Privacy Policy

Last updated: 2026-05-05 | Version 1.0 (v1.3.4) | Tingting POS

Your data, your rights. Tingting POS is built for Lao businesses. This policy explains exactly what we collect, why, and how you can control it. Questions? Email bangkeokhonsamai@gmail.com

1. Introduction

Tingting POS ("we", "our", or "us") is operated by Bangkeo Khonsamai, Vientiane, Lao PDR. This Privacy Policy explains how we collect, use, store, and protect information when you use the Tingting POS mobile application ("the App").

By using the App you agree to the practices described in this policy. If you do not agree, please do not use the App.

2. Data Controller

App name: Tingting POS
Operator: Bangkeo Khonsamai
Location: Vientiane, Lao PDR
Privacy contact: bangkeokhonsamai@gmail.com

3. Data We Collect

3.1 Account Information

When you register, we collect:

Email address
Phone number
Full name (display name)
Shop name / business name

3.2 Business Data

Generated through your use of the App:

Orders and sales records (items, quantities, amounts, cashier ID, timestamps)
Customer records you create (name, phone, loyalty points)
Inventory records (products, stock levels, adjustments)
Staff/member records (role, join date, attendance records)
Shop settings (tax rate, receipt template, printer configuration)

3.3 Device & Technical Data (via Firebase Crashlytics)

Device model and operating system version
App version number
User ID (anonymous — never your name, email, or phone)
Printer hardware type and paper width (for print quality diagnostics)
App crash reports and error logs

3.4 Data We Do NOT Collect

Precise or approximate location / GPS coordinates
Device contacts or address book
Photos beyond those you voluntarily upload (shop logo, product images)
Microphone audio or voice recordings
Biometric data beyond on-device Face ID (Face ID data never leaves your device)
Financial account numbers or card details

4. How We Use Your Data

Purpose	Legal Basis
Provide core POS functionality (sales, inventory, staff management)	Contract performance
Send push notifications for offline alerts and threshold warnings	Legitimate interests
Diagnose crashes and improve app stability via Crashlytics	Legitimate interests
Respond to privacy requests (export, deletion, correction)	Legal obligation
Retain tax records for 5 years per Lao tax law	Legal obligation
Process AI assistant queries (with your explicit action)	Consent

5. Sub-Processors (Third Parties)

We share data with the following services to operate the App:

Processor	Purpose	Data Shared	Region
Google Firebase (Firestore, Auth, Storage, Functions, Crashlytics)	Database, authentication, file storage, serverless compute, crash reporting	Account info, business data, anonymised device info	asia-southeast1 (Singapore)
Anthropic (Claude API)	AI assistant — answers business questions, generates reports	Text of your query only; no PII beyond session context	United States
Google (Gemini API)	AI assistant — visual recognition, report generation	Text of your query only; no PII beyond session context	United States
DeepSeek (DeepSeek API)	AI assistant — alternative AI engine	Text of your query only; no PII beyond session context	China

* Gemini API and DeepSeek API are planned integrations scheduled before V1.4 launch. They will be verified as active before the app is published on Google Play Store.

6. Data Storage & Retention

Storage location: Google Firebase, asia-southeast1 region (Singapore)
Active accounts: Data retained while your account is active
Account deletion: Personal information (name, email, phone) anonymised immediately. Orders and inventory records retained for 5 years from deletion date to comply with Lao tax and audit law, then archived. All retained records reference a synthetic anonymous user ID, not your personal details.
Crash data: Retained per Google Firebase retention policy (90 days for raw data)

7. Your Rights

You have the following rights regarding your personal data:

Access — View your profile and business data within the App
Export — Download your data as a JSON file via Settings → Export My Data (1 export per 24 hours)
Deletion (Right to be Forgotten) — Delete your account via Settings → Delete My Account. Personal information will be anonymised immediately. Orders and inventory data retained 5 years per legal requirements.
Correction — Update your profile information in App settings
Withdrawal of Consent — Stop using the AI assistant to withdraw consent for AI data processing. Crash reporting is disabled in debug builds.
Complaint — Lodge a complaint with Lao PDR data protection authority

To exercise any right, contact: bangkeokhonsamai@gmail.com. Response within 30 days.

8. Security

Firebase Security Rules restricting data access to authorised users only
All data transmitted over HTTPS/TLS
Firebase Authentication for account access control
Re-authentication required before account deletion
Server-side validation via Cloud Functions for privileged operations
No personally identifiable information stored in crash logs (user ID only)

9. Children's Privacy

Tingting POS is a business point-of-sale application intended for adults operating retail businesses. We do not knowingly collect personal data from individuals under 18 years of age.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.

Continued use of the App after changes take effect constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions, requests, or complaints:
Email: bangkeokhonsamai@gmail.com
Response time: Within 30 days