Privacy policy

Last updated: 27 May 2026

This Privacy Policy explains how [Trading Entity Name] (ABN [ABN]) ("we", "us", "our") collects, uses, stores, and discloses personal information when you use Anywhere POS. We comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) and, where it applies, the EU General Data Protection Regulation (GDPR).

Anywhere POS is a multi-tenant point-of-sale platform used by hospitality operators (our "customers"). When a venue uses Anywhere POS to take your order, the venue is the data controller for the personal information it collects from you; we process that information on the venue's behalf as their service provider.

1. Personal information we collect

We collect the following categories of personal information:

  • Order information from diners and customers — name, email address, phone number, delivery or table address (when supplied), order history, and marketing preferences. This is collected when you place an order through a kiosk, QR menu, or staff-operated point of sale.
  • Payment information — payment card details are entered directly into Stripe's hosted forms and are never seen or stored by us. We retain only the last four digits, the card brand, and a Stripe-issued fingerprint for reconciliation and fraud detection.
  • Staff and operator information — name, email, phone number, and role for users granted administrative access to a venue's Anywhere POS account.
  • Device and technical information — IP address, browser type, device identifiers, and information about how you interact with our service, collected through cookies and similar technologies (see Section 6).
  • Communications — records of email and SMS messages we send on behalf of a venue (for example, order receipts and scheduled-pickup reminders).

2. How we use personal information

We use personal information to:

  • provide, operate, and improve the Anywhere POS service;
  • process orders and payments;
  • deliver transactional communications (receipts, pickup reminders, refund notifications) on behalf of the venue you ordered from;
  • send marketing messages where you have opted in to receive them from the venue (you can opt out at any time using the unsubscribe link in any message);
  • monitor and debug service errors so we can keep the platform reliable;
  • comply with our legal obligations, including the Australian Taxation Office's record-keeping requirements for financial transactions.

3. Where information is stored and how it is protected

Personal information is stored in a managed PostgreSQL database (Supabase) hosted in Australia. Data is encrypted at rest and in transit (TLS 1.2 or higher). Tenant data is isolated using row-level security so one venue cannot see another venue's information.

Access to production data by our staff is limited to those who need it to operate the service, is logged, and requires multi-factor authentication. Stripe handles all card-data processing; we hold SAQ A scope under PCI DSS. See our PCI compliance documentation for details.

4. Third parties we share information with

We use the following service providers to deliver the Anywhere POS platform. Each is bound by data-processing terms and is permitted to use the information only for the purposes we direct.

  • Stripe — payment processing. Card data is collected and stored by Stripe directly.
  • Supabase — database, authentication, and storage hosting (Australian region).
  • Vercel — application hosting and custom-domain management.
  • Resend or Google (Gmail OAuth) — outbound email delivery, configured per venue.
  • Twilio — outbound SMS delivery for venues that have enabled SMS notifications.
  • Sentry — error monitoring. We strip personal information from Sentry events before they leave the user's browser; see our PCI documentation for the scrubbing rules.
  • PostHog — product analytics. PostHog only runs when you have given consent through our cookie banner.
  • FreshKDS — kitchen-display routing, used by venues that have enabled the integration. Only order information is shared.
  • OpenRouter — AI model routing for the theming assistant. Prompts contain only branding and design data, never customer PII.

We do not sell personal information, and we do not transfer personal information overseas except where one of the third parties listed above operates internationally as part of its standard service. In each case the recipient is bound by privacy obligations substantially similar to the APPs.

5. How long we keep information

Order records (including financial totals, dates, and line items) are retained for a minimum of seven years to comply with the Australian Taxation Office's record-keeping requirements. Identifying information attached to old orders (customer email, phone, and name) is automatically anonymised once the configured retention window passes — by default, seven years from the order date. Venues may shorten this window in their privacy settings.

Anywhere POS account data is retained for as long as the account is active and for a reasonable period afterwards to handle billing disputes and legal obligations.

6. Cookies and analytics

We use cookies and similar technologies for three purposes:

  • Essential — required to operate the service (for example, to keep you signed in and to protect against cross-site request forgery). These cannot be turned off.
  • Analytics — PostHog product analytics, used to understand how the platform is used so we can improve it. Off by default; turned on only when you click "Accept all" or enable analytics in the cookie banner.
  • Session replay — Sentry session replay, used to reproduce errors. Off by default; turned on only when you opt in through the cookie banner.

You can change your cookie preferences at any time by clearing the cookie_consent cookie and refreshing the page, which will re-display the banner.

7. Your rights under the Australian Privacy Principles

You have the following rights:

  • Access (APP 12) — you may request a copy of the personal information we hold about you. Where you placed orders with a specific venue, contact that venue directly; they can run a Data Subject Rights export from their Anywhere POS admin and send it to you.
  • Correction (APP 13) — you may request that we correct information that is inaccurate, incomplete, or out of date.
  • Deletion — you may request that a venue delete your personal information. The venue's administrator can complete this through their Anywhere POS privacy settings. Financial records linked to your orders are retained as required by law, but identifying information is anonymised.
  • Marketing opt-out — every marketing message includes an unsubscribe link; you can also ask the venue to remove you from their list.
  • Complaint — if you believe we have breached the APPs, please contact us. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au).

8. Data breach notification

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we suffer an eligible data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as soon as practicable.

9. Children

Anywhere POS is not directed at children under 16. We do not knowingly collect personal information from children.

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the date of the most recent change. Material changes will be communicated through the service or by email to account administrators.

11. Contact

For privacy questions, requests, or complaints, contact us at hello@anywherepos.io.
