Legal Documents

Privacy Policy

Effective: 2025-01-15
Version: 1.0

Executive Summary

This Privacy Policy describes how Beltra Industries LLC (DBA "TAB POS") collects, uses, and protects personal information from restaurant staff, administrators, and waitlist guests using our point-of-sale system, companion mobile apps, and public waitlist portal. We collect contact information, location data (for waitlist geofencing), operational data (orders, time tracking), and payment tokens (processed by Stripe). We use Twilio for transactional SMS notifications with explicit opt-in. We do not sell personal information. Data is stored on Supabase with encryption at rest and in transit. You have rights to access, correct, delete, and port your data under CCPA/CPRA and GDPR.

📱 For Twilio Compliance Reviewers

Opt-In Mechanism: Guests explicitly provide phone numbers on our waitlist form labeled "Phone Number (for SMS updates)" with disclosure "We'll send you a text when your table is ready."

STOP/HELP Handling: All SMS include standard STOP/HELP instructions. Replying STOP unsubscribes from all messages from our shared Toll-Free number across all participating restaurants. HELP provides support contact.

Consent Logging: Waitlist entries record timestamp, phone number, restaurant ID, and consent context (waitlist signup). Records retained for compliance auditing.

Waitlist Portal URL: https://waitlist.tab-pos.com

1. Data Controller

Business Name: Beltra Industries LLC (DBA "TAB POS")

Mailing Address: [PLACEHOLDER - INSERT PHYSICAL ADDRESS]

Contact Email: support@tab-pos.com

Privacy Inquiries: privacy@tab-pos.com

TAB POS is the data controller for personal information collected through our services. For restaurant tenant data (customer orders, staff information managed by restaurant owners), TAB POS acts as a processor on behalf of the restaurant.

2. Scope of This Policy

This Privacy Policy applies to all TAB POS products and services, including:

  • POS Desktop Applications: Point-of-sale systems for restaurant staff (servers, managers, kitchen staff)
  • Manager Desktop & Portal: Administrative interfaces for restaurant management
  • Mobile Companion Apps: iOS and Android apps for staff and managers
  • Public Waitlist Portal: Customer-facing waitlist at waitlist.tab-pos.com (and tenant-specific subdomains)
  • Marketing Website: www.tab-pos.com and associated sign-up flows
  • Supporting APIs/Services: Backend infrastructure supporting the above applications

This policy does not cover third-party websites or services linked from our platform. Please review their respective privacy policies.

3. Data We Collect

We collect personal information from different sources based on how you interact with our services:

3.1 Waitlist Portal Data (Guest Users)

When you join a restaurant waitlist via our public portal, we collect:

  • Contact Information: Name, mobile phone number (optional but required for SMS notifications)
  • Party Details: Party size, seating preferences (indoor, outdoor, accessible seating)
  • Geolocation Data: Real-time location coordinates (latitude/longitude) obtained via browser Geolocation API
  • Queue Information: Position in waitlist, estimated wait time, status (waiting, notified, seated, cancelled, no-show)
  • Consent Records: Timestamp of opt-in, source of consent (waitlist form submission), phone number for SMS
  • Technical Data: IP address, browser user agent (collected automatically by server logs)
  • Preferences: Dark/light theme preference (stored in browser localStorage, not transmitted to servers)

Important: Location data is used only for real-time geofence verification. We do not store precise location coordinates long-term. Location tracking stops when you leave the waitlist or your session ends.

