Legal

Privacy Policy

Last updated: June 4, 2026

1. Who we are

SBBPOS is a SaaS Point of Sale platform developed and operated by SBB Solutions AB, a company registered in Sweden under organisation number 559588-1433, with registered address at Östra Gränsgatan 2, 283 72 Lönsboda, Sweden ("we", "us", "our"). Our service is available at app.sbbpos.com and our main website is at www.sbbpos.com.

For privacy-related questions, contact us at: webmaster@sbbpos.com

2. What data we collect

We collect only the data necessary to operate the service:

  • Account data — your name, email address, and password (hashed) when you register an account.
  • Business data — business unit names, device identifiers, and product catalogues you create inside the app.
  • Transaction data — sales receipts, refunds, and payment records created through the POS.
  • Usage data — log data such as login times, actions taken within the app, and device type, used for security and audit purposes.

We do not collect or store end-customer (shopper) personal data. Receipts are issued per transaction without identifying the buyer unless you explicitly attach customer information.

3. How we use your data

  • To operate and provide the SBBPOS service
  • To send transactional emails — account registration confirmation, password reset, and (if enabled) email receipts to your customers
  • To maintain security logs and audit trails required for POS compliance
  • To provide customer support when you contact us

We do not sell your data. We do not use your data for advertising or marketing profiling.

4. Transactional email

SBBPOS sends transactional emails only — these are emails triggered directly by your actions (e.g. signing up, requesting a password reset, or sending an email receipt). We do not send unsolicited marketing emails.

Transactional email is delivered via SendGrid (by Twilio), a third-party email delivery provider. SendGrid processes your email address solely to deliver messages on our behalf and is located in the USA. Transfers to the USA are covered by EU Standard Contractual Clauses (SCCs) and Twilio's Data Processing Agreement. No transaction data or payment information is shared with SendGrid. Their privacy policy is available at twilio.com/en-us/legal/privacy.

5. Card payments

Card payment processing is handled via Stripe (stripe.com). SBBPOS does not store card numbers or payment credentials. All card data is handled directly by Stripe in accordance with PCI DSS standards. Stripe's privacy policy is available at stripe.com/privacy.

6. Data storage and security

Your data is stored in a cloud-hosted MongoDB database. Each account's data is isolated by a unique account identifier — no tenant can access another tenant's data. Access to the database is restricted to the SBBPOS application and authorised developers only.

Authentication uses short-lived JWT tokens stored in httpOnly cookies, which are not accessible from JavaScript. Passwords are hashed using bcrypt before storage.

7. Sub-processors

We use the following third-party sub-processors to operate the service. All sub-processors are bound by data processing agreements that impose at least equivalent data protection obligations as this policy.

  • MongoDB Atlas (AWS Stockholm, EU) — primary database hosting for operational data.
  • SendGrid / Twilio (USA) — transactional email delivery. Data transfer covered by EU SCCs + Twilio DPA.
  • Stripe Payments Europe Ltd (Ireland, EU) — card payment processing for accounts using the Stripe module.

We will notify Account Holders by email at least 30 days before adding or replacing a sub-processor.

8. Security incidents

In the event of a personal data breach, we will notify affected Account Holders without undue delay and, where required by GDPR, within 72 hours of becoming aware of the incident. The notification will include a description of the nature of the breach, the categories of data affected, and the measures we have taken or propose to take in response.

9. Data retention

  • Sales and refund receipts — retained for 365 days from the date of the transaction for accounting and audit purposes.
  • User and authentication logs — retained for 180 days.
  • Other operational logs — retained for 90 days.
  • Account data — retained for the lifetime of your account. Deleted upon confirmed account closure.

10. Your rights (GDPR)

If you are based in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.

To exercise any of these rights, email us at webmaster@sbbpos.com. We will respond within 30 days.

11. Cookies

SBBPOS uses a single authentication cookie (httpOnly, Secure) to maintain your login session. This cookie is strictly necessary for the service to function and does not track you across other websites.

We do not use advertising cookies, analytics tracking cookies, or third-party cookies on app.sbbpos.com.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy. For significant changes, we will notify account holders by email.

13. Contact

For any privacy-related questions or requests (including GDPR requests — data access, correction, deletion, or export), email us with the subject line "GDPR Request". We will respond within 30 days.

SBB Solutions AB
Östra Gränsgatan 2, 283 72 Lönsboda, Sweden
Organisation number: 559588-1433
Email: webmaster@sbbpos.com
Website: www.sbbpos.com