Privacy Policy
1. About This Policy
Retail Stack (“Retail Stack,” “we,” “our,” or “us”) operates a software platform that retail and wholesale businesses use to run their operations. Our platform includes a back office (web), a point-of-sale application, a mobile inventory and stock application, a mobile and web procurement application, and supporting websites, APIs, and infrastructure (together, the “Service”).
This Privacy Policy explains what personal information we collect through the Service, how we use it, with whom we share it, where it is stored, and the rights and choices you have. It applies to all Retail Stack Products and across every channel on which we deliver them.
By accessing or using the Service, you confirm that you have read this Privacy Policy. If you do not agree, please stop using the Service.
2. Who This Policy Applies To and Who Is in Control
The Service is a business-to-business platform. Most personal data processed through the Service relates to either (a) the merchant business itself and its employees, or (b) the merchant’s own customers, suppliers, and counterparties.
For data about merchants and their employees, the relevant Retail Stack contracting entity is the data controller. The contracting entity is determined by the country in which the merchant operates, as set out in Schedule A of our Terms of Service.
For data about merchants’ customers, suppliers, and other counterparties that the merchant enters into the Service, the merchant is the data controller and Retail Stack is the data processor acting on the merchant’s behalf. If you are a customer, supplier, or other counterparty of a merchant who uses Retail Stack and you have questions about how your data is used, please contact the merchant directly. We will support the merchant in handling any data rights requests you make.
3. Information We Collect
3.1 Account and profile information
When you register, sign in, or are invited to a Retail Stack Account, we collect:
email address and hashed password
full name and, optionally, profile photo
phone number where provided
role, permissions, and back-office access flags assigned by your merchant
tenant or store identifier (the merchant organisation you belong to)
cashier identifier or employee identifier assigned by your merchant
email verification status and any one-time codes used to verify your identity
PIN code for in-app re-authentication on mobile applications, where used
If you sign in with a third-party identity provider (such as Google or Apple), we receive an identity token from the provider containing your email address and, where you grant the relevant scope, your name. We do not receive your social-network contacts, photos, or any other account data.
3.2 Business and store information
To operate the Service, we collect:
store name, address, contact details, business hours, and logo
social media links (where provided)
multi-store configuration and tenant domain identifiers
subscription, billing, and payment method details
direct debit mandates and authorisations linked to your payment partner
3.3 Operational data
We collect data generated through normal business operations on the Service, including:
inventory records (product names, stock keeping units, stock levels, pricing, categories, expiry dates, batch numbers, images)
purchase orders, requests for quotation, line items, expected delivery dates, payment terms, and internal notes
supplier records (business name, contact details, locations served, lead times, payment terms, business registration numbers, and supplier bank or payment details where you provide them)
sales transactions (transaction identifiers, items sold, amounts, payment methods, discounts, tax, and refunds)
stock counts, audit entries, end-of-day reports, alerts, and analytics
invoices captured via camera or file upload, including text extracted using automated techniques
3.4 Customer data entered by merchants
Where you, as a merchant, choose to use the customer management features of the Service, you may enter data about your customers, including:
name, phone number, email address
city, state, and physical address
purchase history, order summaries, total spend, and visit frequency
loyalty programme enrolment and promotional status
internal notes you add about customers
You are the data controller for this data. Your obligations are described in Section 7.
3.5 Device, technical, and usage data
We automatically collect technical data when you use the Service:
authentication tokens stored in your browser’s local storage or your device’s secure storage
device platform information (operating system, application version, browser, viewport)
usage logs (pages visited, actions taken, error events)
API request logs (for performance monitoring and troubleshooting)
push notification device tokens for mobile applications
3.6 Permissions on your device (mobile applications)
Depending on the application and the feature you use, we may request the following permissions on your device. We use this access only for the stated feature.
| Permission | Purpose |
|---|---|
| Camera | Barcode scanning, product image capture, invoice capture |
| Photo library | Selecting or saving product, invoice, or profile images |
| Notifications | Delivering push notifications and operational alerts |
| Biometric unlock (Face ID, fingerprint) | Local unlock of the application; biometric data never leaves your device and is handled by your device operating system |
The Service does not collect precise location or GPS data, contacts, calendar events, advertising identifiers, or health data.
3.7 Analytics and diagnostic data
We use product analytics and crash reporting tools to understand how the Service is used and to diagnose issues. These tools collect anonymous and pseudonymous event data (screen views, button taps, feature usage), crash reports, uncaught exceptions, network telemetry, and, in some cases, session recordings in which text inputs are masked by default. Where session recordings are used, we apply masking to reduce the risk of capturing sensitive data.
