StorefrontsPOSBETA
Download
Legal

Privacy notice
& policies

Last updated: 2026-04-14

How we collect, use and protect personal data — and your rights under the GDPR and equivalent data protection laws.

Jump to section+

1. Introduction

Novalink Enterprises Ltd. ("Novalink Enterprises", "we", "us", "our") provides Storefronts POS, a desktop point-of-sale application for retail, hospitality, restaurant and warehouse businesses. This notice explains how we collect, use and protect personal data, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Kenya Data Protection Act 2019 and other applicable data protection laws.

For the purposes of this notice, Storefronts is the data controller for personal data we collect about you when you visit this website, register for an account or contact us. When you use Storefronts POS to process information about your own customers, employees or suppliers, you are the data controller of that information and Storefronts is your data processor. The terms of our Data Processing Addendum (DPA) apply.

2. Personal data we collect

Account & identity data — provided directly by you when you sign up:

  • Full name and email address
  • Business name, country and business type
  • Hashed authentication credentials

Billing data — collected by our payment processor on our behalf:

  • Billing name and address
  • Subscription plan and billing history
  • We never see or store full payment card numbers

Usage & technical data — collected automatically:

  • IP address, browser type and operating system
  • Pages viewed on this marketing site and timestamps
  • Anonymised, aggregated crash reports from the desktop app (opt-out in Settings → Privacy)

Customer data you process through Storefronts POS:

  • Storefronts POS is offline-first — your business data lives on your own device by default
  • When you enable cloud sync, the data your business chooses to upload is processed by us strictly under your instructions, as your processor
  • We do not access, mine, sell or train models on customer data you process through the application

3. How we use your data and our legal basis

We process personal data only where we have a lawful basis under Article 6 of the GDPR. The table below summarises the purposes for which we process data and the corresponding legal basis.

Performance of a contract (Art. 6(1)(b)):

  • Creating and managing your account
  • Providing the Storefronts POS service and cloud sync where enabled
  • Processing subscription payments and issuing invoices
  • Providing customer support

Legitimate interests (Art. 6(1)(f)):

  • Securing our service against fraud, abuse and unauthorised access
  • Improving product quality through aggregated, anonymised usage analytics
  • Communicating service updates and security advisories

Legal obligation (Art. 6(1)(c)):

  • Retaining invoicing records to meet tax and accounting requirements
  • Responding to lawful requests from public authorities

Consent (Art. 6(1)(a)):

  • Sending optional marketing communications — you can withdraw consent at any time
  • Setting non-essential cookies

4. Sharing and sub-processors

We do not sell, rent or trade personal data. We share data only with vetted sub-processors who help us run the service, and only to the extent strictly necessary. Each sub-processor is bound by a written contract requiring confidentiality and GDPR-equivalent protections.

Categories of sub-processors we engage:

  • Cloud infrastructure provider — hosts the optional cloud sync backend
  • Payment processor — handles subscription billing
  • Email delivery provider — sends transactional and account notifications
  • Error monitoring service — receives anonymised crash reports when opted in

A current list of named sub-processors is available on request from privacy@novalinklabs.com. We notify customers of material changes to our sub-processor list before they take effect.

5. International data transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom or Kenya to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) and carry out a transfer impact assessment to ensure your data continues to receive an essentially equivalent level of protection.

6. Data retention

  • Account data — retained for the lifetime of your account and deleted within 90 days of account closure, unless we are required to retain it longer to meet a legal obligation.
  • Billing records — retained for 7 years to comply with tax and accounting laws.
  • Support correspondence — retained for 3 years from the date of last contact.
  • Anonymised analytics — retained indefinitely as it no longer identifies you.
  • Customer data you process through Storefronts POS — retained and deleted in accordance with your instructions as the controller.

7. Your data protection rights

Under the GDPR and equivalent laws you have the following rights in relation to your personal data. To exercise any of these rights, contact privacy@novalinklabs.com. We will respond within one month and there is no charge for routine requests.

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your personal data, subject to legal retention requirements.
  • Right to restriction (Art. 18) — ask us to limit how we process your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — contact your local supervisory authority if you believe we have not handled your data properly.

8. Cookies and analytics

This marketing site uses a small number of strictly necessary cookies to remember your preferences (such as light or dark mode). We do not use third-party advertising cookies. If we introduce optional analytics cookies in future, we will request your consent through a cookie banner before any non-essential cookie is set.

9. Children's data

Storefronts POS is a business application and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@novalinklabs.com and we will delete it.

10. Security

We protect personal data using appropriate technical and organisational measures consistent with industry good practice and Article 32 of the GDPR. This includes encryption of data in transit and at rest, strict access controls, continuous monitoring, regular security reviews and prompt application of security updates.

For the protection of all our customers we do not publish details of our internal security architecture. If you have a contractual need for additional information, our security team is available to walk qualified customers through our controls under NDA.

If you believe you have discovered a vulnerability in Storefronts POS, please report it responsibly to security@novalinklabs.com. We acknowledge reports within 48 hours and will keep you informed as we investigate. We do not pursue legal action against researchers acting in good faith.

11. Changes to this notice

We may update this notice from time to time to reflect changes in our service, our sub-processors or applicable law. Material changes will be announced on this page and via in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Terms of service

By installing or using Storefronts POS you agree to these terms. The software is provided on an "as is" basis under the licence shipped with the build, without warranty of any kind to the maximum extent permitted by applicable law. Nothing in these terms limits any rights you have as a consumer that cannot lawfully be excluded.

You are responsible for the data you enter into the system, for keeping your credentials safe, and for complying with the laws of the jurisdictions in which you operate. You must not attempt to reverse engineer, decompile or interfere with the security of the application except to the extent expressly permitted by law.

13. Refund policy

The Demo plan has no charge, so there is nothing to refund.

Paid plans (Starter, Growth, Business and Enterprise) include a 30-day money-back guarantee. If you are not satisfied within the first 30 days of a new subscription, contact us and we will issue a full refund.

After 30 days, monthly subscriptions can be cancelled at any time and will end at the close of your current billing period. We do not pro-rate refunds for partial months unless required by applicable consumer law.

14. Acceptable use

You agree not to use Storefronts POS to sell goods or services that are illegal in your jurisdiction, to defraud customers, to launder money, to evade taxes, or to process the personal data of any individual unlawfully.

We reserve the right to suspend or terminate accounts that violate this policy or that put other customers at risk. Where possible we will give notice and an opportunity to remedy before suspension.

15. Contact us

For privacy or data protection enquiries, including to exercise any of the rights set out in section 7, contact privacy@novalinklabs.com. For security reports, contact security@novalinklabs.com. For all other legal enquiries, contact legal@novalinklabs.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence.

Privacy enquiries: privacy@novalinklabs.com · Security: security@novalinklabs.com