Privacy Policy
Last updated: March 2026
1. Introduction
BevSync ("we," "us," or "our") operates a business-to-business (B2B) software-as-a-service platform for bars, restaurants, and hospitality businesses. Our platform helps you track inventory, optimize pour costs, compare distributor pricing, manage brand deals, and analyze sales data.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. It applies to all users of the BevSync platform at bevsync.net, including Organization Owners, Managers, and all team members.
By using BevSync, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2a. Information You Provide Directly
- Account information — email address, full name, phone number (optional)
- Organization details — business name, industry, website URL, phone number, billing email, logo
- Location details — venue name, physical address (street, city, state, zip code), geographic coordinates, timezone
- Team member invitations — invitee email address, assigned role, assigned location access
- Distributor contacts — distributor name, contact name, email, phone, sales rep details, account number
- Brand/supplier contacts — brand name, contact name, email, phone, account number
2b. Information Generated Through Use
- Product data — beverage products with names, categories, tiers, bottle sizes, UPC codes, SKUs
- Pricing data — wholesale costs, menu prices, markup percentages, rebates per case
- Inventory data — physical count quantities, par levels, storage area assignments
- Sales data — POS-synced data including sales totals, item quantities, timestamps (customer PII is stripped before storage — see Section 5)
- Financial data — brand deal amounts, purchase order totals, waste cost tracking, savings calculations
- Recipe data — cocktail/recipe names, ingredient quantities, menu prices
- Waste data — waste type (comp, spillage, breakage, shift drink, training, tasting, expired), quantities, approval status
2c. Information Collected Automatically
- Authentication session — a JSON Web Token stored in HTTP-only cookies, managed by Supabase Auth (refreshed on each request)
- Active organization cookie — your current Organization ID for multi-org switching (1 year duration)
- IP address — logged in the audit trail only for unauthorized access attempts
- Last login timestamp — updated on each login
- Audit trail — action type, entity type, entity ID, old/new values, user ID, and timestamp for significant actions
- Browser localStorage — recent search queries only (bevsync:recent-searches); this stays in your browser and is never transmitted to our servers
2d. Information We Do Not Collect
- No payment card or billing information (no payment processor is integrated)
- No third-party analytics or tracking data (no Google Analytics, Mixpanel, etc.)
- No advertising tracking pixels or retargeting
- No browser fingerprinting
- No geolocation tracking beyond addresses you enter
- No end-consumer (customer) data — PII from POS data is stripped before storage
- No biometric data
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service — authenticate your identity, display your data, run analytics, generate reports, and enable all platform features
- Sync POS data — import and process sales data from connected point-of-sale systems
- Calculate analytics — generate pour cost calculations, variance analysis, savings opportunities, and inventory valuations
- Send transactional emails — account invitations, welcome messages, password resets, email change confirmations, trial milestone notifications, and report-ready notifications
- Send notification digests — configurable email summaries of in-app notifications (daily, weekly, or monthly — you can set frequency to "never")
- Maintain security — rate-limit authentication endpoints, log audit trails, detect unauthorized access attempts
- Improve the Service — understand usage patterns to prioritize features, fix bugs, and improve performance
- Provide support — respond to your questions and troubleshoot issues
4. Legal Basis for Processing
We process your information on the following legal bases:
- Contract performance (primary basis) — processing is necessary to provide the Service you signed up for, including account management, inventory tracking, analytics, POS synchronization, and email notifications related to your account.
- Legitimate interest — processing for security purposes (rate limiting, audit logging, fraud prevention), service improvement, and maintaining platform integrity. We balance these interests against your privacy rights.
- Consent — where applicable, for optional features such as marketing emails (if introduced in the future) and optional POS connections that you explicitly initiate and authorize.
5. POS Data & PII Handling
When you connect a point-of-sale system, BevSync automatically strips personally identifiable information (PII) from all sales data before it is stored in our database. POS connections are optional and require your explicit authorization.
Data Stripped Before Storage
| PII Category | Fields Redacted |
|---|---|
| Customer names | First name, last name, guest name, customer name |
| Email addresses | All email patterns detected |
| Phone numbers | All phone number patterns detected |
| Payment card data | Full card numbers, CVV/CVC, expiration dates, billing addresses |
| Social Security Numbers | All SSN patterns detected |
| IP addresses | All IP address patterns detected |
| Physical addresses | Billing, shipping, delivery, and street addresses |
| Employee/server names | Server, employee, cashier, and bartender names (replaced with [REDACTED]) |
Data Retained for Analytics
- Sale amounts and quantities (revenue analytics, pour cost calculations)
- Product/menu item identifiers (product mapping and sales attribution)
- Sale timestamps (time-series analytics)
- Card brand, e.g. Visa or Mastercard (payment type aggregation, optional)
- Last 4 digits of card (payment type aggregation, optional and configurable)
6. Data Sharing & Third-Party Processors
We do not sell your personal information. We do not share data with advertising networks. We share data only with the service providers ("sub-processors") necessary to operate the platform.