3.2 POS Applications & Staff Data

When restaurant staff and managers use our POS, manager portal, or companion apps, we collect:

  • Staff Accounts: Employee number, full name, email address, phone number, role(s) (server, host, cook, manager, admin), assigned restaurant(s), hire date, hourly rate
  • Authentication: Encrypted passwords, active roles, session tokens, device identifiers (for Electron apps)
  • Order & Transaction Data: Table assignments, menu items ordered, seat numbers, allergen flags, pricing, discounts, tips, tax calculations, order status, timestamps
  • Payment Tokens: Stripe payment intent IDs (we do not store raw credit card numbers or CVV codes)
  • Time Tracking: Clock-in/out timestamps, break durations, total hours worked, location (restaurant ID)
  • Floor Plans & Table Data: Table numbers, sections, capacity, coordinates, status, server assignments
  • Audit Logs: User actions (create, update, delete operations), entity types modified, change records (JSONB), IP addresses, user agent strings, timestamps
  • Menu & Inventory: Menu items, modifiers, categories, kitchen station assignments, allergen info, pricing, inventory quantities

3.3 Website & App Telemetry

We automatically collect technical information when you access our services:

  • Device Information: Operating system, browser type/version, screen resolution, device type (desktop, mobile, tablet)
  • Usage Data: Pages viewed, features accessed, click patterns, session duration, referring URLs
  • Cookies & Local Storage: Session identifiers, authentication tokens, user preferences (theme, language), cached data for performance
  • Error Logs: Crash reports, exception stack traces, performance metrics (for debugging and service improvement)

We do not currently use third-party analytics services (e.g., Google Analytics, PostHog, Plausible). All telemetry is processed internally.

5. SMS/Toll-Free & A2P Compliance

We use Twilio to send transactional SMS notifications about waitlist status. All messaging complies with TCPA, CTIA guidelines, and carrier regulations for Application-to-Person (A2P) messaging.

Explicit Opt-In

Phone numbers are collected only when you voluntarily enter them in the waitlist form. The form clearly states: "Phone Number (for SMS updates)" and "We'll send you a text when your table is ready." Submitting the form with a phone number constitutes express written consent to receive SMS.

Message Types & Frequency

Transactional Messages Only:

  • Waitlist Confirmation: "Hi [Name]! You're #[Position] on the waitlist at [Restaurant]. Estimated wait: [Time] mins. Check status: [URL]"
  • Table Ready: "[Name], your table is ready at [Restaurant]! Please head to the host stand within 10 minutes."
  • Position Updates: "Update: You're now #[Position] on the waitlist at [Restaurant]. Estimated wait: [Time] mins."

Frequency: Typically 1-3 messages per waitlist session. No marketing or promotional messages are sent.

Carrier Charges: Message and data rates may apply. Standard carrier messaging rates apply.

STOP, HELP, START Instructions

Every SMS includes standard opt-out instructions:

  • STOP: Reply STOP to unsubscribe from all SMS notifications. You will receive one final confirmation message.
  • HELP: Reply HELP for support information and contact details.
  • START: Reply START to re-enable notifications if previously opted out.

Multi-Tenant STOP Behavior: We use one verified Toll-Free number shared across multiple restaurants. Replying STOP will unsubscribe you from all SMS notifications from any restaurant using our platform. If you wish to opt out from only one restaurant, please contact that restaurant directly or leave the waitlist via the status URL.

Future Improvement: We are actively working on implementing per-restaurant opt-out functionality to allow granular control over SMS preferences. This enhancement will enable you to manage notifications from individual restaurants independently. This feature is planned for a future release.

Consent Record Storage

We store the following for compliance auditing:

  • Phone number and consent timestamp
  • Source of consent (waitlist form URL, restaurant ID)
  • Copy of consent language displayed at signup
  • IP address and user agent at time of consent

Consent records are retained for 7 years after opt-out or account deletion, as required by TCPA compliance.

6. Sharing and Disclosure

We share personal information only as described below. We do not sell personal information.

Service Providers (Sub-processors)

We share data with vendors who process it on our behalf under strict contractual terms:

  • Twilio: SMS delivery (phone numbers, message content, delivery status)
  • Supabase: Database hosting, authentication (all user/order/waitlist data)
  • Vercel: Application hosting, CDN (access logs, performance metrics)
  • Stripe: Payment processing (tokenized payment methods, transaction amounts)

See Appendix: Sub-processors for detailed list.

