regular assessment of third-party compliance

10.4 US Customer Data Protection

For customers in the United States, we apply GDPR-equivalent protections and also comply with:

• California Consumer Privacy Act (CCPA) for California residents
• State-specific privacy laws as applicable
• PCI DSS for payment card data handling

11. Children's Privacy

Our Services are intended for business use and are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of our Services after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

14. Governing Law

This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. For users in the European Union, the General Data Protection Regulation (GDPR) applies to the extent of its applicability.