Privacy Policy

Privacy Policy — Nastrum POS

Effective date: April 20, 2026 · Last updated: April 20, 2026

Nastrum (“we”, “our”, or “us”) operates the Nastrum POS mobile application and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect information when you use Nastrum POS. By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Who We Are

Nastrum POS is operated by Nastrum. For privacy-related inquiries, contact us at:

2. Information We Collect

2.1 Information You Provide Directly

Account information:

  • Full name and email address (used to create and identify your account)
  • Password (stored as a secure hash — we never see your plain-text password)
  • Business name, address, country, and currency

Business operational data:

  • Products, categories, prices, stock levels, and barcodes you enter into the app
  • Customers' names and phone numbers (if you choose to capture them at point of sale)
  • Transaction records including items sold, amounts, payment methods, and dates
  • Staff profiles including display names, email addresses, assigned roles, and PIN hashes (PINs are never stored in plain text)
  • Purchase orders and supplier information

Subscription and billing information:

Plan selection (Starter, Pro, or Business). Billing is processed entirely by Stripe. We do not store credit card numbers, card expiry dates, or CVV codes at any time. See Section 5 for details.

2.2 Information Collected Automatically

  • Device information: device model, operating system version, and app version (used for debugging and compatibility)
  • Usage logs: feature usage patterns, crash reports, and error logs (used to improve the app)
  • IP address: collected by our infrastructure providers as part of normal network operation

2.3 Information We Do Not Collect

  • We do not collect precise GPS location
  • We do not access your contacts, photos, or files outside of the app's own functions
  • We do not collect biometric data
  • We do not run advertising trackers or sell your data to any third party

3. How We Use Your Information

We use the information we collect to:

| Purpose | Basis |
| --- | --- |
| Create and manage your account | Contract performance |
| Operate the POS, process sales, manage stock | Contract performance |
| Send receipts and transactional notifications | Contract performance |
| Process subscription billing via Stripe | Contract performance |
| Provide customer support | Legitimate interest |
| Detect and prevent fraud or abuse | Legitimate interest |
| Comply with legal obligations (tax records, law enforcement requests) | Legal obligation |
| Improve the app through aggregated, anonymised analytics | Legitimate interest |

We do not use your business transaction data for advertising, profiling, or sale to third parties.

4. Data Sharing

We share data only with the following categories of recipients, and only as necessary to operate the Service:

4.1 Infrastructure and Technology Providers

| Provider | Role | Data shared | Privacy policy |
| --- | --- | --- | --- |
| Supabase | Database and authentication | All account, business, and transaction data | supabase.com/privacy |
| Cloudflare | Product image and branch logo storage | Uploaded images only | cloudflare.com/privacypolicy |
| Stripe | Subscription billing | Account owner name, email, and subscription plan | stripe.com/privacy |
| Expo / EAS | App build and delivery | App binary only — no user data | expo.dev/privacy |

All providers are contractually bound to handle data securely and are prohibited from using your data for their own marketing purposes.

4.2 Legal Disclosure

We may disclose information if required by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation
  • Protect the safety of any person
  • Prevent fraud or illegal activity
  • Protect our legal rights

4.3 Business Transfers

If Nastrum is acquired, merged, or sells substantially all of its assets, user data may transfer to the acquiring entity. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different privacy policy.

4.4 What We Never Do

We never sell, rent, or trade your personal data or your customers’ data to any third party for commercial purposes.

5. Payment Data

Subscription payments are handled entirely by Stripe, Inc. When you enter payment details, they go directly to Stripe’s secure servers. Nastrum never receives or stores your full card number, expiry date, or CVV.

What we do store:

  • Your Stripe Customer ID (an anonymised reference token)
  • Your current subscription plan and billing status
  • Subscription start date and next renewal date

For Stripe’s data practices, see: stripe.com/privacy

6. Data Stored on Your Device

Nastrum POS is offline-first. The app stores a local copy of your business data (products, transactions, settings) on your device using encrypted local storage. This allows the app to work without an internet connection.

  • This data is not accessible to other apps on your device
  • If you uninstall the app, all local data is deleted from your device
  • Your data is synchronised to Supabase when an internet connection is available

7. Data Retention

| Data type | Retention period |
| --- | --- |
| Account and business data | Retained for the life of your account, plus 90 days after deletion request |
| Transaction records | Retained for 7 years (required for business accounting compliance in most jurisdictions) |
| Staff profiles | Deleted when deactivated, or when the business account is deleted |
| Device and usage logs | 90 days rolling |
| Stripe billing records | Retained as required by Stripe and applicable financial regulations |

When you request account deletion (by emailing support@nastrumpos.com), we will delete your account and all associated data within 30 days, except where retention is required by law (e.g. financial records).

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All users

  • Access: Request a copy of the data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and associated data
  • Portability: Request your transaction data in CSV format (available in-app via Reports > Export)

European Union and United Kingdom users (GDPR)

In addition to the above:

  • Right to object: Object to processing based on legitimate interests
  • Right to restrict: Request that we restrict processing of your data in certain circumstances
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection authority

Indian users (IT Act 2000 / DPDP Act)

You have the right to access, correct, and request erasure of your personal data.

Saudi Arabian users (PDPL)

You have the right to be informed, access, correct, and request deletion of your personal data.

To exercise any of these rights, email us at support@nastrumpos.com with the subject line “Privacy Request”. We will respond within 30 days.

9. Data Security

We implement the following security measures:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted by Supabase and Cloudflare using AES-256
  • Passwords are hashed using bcrypt — plain-text passwords are never stored
  • Staff PINs are hashed — plain-text PINs are never stored
  • Row-Level Security (RLS) is enforced at the database level — each business can only access its own data
  • Account access is protected by email + password authentication
  • Suspicious login activity triggers account review

No system is 100% secure. If you discover a security vulnerability, please report it to support@nastrumpos.com.

10. Children's Privacy

Nastrum POS is a business management application intended for use by adults (18 years of age or older). We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided personal information, we will delete it promptly. If you believe a child has used our Service, please contact us at support@nastrumpos.com.

11. International Data Transfers

Your data is stored on servers operated by Supabase and Cloudflare, which may be located outside your country of residence. These transfers are subject to appropriate safeguards (Standard Contractual Clauses for EU users, or equivalent mechanisms for other regions).

By using the Service, you consent to the transfer of your information to these infrastructure providers in accordance with this Privacy Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send a notification to your registered email address
  • Show an in-app notice on your next login

Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

For any privacy-related questions, requests, or complaints:

Nastrum POS is a product of Nastrum.