Restaurant Tenants (B2B Customers)

Restaurants using TAB POS can access data only for their own location (enforced by Row-Level Security). This includes waitlist entries, orders, and staff data for their restaurant. Cross-tenant data access is technically prohibited.

Legal Requirements

We may disclose information if required by law, including:

  • Responding to subpoenas, court orders, or legal process
  • Investigating fraud, security incidents, or Terms violations
  • Protecting safety/rights of TAB POS, users, or the public
  • Compliance with tax, labor, or financial regulations

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity. You will be notified via email and/or prominent notice on our website.

No Targeted Advertising

We do not share data with advertising networks or third-party marketers. We do not engage in cross-context behavioral advertising or sell data to data brokers.

7. Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy:

| Data Type | Retention Period |
|---|---|
| Waitlist Entries | 90 days after status change to seated/cancelled/no-show |
| SMS Consent Records | 7 years after opt-out (TCPA compliance) |
| Order & Payment Data | 7 years (tax/financial compliance) |
| Staff Accounts (Active) | Duration of employment + 3 years |
| Time Tracking Records | 7 years (labor law compliance) |
| Audit Logs | 3 years (security/compliance investigations) |
| Geolocation Data | Real-time only (not stored after session ends) |
| Support/Contact Requests | 3 years after resolution |

After retention periods expire, data is either securely deleted or anonymized. Some aggregated/anonymized data may be retained indefinitely for analytics.

8. Security Controls

We implement industry-standard security measures to protect personal information:

Encryption: All data transmitted via HTTPS/TLS 1.3. Database encryption at rest (AES-256). Passwords hashed with bcrypt.

Access Controls: Role-based access control (RBAC), multi-factor authentication for admin accounts, employee number-based authentication for staff.

Multi-Tenant Isolation: Row-Level Security (RLS) policies in Supabase prevent cross-tenant data access. Each restaurant can only query its own data.

Audit Logging: All sensitive operations logged with user ID, IP address, timestamp, and action details.

Least Privilege: Service accounts and API keys granted minimum necessary permissions.

Monitoring: Real-time anomaly detection, automated alerts for suspicious activity, regular security audits.

Vulnerability Management: Dependency scanning, regular penetration testing, timely security patches.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. Report security concerns to security@tab-pos.com.

9. International Transfers

TAB POS is based in the United States. Our infrastructure providers (Supabase, Vercel, Twilio) operate globally and may process data in multiple jurisdictions.

Primary Data Locations: United States (US East, US West regions)

Sub-processor Locations: See Appendix for specific data residency details.

Safeguards for EU/EEA Data: If you are located in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to the U.S. You may request a copy of SCCs at privacy@tab-pos.com.

UK & Swiss Transfers: We comply with UK GDPR and Swiss Federal Data Protection Act requirements via appropriate transfer mechanisms.

10. Children's Data

TAB POS services are not directed to individuals under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children.

The waitlist portal may be used by parents/guardians on behalf of minors (e.g., family dining). In such cases, the adult providing information is responsible for obtaining any necessary consents.

If you believe we have inadvertently collected information from a child, contact us immediately at privacy@tab-pos.com and we will delete it promptly.

11. Your Privacy Rights

Depending on your location, you may have the following rights:

CCPA/CPRA Rights (California Residents)

  • Right to Know: Request disclosure of personal information we collect, use, disclose, and sell (we do not sell data).
  • Right to Delete: Request deletion of your personal information, subject to legal/compliance exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Share: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to Limit Sensitive Personal Information: Request limits on use of sensitive data beyond service provision (we do not use sensitive data for secondary purposes).
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

GDPR Rights (EEA/UK Residents)

  • Right of Access: Obtain a copy of your personal data.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion, subject to legal retention requirements.
  • Right to Data Portability: Receive data in structured, machine-readable format (CSV/JSON).
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Restrict Processing: Limit processing in certain circumstances.
  • Right to Withdraw Consent: Withdraw consent for SMS or location tracking at any time.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

How to Exercise Your Rights

Submit privacy requests via:

  • Email: privacy@tab-pos.com
  • Subject Line: "Privacy Rights Request – [Your Name]"
  • Include: Name, contact information, specific right(s) you wish to exercise, sufficient detail to locate your data

Response Time: We will respond within 45 days (CCPA) or 30 days (GDPR), with one possible extension if needed.

