Privacy policy

GhostPOS is operated by Ghost Technology FZ-LLC ("we", "us", "Ghost Technology"), a free-zone company registered in Dubai, United Arab Emirates. We provide point-of-sale software to cafés and restaurants in the UAE.

This policy explains what personal data we collect when you use GhostPOS, why we collect it, how we use and protect it, and the rights you have under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL").

We collect the minimum data needed to run a multi-tenant POS. The categories below correspond to who is using the product.

From the business that signs up (the tenant)

• Business name, country, currency, timezone.
• Tax Registration Number (TRN), when VAT is enabled.
• The billing details you give us for manual bank-transfer payments (reference, the fact that a transfer was received, the amount). We do not store payment card numbers — GhostPOS has no card-payment integration.

From managers and super-admins

• Name, email address, hashed password (we never store plaintext).
• UAE mobile number, collected at signup as self-attested contact information (no SMS verification). We use it only to contact you about your account (support, billing, and trial follow-up). It is not shared with marketing partners.
• The branches you are permitted to manage.
• The actions you take in the manager dashboard (audit log).

From cashiers

• Display name and the branches you are assigned to.
• A 4-digit PIN, stored only as a salted bcrypt hash — we cannot recover or read the original PIN.
• The orders you open, modify, and close, plus till-session events (audit log).

From customer orders

• Order line items, totals, VAT, payment method, optional table label or order number.
• We do not ask the cashier to capture customer identity, phone numbers, or loyalty data in the current version of the product.

Technical and security data

• A hashed device-pairing token for each paired iPad, plus device ID and the branch it is paired to.
• Server-side request logs (timestamp, function name, duration, outcome) for debugging and security.
• Rate-limiting counters keyed by IP address or device ID to defend against brute-force and abuse.

Each category above is used for one or more of the following purposes, on the legal bases shown:

• To provide the service — authenticate users, record orders, compute VAT, run reports, generate receipts. Legal basis: performance of a contract with the tenant.
• To meet legal and tax obligations — keep VAT and sales records for the period required by UAE law. Legal basis: legal obligation (Federal Tax Authority requirements).
• To protect the service and users — detect abuse, brute-force attempts, and unusual access patterns. Legal basis: legitimate interest.
• To bill the tenant — track installments and overdue amounts, send (when implemented) trial-ending and payment-overdue notices. Legal basis: performance of a contract.

We do not use personal data for marketing, advertising, profiling, or selling to third parties.

We only share data with the sub-processors we need to run the service. We do not sell data to anyone, ever.

• Google Cloud (Google LLC) — hosts our backend (Cloud Functions, Cloud SQL Postgres) and the realtime mirror (Firestore). Bound by Google's enterprise data-processing terms.
• Firebase Authentication (Google LLC) — handles sign-in, session tokens, and password storage for managers and super-admins.
• Firebase Hosting (Google LLC) — serves the public-facing websites at ghostpos.app, dashboard.ghostpos.app, and admin.ghostpos.app.

If we add a new sub-processor (for example an email-delivery provider), we will update this policy and notify affected tenants in advance.

Data is currently stored in Google Cloud's us-central1 region (Iowa, United States). We are evaluating moving production data to a Middle-East region; if we do, we will update this policy and notify tenants.

International transfers outside the UAE are protected by the standard contractual safeguards provided by our sub-processors and, where required by PDPL, by additional agreements with the tenant.

• Financial and VAT records (orders, payments, invoices, audit log of money mutations) — kept for at least the period required by UAE tax law (currently 5 years from the end of the tax period; up to 15 years for real-estate-related records). We retain these even after an account is closed.
• User account data — kept while the tenant account is active. On account closure, we soft-delete user records and hard-delete after a 30-day grace period (subject to the financial-records exception above).
• Server logs — kept for up to 90 days for debugging and security review, then removed.
• Idempotency keys and rate-limit counters — kept for up to 30 days, then automatically pruned.

• All connections use TLS (HTTPS) end-to-end.
• Data is encrypted at rest by Google Cloud.
• Passwords and PINs are stored only as salted hashes (bcrypt). We cannot read your password or PIN.
• Access is role-based: cashiers cannot see other branches, managers cannot see other tenants, super-admin actions are themselves audit-logged.
• The backend re-checks every request against the caller's identity and tenant — we never trust what the client says.
• Every money-affecting action (charge, refund, discount, void) writes an append-only audit row inside the same database transaction.

If we ever experience a personal-data breach that is likely to result in risk to your rights, we will notify the UAE Data Office and affected users without undue delay, and at the latest within the timeframe required by PDPL.

You have the following rights with respect to your personal data:

• Right of access — ask us what data we hold about you and receive a copy.
• Right to correction — ask us to correct inaccurate or incomplete data.
• Right to erasure — ask us to delete your data, subject to our obligation to keep financial records for the tax periods required by UAE law.
• Right to restrict processing — ask us to limit what we do with your data in certain circumstances.
• Right to data portability — receive your data in a machine-readable format (JSON).
• Right to object to processing carried out on the basis of our legitimate interests.
• Right to withdraw consent at any time, where processing relies on consent.
• Right to lodge a complaint with the UAE Data Office if you believe we have not complied with PDPL.

To exercise any of these rights, email admin@ghosttechnology.ae. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

The GhostPOS web apps use only the essential cookies and local storage needed to sign you in and keep you signed in (handled by Firebase Authentication). We do not use:

• Marketing or advertising cookies.
• Cross-site tracking pixels.
• Third-party analytics (Google Analytics, Meta Pixel, etc.).

The iPad cashier app uses only local device storage for the paired device token and short-lived auth state. It does not include third-party trackers or advertising SDKs. See our iOS app privacy manifest for details.

GhostPOS is a business product. We do not knowingly collect data from people under the age of 18. If you believe a child has provided us with data, contact us and we will delete it.

We will update this policy when our practices change. The "Effective" date at the top of the page reflects the most recent change. For material changes, we will notify tenants by email or in-app before the change takes effect.

For privacy-related requests, including any of the rights listed in section 8:

admin@ghosttechnology.ae

For general support questions:

support@ghostpos.app

Ghost Technology FZ-LLC · Dubai, United Arab Emirates