This Privacy Policy ("Policy") explains how RapidPay ("we", "us", or "our") collects, uses, stores, shares, and protects information when you ("you", "user", or "merchant") use the RapidPay POS applications for Android and iOS, the RapidPay desktop application, our administrative web portal, and the supporting backend services (collectively, the "Service").
By installing, accessing, or using the Service you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
RapidPay POS is operated by RapidPay (the "Operator"). The Operator is the data controller for the personal data processed in connection with the Service, except where the merchant using the Service acts as the data controller for end-customer data they collect (see Section 2).
For privacy questions, data subject requests, or to reach our Data Protection Officer, contact us at privacy@rapidpaygroup.com.
This Policy covers all RapidPay applications and services, including:
rapidpaygroup.com and related subdomains.Two-tier processing model. RapidPay is sold to businesses (merchants). When merchants use RapidPay to serve their own customers (e.g., taking restaurant orders, issuing invoices), the merchant is the controller of their end-customer data and RapidPay acts as a processor for that data on the merchant's behalf, governed by a separate Data Processing Agreement. RapidPay is the controller for merchant-account data, application telemetry, and subscription billing data described in this Policy.
When a merchant signs up or is provisioned to use the Service, we collect:
While the Service is in use, we process:
To comply with country-specific cash register and electronic invoicing regulations, we process:
If the merchant enables integrations:
| Purpose | Data used |
|---|---|
| Operate the point-of-sale system (process orders, print receipts, manage tables, generate Z-reports) | Operational, transactional, device, and merchant data |
| Comply with cash-register and electronic-invoicing law (Fiskaly, VeriFactu, etc.) | Fiscal compliance data, transactional data |
| Authenticate users and devices, prevent unauthorized access | Account data, device unique keys, login timestamps |
| Manage subscriptions, deliver licensed features, prevent fraud against subscriptions | Subscription/billing data, device unique keys |
| Provide customer support and troubleshoot incidents | Account data, crash reports, device/technical data |
| Improve product reliability and performance | Aggregated/anonymized telemetry, crash reports |
| Send service-critical notifications (license expiration, security alerts, mandatory updates) | Account data, contact details |
| Comply with legal obligations (tax records, requests by competent authorities) | Any of the above as required by law |
For users in the European Economic Area, the United Kingdom, and other jurisdictions where the GDPR or equivalent applies, we rely on the following legal bases:
We share data only with the categories of recipients necessary to deliver the Service:
| Recipient / Processor | Purpose | Region |
|---|---|---|
| Apple Inc. | App distribution, App Store subscription billing | USA, Ireland |
| Google LLC (Google Play) | App distribution, Play Store subscription billing | USA, Ireland |
| RevenueCat, Inc. | Subscription entitlement verification, webhook lifecycle | USA |
| Fiskaly GmbH | German TSE signing service | Germany / Austria |
| VeriFactu / AEAT | Spanish e-invoice verification (statutory) | Spain |
| DATEV eG | German bookkeeping export (when merchant connects) | Germany |
| Hubrise | Delivery-platform order routing (when merchant connects) | EU |
| Cloudflare, Inc. (R2) | Object storage for receipts, reports, backups | EU / global |
| Amazon Web Services / Google Cloud | Backend hosting, transactional database, observability | EU regions, where available |
| Twilio, Inc. / Vonage | Outbound SMS notifications (when feature enabled) | USA, EU |
| Google LLC (Drive) | Optional document storage (when merchant authorizes) | USA, EU |
| MongoDB, Inc. | Sales-data datastore | EU (managed) |
| Competent authorities | Tax, fiscal, or legal compliance — only when legally compelled | Country of operation |
All third-party processors are bound by contractual obligations to process data only on our instructions and to apply technical and organizational measures consistent with applicable data-protection laws.
Data may be transferred to and processed in countries outside your country of residence, including the United States. Where data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards (encryption in transit and at rest, access controls, regional data residency where supported).
| Data type | Retention period |
|---|---|
| Account and merchant data | Duration of the active subscription, plus up to 24 months after termination for billing reconciliation and legal claims, unless deletion is requested earlier (subject to statutory requirements). |
| Transactional and fiscal data | Up to 10 years where required by tax/fiscal law (Germany §147 AO, Spain LGT Art. 66, Turkey VUK), even after subscription termination. |
| Subscription/billing webhook events | Up to 7 years for accounting and audit purposes. |
| Crash reports, error logs | 90 days, then automatically purged. |
| Authentication tokens | Until expiry or logout (typically 30 days for refresh tokens). |
| Security and audit logs | 12 months, longer if needed to investigate an incident. |
We apply technical and organizational measures appropriate to the risks of the processing, including:
Despite these measures, no system is 100% secure. If we become aware of a security incident affecting your data, we will notify you and the relevant authorities as required by applicable law.
Subject to applicable law (GDPR, UK GDPR, Turkish KVKK, California CCPA/CPRA, etc.), you have the right to:
To exercise these rights, contact us at privacy@rapidpaygroup.com. We will respond within 30 days (or the period required by applicable law).
The Service is intended for use by businesses and adults responsible for a business operation. It is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
The Android and iOS apps request only the permissions necessary for the features the merchant uses:
| Permission | Reason | When requested |
|---|---|---|
| Internet / Network state | Communicate with the backend API | Always required |
| Camera | Scan barcodes / QR codes for products and discount codes | Only when the user opens a barcode scanner |
| Bluetooth (Android) / Local Network (iOS) | Connect to printers, payment terminals, scales, kitchen displays | Only when the merchant pairs a peripheral |
| Notifications | Order alerts, payment status, license alerts | At app start (user can decline) |
| Storage / Photos (Android) | Save reports and receipts to device storage if exported | Only when the user exports a file |
| Foreground service (Android) | Keep the POS responsive while orders are being processed | While the app is open |
You can revoke any permission at any time through your operating-system settings. Some features will be unavailable when the corresponding permission is denied.
Subscription billing for the RapidPay POS apps is handled exclusively by:
We use RevenueCat to verify your subscription entitlement and to deliver lifecycle webhooks to our backend. RevenueCat receives an anonymized App User ID and the product identifier you purchased; we map that App User ID to your device installation key.
Refunds are governed by the platform you used to subscribe. To request a refund, contact Apple Support or Google Play Support directly. Cancelling a subscription does not delete your account or your fiscal records, which are retained as described in Section 8.
The mobile apps do not use browser cookies. The web administrative portal uses strictly necessary cookies for authentication (session cookies, anti-CSRF tokens) and JWT bearer tokens passed via HTTPS. We do not use third-party advertising cookies or cross-site tracking.
We may update this Policy from time to time. The "Last Updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the app, by email, or through a notice in the administrative portal at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
For privacy-related questions, requests under Section 10, or to report a concern:
If you believe your data-protection rights have been violated and we have not resolved your concern, you have the right to lodge a complaint with your local data-protection authority. For users in the EEA, a list of authorities is available at edpb.europa.eu.