3.8 What we do not collect
The Service does not collect, and we have no use for:
the personal contents of communications between you and individuals outside the Service
biometric templates (we use only on-device biometric unlock managed by your device)
precise location data
advertising identifiers used for cross-context behavioural advertising
health, genetic, or biometric data of any kind
4. How We Use Information
We use the information we collect to:
provide, operate, secure, and maintain the Service
authenticate users and enforce role-based access controls
process subscriptions, GMV-based fees, and other billing
generate reports, analytics, dashboards, and operational outputs for you
support intelligence features such as inventory forecasting, price recommendations, smart purchase orders, fraud detection, and operational alerts
communicate with you about your account, billing, security, support, and material changes to the Service or this Policy
improve our products, develop new features, and conduct research
detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service
comply with legal, regulatory, and tax obligations
We do not sell your personal data. We do not engage in cross-context behavioural advertising. We do not use your data to build advertising profiles.
5. Aggregated and De-identified Data
We may combine data from across the Service to create aggregated and de-identified information. This may include market trends, category performance, pricing benchmarks, regional movement patterns, and other insights. Aggregated and de-identified information does not identify any individual merchant, customer, supplier, or other person.
We use aggregated and de-identified information to operate, secure, and improve the Service, to develop intelligence products and features, and to produce benchmarking and industry insights that we may share or commercialise. We apply industry-standard techniques to reduce the risk that aggregated or de-identified information can be re-identified.
Aggregated and de-identified information is not considered personal data and is not subject to the data subject rights described in Section 11.
6. Legal Bases for Processing
Where data protection laws require a legal basis for processing, we rely on the following:
Performance of a contract. Processing necessary to provide the Service to you and your merchant under our Terms of Service.
Legitimate interests. Improving the Service, securing our platform, preventing fraud and abuse, diagnosing issues, developing aggregated insights, and operating our business, balanced against your rights and interests.
Compliance with legal obligation. Processing required to comply with applicable laws and regulatory obligations.
Consent. Where you have given specific consent, for example for optional marketing communications or for certain device permissions you grant on your device.
You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
7. Customer Data: Your Responsibilities as a Merchant
When you enter personal data about your customers, employees, suppliers, or other individuals into the Service, you are the data controller and Retail Stack is your data processor. This means you must:
have a lawful basis under applicable law to collect and process such data
provide appropriate privacy notices to the individuals whose data you collect
maintain your own privacy policy covering your customers and other counterparties
respond to data subject rights requests directed at you
not enter data into the Service that you are not authorised to process
promptly notify us of any data subject rights request that we, as your processor, are required to assist with
We will support you in meeting your data protection obligations to the extent required by applicable law and our agreement with you. Where required by law, we will enter into a Data Processing Addendum with you on request.
8. Who We Share Information With
We share personal information only as described below.
8.1 Within your merchant organisation
Because the Service is a workplace tool, the merchant whose Account you belong to has access to your profile, the records you create or modify, and audit metadata linking actions to your user identifier. Your merchant may also export this data and use it for legitimate business or employment purposes.
8.2 Service providers and sub-processors
We engage trusted service providers who process data on our behalf. The categories of sub-processors we engage include:
cloud infrastructure and hosting providers
payment partners that handle direct debit, card, transfer, and other payment instruments in your market
email, SMS, and messaging providers used to deliver transactional communications and supplier outreach
push notification delivery providers
identity providers (where you choose to sign in with a third-party identity)
product analytics, error monitoring, and session replay providers
document and image storage providers
automated text extraction (OCR) providers used by the procurement Product, where applicable
A current list of the sub-processors we engage is maintained at retailstack.co/legal/sub-processors. All processors are bound by data processing terms that limit how they may use the data and require appropriate security measures.
The specific service providers in use at any given time depend on the country in which you operate and the Products you use. In each market, we work with the payment partners, banking partners, communications providers, and other infrastructure providers that are available and appropriate locally. We may add, change, or remove sub-processors from time to time.
8.3 Suppliers (procurement Product)
When you dispatch a request for quotation or purchase order from the procurement Product, the supplier contact details you have entered are used to deliver the communication. The recipient receives the information needed to respond, including the requesting merchant’s identity and the items or terms requested.
8.4 Legal, regulatory, and safety disclosures
We may disclose information if required by law, court order, or competent regulator, or where we believe disclosure is necessary to:
protect the rights, safety, or property of Retail Stack, our merchants, our users, or the public
investigate fraud, abuse, or violations of our Terms of Service
enforce or defend our legal rights
8.5 Corporate transactions
If Retail Stack is involved in a merger, acquisition, restructuring, financing, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected merchants where required by law.
9. Where Your Data Is Stored
Our long-term commitment is to store merchant data within the country or region in which the merchant operates, wherever the local infrastructure, security posture, and economics make this feasible. Our intention is that data for African merchants is hosted on African infrastructure, data for North American merchants is hosted on North American infrastructure, and so on for each region we operate in.