Required Sub-Processors
| Service | Provider | Purpose | Region |
|---|---|---|---|
| Supabase | Supabase Inc. | Authentication, PostgreSQL database, file storage for generated reports | US |
| Resend | Resend Inc. | Transactional email delivery (invitations, notifications, password resets) | US |
| Netlify | Netlify Inc. | Web hosting, serverless functions, scheduled background tasks | US |
Optional Sub-Processors (User-Initiated)
| Service | Provider | Purpose | Region |
|---|---|---|---|
| Google Places API | Google LLC | Location address autocomplete when adding venues | US |
| Square | Block Inc. | POS integration (OAuth-connected) | US |
| Toast | Toast Inc. | POS integration (API credentials) | US |
| Clover | Fiserv Inc. | POS integration (OAuth-connected) | US |
| Omnivore (NCR) | NCR Corporation | POS integration (API key) | US |
POS integrations are optional and user-initiated. Each requires your explicit authorization via OAuth or API credentials. BevSync accesses only read-only sales transaction and menu item data from these providers.
7. Cookies & Local Storage
BevSync uses only two cookies — both are necessary for the platform to function. We do not use any third-party, tracking, analytics, or advertising cookies.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-* | Strictly Necessary | Authentication session (JWT) | Session (refreshed each request) |
| bevsync_active_org | Functional | Active organization ID for multi-org switching | 1 year |
Browser localStorage is used for recent search queries only (bevsync:recent-searches). This data stays entirely in your browser and is never sent to our servers. For full details, see our Cookie Policy.
8. Data Retention
We retain data for specific periods depending on the data type and your subscription plan:
Automated Retention
| Data Type | Retention Period |
|---|---|
| POS sales records & summaries | Configurable per connection; default 2 years |
| POS sync logs | 90 days |
| Read notifications | Cleaned up periodically |
| Audit log entries | Retained indefinitely |
Inventory History Retention by Plan
| Plan | History Retained |
|---|---|
| Free | 30 days |
| Starter | 180 days |
| Professional | 365 days |
| Enterprise | 730 days (2 years) |
Account Lifecycle
- Account cancellation — 30-day grace period; data retained during grace period; account may be reactivated
- Account deletion by user — user deactivated in application database; all memberships deleted; authentication record permanently deleted via Supabase Auth; if the user is an Owner, the Organization is also cancelled
- After grace period — data deletion is permanent and cannot be reversed
9. Data Security
We implement the following security measures to protect your data:
- Encryption in transit — all traffic is served over HTTPS, enforced by Netlify
- Encryption at rest — Supabase-managed PostgreSQL encryption and Supabase Storage encryption
- POS credential encryption — API keys and OAuth tokens for POS connections are encrypted using AES-256-GCM before storage
- Secure authentication — passwords hashed exclusively by Supabase Auth (never stored in the application database); sessions managed via HTTP-only, Secure cookies
- Multi-factor authentication — optional TOTP-based MFA available for all users
- Rate limiting — login, registration, and password reset endpoints limited to 10 requests per 60 seconds per IP
- Multi-tenancy isolation — every database query is scoped to the authenticated user's Organization ID
- Location access control — users are restricted to authorized Locations, validated on every server action
- Row-level security — RLS enabled on Supabase database tables
- Audit logging — significant actions logged with user ID, action type, entity details, old/new values, and timestamp
- PII stripping — customer PII from POS sales data is automatically removed before storage (see Section 5)
- Webhook verification — HMAC-SHA256 signature verification for POS webhooks
While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using industry best practices.
10. Your Rights
You have the following rights with respect to your personal data:
| Right | How to Exercise |
|---|---|
| Access | All business data is viewable through the platform UI; profile data is viewable in Settings > Profile |
| Correction | Update your profile (name, email, phone), organization details, and all business data through the platform UI |
| Deletion | Delete your account via Settings > Security (requires email confirmation) |
| Portability / Export | Export all data via Settings > Data in JSON or CSV format (products, inventory, brand deals, sales, locations, or complete backup) |
| Restrict Processing | Disconnect POS integrations, disable locations, or deactivate products to stop processing specific data |
Most rights can be exercised self-service through the platform. If you need assistance or wish to submit a formal request, contact us at support@bevsync.net. We will respond to verified requests within 30 days.
11. International Data Transfers
All data is stored and processed in the United States. Our infrastructure providers — Supabase (database, authentication, storage), Netlify (hosting, functions), and Resend (email) — are all US-based.
If you access BevSync from outside the United States, your data will be transferred to and stored in the US. By using the Service, you consent to this transfer. We do not currently offer EU or other regional data residency options.
12. Children's Privacy
BevSync is a B2B platform designed for bars, restaurants, and hospitality businesses. The Service is not directed at children under the age of 13 (or under 16 in the European Union).
We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@bevsync.net.
13. Data Breach Notification
In the event of a confirmed data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of confirming the breach
- Provide details about the nature of the breach, the data affected, and steps we are taking to address it
- Notify relevant regulatory authorities as required by applicable law
- Recommend any actions you should take to protect your account (e.g., password changes)
14. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to know — you may request details about the categories of personal information we collect and the purposes for collection (see Section 2)
- Right to delete — you may request deletion of your personal information (see Section 10)
- Right to opt-out of sale — BevSync does not sell personal information to any third party. No "Do Not Sell" mechanism is necessary because no sale of data occurs.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
We do not offer financial incentives in exchange for personal information. To exercise your California privacy rights, contact us at support@bevsync.net.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account and by updating the "Last updated" date on this page.
Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes. We encourage you to review this page periodically.
16. Contact
Questions or concerns about this Privacy Policy or our data practices? Contact us at:
Email: support@bevsync.net
Website: bevsync.net
For enterprise customers, our Data Processing Agreement is available.