Verification: We may request additional information to verify your identity before fulfilling requests.

Authorized Agent (CCPA)

If you are a California resident, you may designate an authorized agent to make requests on your behalf. The agent must provide written authorization, and we may require you to verify your identity directly.

12. Cookies and Tracking

We use cookies and similar technologies to provide and improve our services:

| Cookie/Storage | Type | Purpose | Duration |
|---|---|---|---|
| supabase-auth-token | 1st Party (Strictly Necessary) | User authentication & session management | 7 days |
| waitlist-theme | 1st Party (Functional) | Remember dark/light mode preference | Persistent (localStorage) |
| csrf-token | 1st Party (Strictly Necessary) | Security - prevent cross-site request forgery | Session |
| Geolocation (browser API) | Browser Permission | Waitlist geofencing & proximity verification | Session only (not stored) |

Third-Party Cookies: We do not use third-party advertising or analytics cookies. Stripe may set cookies during payment processing (subject to Stripe's privacy policy).

Managing Cookies: You can control cookies via browser settings. Disabling strictly necessary cookies may impair service functionality.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Material Changes: If we make material changes that significantly impact how we handle your personal information, we will notify you by:

  • Email notification to registered users (sent at least 30 days before changes take effect)
  • Prominent notice on www.tab-pos.com homepage
  • In-app notification for POS/mobile app users

Version Control: The "Effective Date" and "Version" at the top of this policy indicate the latest update. Previous versions are available upon request at privacy@tab-pos.com.

Continued Use: Your continued use of TAB POS services after changes become effective constitutes acceptance of the updated policy.

Changelog

  • Version 1.0 (2025-01-15): Initial Privacy Policy published.

14. Contact Us

For privacy-related questions, concerns, or requests, please contact us:

Beltra Industries LLC (DBA "TAB POS")

Attn: Privacy Officer

[PLACEHOLDER - INSERT PHYSICAL MAILING ADDRESS]

Email: privacy@tab-pos.com

General Support: support@tab-pos.com

Security Issues: security@tab-pos.com

EEA/UK Data Protection Officer: [PLACEHOLDER if DPO required by GDPR Article 37]

EU Representative: [PLACEHOLDER if required by GDPR Article 27 - applicable if no EU establishment but targeting EU data subjects]

15. Appendix: Sub-processors

TAB POS engages the following third-party service providers ("sub-processors") to process personal information on our behalf. All sub-processors are contractually bound to data protection and security standards consistent with this Privacy Policy.

| Sub-processor | Purpose | Data Categories | Location(s) |
|---|---|---|---|
| Twilio Inc. (Privacy Policy) | SMS delivery, Toll-Free messaging | Phone numbers, message content, delivery status, opt-in/out records | United States (data processed globally) |
| Supabase Inc. (Privacy Policy) | Database hosting, authentication, real-time services | All user data, waitlist entries, orders, staff info, audit logs | United States (US East), configurable regions available |
| Vercel Inc. (Privacy Policy) | Application hosting, CDN, edge functions | Access logs, IP addresses, request metadata, cached responses | Global edge network (primary: United States) |
| Stripe Inc. (Privacy Policy) | Payment processing, PCI-DSS compliance | Tokenized payment methods, transaction amounts, customer billing info (Stripe is PCI Level 1 Service Provider) | United States, global processing infrastructure |

Updates to Sub-processors: We may add or change sub-processors from time to time. Material changes will be announced via email to registered customers at least 30 days in advance. You may object to a new sub-processor by contacting privacy@tab-pos.com.

Data Processing Addendum (DPA): Enterprise customers may request a formal DPA at support@tab-pos.com.