Currently, our primary infrastructure is hosted in Germany (European Union). As we expand and as suitable infrastructure becomes available in each region we serve, we will migrate merchant data to in-region hosting and update this Policy accordingly.
Some of our service providers may operate globally and may process data outside the country in which you operate. Where required by applicable law, we rely on appropriate safeguards for international data transfers, including Standard Contractual Clauses, equivalent contractual mechanisms, or other transfer mechanisms recognised under the applicable law.
10. Data Retention
We retain personal information for as long as your Account is active or as needed to provide the Service. Specific retention periods include:
Account data: retained for the duration of your subscription and for up to ninety (90) days following Account closure, to allow for export, dispute resolution, and billing reconciliation
Transaction and financial records: retained for up to seven (7) years, or longer where required by tax and accounting laws applicable to you or to us
Customer data you input as controller: retained according to your instructions; you may delete records at any time through the Service
Authentication tokens and cached data: stored on your device with limited lifetimes; cleared on sign-out
Logs, diagnostics, and analytics: retained for limited periods consistent with our security, monitoring, and product improvement needs
Where we are required by law to retain data longer, we will do so for the required period and then delete it.
11. Your Rights
Depending on the laws of the country in which you are located, you may have the following rights in relation to your personal data.
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data (subject to legal retention requirements) |
| Restriction | Request that we limit how we process your data |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
| Complaint | Lodge a complaint with your local data protection authority |
To exercise any of these rights, contact us at support@retailstack.co. We will respond within the timeframes required by applicable law (generally within thirty (30) days, with extensions where permitted).
If your data is processed by Retail Stack on behalf of a merchant, we may need to direct your request to the merchant. We will let you know if that is the case.
12. Children
The Service is a business tool intended for use by adults operating retail and wholesale businesses. It is not directed at children, and we do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a child, please contact us so we can delete it.
13. Security
We implement technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include:
transport encryption (HTTPS and TLS) for all data in transit
hashed password storage and bearer-token authentication
role-based access controls and tenant isolation
biometric unlock for mobile applications, managed by your device operating system
masking of text input fields in session replay tools
monitoring, logging, and incident response procedures
No method of transmission or storage is completely secure. While we work to protect your data, you are responsible for protecting your credentials, securing your devices, managing the access you grant to your team, and maintaining your own backups where appropriate. If we become aware of a personal data breach affecting you, we will notify you and the relevant regulator where required by applicable law.
14. Cookies and Local Storage
The Service uses browser local storage, device storage, and similar technologies (rather than traditional advertising cookies) to:
maintain your sign-in session and authentication tokens
cache data to improve performance and offline capability
persist workflow state across multi-step processes
store user preferences
You can clear local storage and device storage at any time through your browser or device settings. Doing so will sign you out of the Service.
We do not use cookies or similar technologies for advertising or cross-site tracking.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice by email, by in-product notification, or both, and we will update the “Last Updated” date at the top of this Policy.
Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the updated Policy.
16. Contact
For privacy questions, requests, or complaints, contact:
Retail Stack
Email: support@retailstack.co
Web: retailstack.co
Postal address (Nigerian merchants): Retail Stack Limited, 4 Moleye Street, Alagomeji-Yaba, Lagos State, Nigeria
Postal address (other jurisdictions): Ricive Inc., 256 Chapman Road, STE 105-4, Newark, New Castle, Delaware 19702, United States
In-product: Settings > Help > Privacy
For data protection enquiries under any applicable framework, you may also contact your local data protection authority. In Nigeria, this is the Nigeria Data Protection Commission. In Canada, this is the Office of the Privacy Commissioner of Canada, and, where applicable, the privacy commissioner of your province.
Appendix A: Permissions Summary for App Stores
This appendix summarises the data types we collect and how they are handled, for the purposes of Apple App Store and Google Play Store privacy disclosures.
| Data type | Status |
|---|---|
| Email address | Collected; linked to user; not used for tracking; purpose: account and authentication |
| Name | Collected (optional); linked to user; not used for tracking; purpose: account and display |
| User ID | Collected; linked to user; not used for tracking; purpose: app functionality and analytics |
| Phone number | Collected (optional); linked to user; not used for tracking; purpose: account and operational communication |
| Precise location | Not collected |
| Coarse location | Not collected |
| Photos and camera content | Collected (user-initiated); linked to user when attached to a record; not used for tracking; purpose: product and invoice imagery |
| Audio | Not collected |
| Contacts | Not collected |
| Crash data | Collected; linked to user via user ID; not used for tracking; purpose: diagnostics |
| Performance and usage data | Collected; linked to user via user ID; not used for tracking; purpose: product analytics |
| Advertising data | Not collected |
| Health and fitness | Not collected |
| Financial information (supplier bank details entered by user) | Collected; not linked to the user (third-party business data); not used for tracking; purpose: procurement workflows |
By using the Retail Stack Service, you confirm that you have read this Privacy Policy.
