Commerce OS
DRAFT — pending legal-team review. This page describes the planned structure and policies for Commerce OS. It is not yet binding contractual language. Final reviewed copy lands before general-availability launch.

Privacy Policy

Effective date:

1. Overview

This policy describes how Commerce OS handles personal data. We act as a processor on behalf of our merchant customers; merchants are the controllers for their customers’ data and have their own privacy obligations.

We comply with GDPR, UK GDPR, CCPA, and CPRA. Specific endpoints implementing data-subject rights are documented on our security page.

2. What we collect

Account data: email, name, phone, password hash, MFA enrollment, role assignments, location scope.

Operational data: orders, payments (last-4 + brand only — no PAN), tips, time entries, schedule shifts, audit log entries.

Customer data on behalf of merchants: name, email, phone, order history, loyalty enrollment.

Telemetry: page views, named UI events with the actor’s user id (used for usage analytics + product improvement; anonymizable on request).

3. Why we collect it

To provide the platform’s core functionality — running orders, processing payments, generating reports.

To maintain a security audit trail (every write-path operation is logged with before/after diff for 7 years).

To enable merchant-facing product improvement (which dashboards do operators actually use? where do they spend time?).

To comply with legal obligations (IRS retention for financial records, FLSA for time-clock entries).

4. Who we share with

Sub-processors named in our security page (Stripe, Twilio, SendGrid, DoorDash, Uber Direct, Sentry, Render). Each receives only the data necessary to perform its function.

Legal compliance: we may disclose data to comply with valid subpoenas or court orders. We’ll notify the affected merchant unless legally prohibited.

We do not sell personal data. We do not share with marketing networks. We do not use customer or employee data for cross-merchant ML training.

5. Your rights

Right of access (GDPR Art. 15 / CCPA §1798.110): request a copy of all PII we hold via GET /auth/export-data.

Right of erasure (GDPR Art. 17 / CCPA §1798.105): request account deletion via DELETE /auth/account. A 30-day grace period applies; financial records are retained as required by regulation, with PII anonymized.

Right to rectification (GDPR Art. 16): via the standard PATCH /users/:id endpoint.

Right to data portability (GDPR Art. 20): same /auth/export-data endpoint returns machine-readable JSON.

Right to object (GDPR Art. 21): contact [email protected] to discuss specific processing activities.

6. Retention

Financial records: 7 years (IRS).

Time-clock entries: 3 years (FLSA).

Audit log: 7 years.

Page-view + UI-event telemetry: 13 months (anonymized earlier when a GDPR erasure request is processed).

Sentry crash reports: 30 days.

Backups: 30 days rolling.

7. Children

Commerce OS is built for businesses, their employees, and their adult customers. We do not knowingly collect personal data from anyone under 16. Merchants targeting minors (e.g. youth-focused services) are responsible for parental consent under COPPA / GDPR-K.

8. International transfers

Commerce OS is hosted in the United States. Merchants in the EEA / UK relying on Commerce OS as a processor benefit from Standard Contractual Clauses included in our Data Processing Addendum (request via [email protected]).

9. Changes to this policy

Material changes will be communicated via email at least 30 days before they take effect. Sub-processor additions are flagged in the same channel.

10. Contact

Privacy questions: [email protected]

DPA requests: [email protected]

Security disclosure: [email protected]