Privacy Policy
Last updated: February 14, 2026
1. Information We Collect
Account Information (collected at registration)
- Full name, email address, phone number, country
- Password (stored using industry-standard one-way hashing — we never store plain text passwords)
- Google account ID (if you use Google Sign-In)
- Terms acceptance timestamp
Business Data (entered by you during use)
- Company details (name, address, business type, tax settings)
- Customer records (names, emails, phones, addresses, credit balances)
- Products and inventory (items, SKUs, barcodes, prices, stock levels)
- Financial data (sales, purchases, invoices, payments, accounting entries)
- Employee and HR data (names, salary structures, payroll records)
- Vehicles, work orders, appointments (for auto service businesses)
- Restaurant data (tables, orders, reservations, recipes)
- Uploaded files (logos, photos, documents, inspection images)
Automatically Collected Information
- IP address (used only for GeoIP currency detection; not stored permanently)
- Device type and browser information (from HTTP headers)
- Login timestamps and last active timestamps
- Activity logs within the platform (actions performed within your company)
2. How We Use Your Information
- Provide our services: Process transactions, manage inventory, generate reports, and run your business operations
- AI-powered features: Analyze your business data to provide chat-based insights, detect anomalies, and suggest optimal settings (see Section 5)
- Communications: Send OTP verification codes, staff invitation emails, and configurable business notifications (appointment reminders, order updates, delivery notifications)
- Billing: Process subscription payments, manage wallet credits, and apply volume discounts
- Security: Detect unauthorized access, enforce Row Level Security, and log suspicious activity
- Improvement: Monitor error rates and performance to improve platform reliability
We do NOT:
- Sell your personal or business data to third parties
- Use your business data for advertising purposes
- Share your data with other tenants on the platform
- Intentionally use your data to train AI models (see Section 5 for details on third-party AI processing)
3. Data Storage & Security
- Encryption: All data is encrypted in transit (TLS/HTTPS). Data at rest is encrypted by our infrastructure providers (database and file storage)
- Row Level Security (RLS): Every tenant's data is isolated at the database level using database-level Row Level Security policies across all data tables. Your business data cannot be accessed by other tenants through the application
- Tenant Isolation: Each company operates in a completely isolated data context with unique tenant identifiers
- File Storage: Uploaded files are stored on encrypted cloud storage, organized by tenant with access controls
- Authentication: Secure token-based sessions, industry-standard password hashing, and email OTP verification
- Infrastructure: Hosted on secure cloud infrastructure with managed databases
4. Third-Party Services
We use the following third-party services to operate the platform. We only share the minimum data necessary for each service to function:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini | Primary AI processing | Business metrics for generating AI responses |
| DeepSeek | Fallback AI processing | Same as above (used when primary provider is unavailable) |
| PayHere | Payment processing | Billing name, email, subscription amount |
| Email Service | Transactional email delivery | Email addresses, notification content |
| Cloud Storage | File storage | Uploaded files (logos, photos, documents) |
| GeoIP Service | GeoIP detection | Your IP address (for currency display only; not stored) |
| Google OAuth | Social login (optional) | Google account ID, email, name |
| SMS Providers | SMS notifications (if enabled) | Phone numbers, notification content |
5. AI Data Processing
- What is processed: Aggregated business metrics (daily sales totals, top-selling items, stock levels, customer summaries, staff performance metrics)
- How it's processed: Your questions and relevant business data are sent to AI providers to generate natural language responses
- Rate limits: AI requests are rate-limited per tenant to prevent abuse
- Error analysis: Application errors may be analyzed by AI to improve reliability. Sensitive data (passwords, tokens) is stripped before processing
- Data usage: We do not use your business data to train AI models. Data is sent to third-party AI providers (Google Gemini, DeepSeek) solely to generate responses. These providers have their own data handling policies — we recommend reviewing their respective privacy policies for details
- Optional: AI features are supplementary. The platform is fully functional without AI features enabled
6. Cookies
- Essential Cookies: Authentication session tokens and user preferences (theme, language). Required for the platform to function. Cannot be disabled.
- Analytics Cookies: If analytics services are active, we use cookies to understand usage patterns. You can opt out through Cookie Settings.
- Marketing Cookies: We do not use marketing or advertising cookies.
You can manage your cookie preferences through the Cookie Settings available in the website footer.
7. Email & SMS Communications
System Emails
- OTP verification codes during registration (required)
- Staff invitation emails (triggered by business owner)
Business Notifications
- Appointment confirmations and reminders
- Work order completion and invoicing notifications
- Sale receipts, delivery updates, reservation confirmations
- Configurable per business — can be enabled or disabled by the business owner
We do not send unsolicited marketing emails. You may manage your notification preferences through your account settings.
8. Data Retention
- Active accounts: Your data is retained for as long as your account is active
- Company deletion: When you delete a company, all associated business data is permanently deleted through a cascade deletion process across all data tables, including uploaded files
- Expired subscriptions: Locked companies are permanently deleted 7 days after locking. You will receive warnings before deletion.
- Account data: Your account-level information (email, name, phone, preferences) is retained until you request account deletion
- Account deletion: Upon request, your personal account data will be removed within 30 days, except where required by law
- Backups: Database backups may retain deleted data for up to 30 days for disaster recovery purposes
9. Your Rights
You have the right to:
- Access your personal and business data at any time through the platform
- Correct inaccurate personal information through your account settings
- Export your business data in Excel, CSV, or print formats (18+ report types plus entity-level export)
- Delete your company and all associated data (requires password confirmation)
- Request full account deletion by contacting support
- Opt out of non-essential email and SMS notifications through notification preferences
- Manage cookie preferences through the Cookie Settings
10. Children's Privacy
RetailSmart ERP is a business management platform intended for users aged 18 and above. We do not knowingly collect information from children under 18. If we learn that we have collected data from a child under 18, we will delete it promptly.
11. International Data Processing
Your data may be processed in jurisdictions outside your country of residence (including for AI processing and cloud infrastructure). We ensure that adequate data protection measures are in place regardless of where your data is processed.
12. Changes to This Policy
- We may update this Privacy Policy from time to time
- Material changes will be communicated via email at least 30 days in advance
- The "Last updated" date at the top of this page will reflect the most recent revision
- Your continued use of the platform after changes take effect constitutes acceptance
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out through our contact page or email [email protected].