All Legal Documents

Privacy & Security Policy

Version 1.0.0 — Effective January 1, 2025

Privacy & Security Policy

Last Updated: January 1, 2025

In Simple Terms

  • We only collect the data needed to run your restaurant operations effectively.
  • We don't sell your data to advertisers or third parties—ever.
  • All payments are processed securely by Stripe (PCI-DSS Level 1 certified).
  • You control your account and can request data export or deletion anytime.

Privacy Policy

SSP Systems Ltd. ("we," "us," or "our") operates the SSP Manager platform (the "Service"). This Privacy & Security Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Company Information

  • Legal Name: SSP Systems Ltd.
  • Location: Ontario, Canada
  • Contact: support@ssppos.com

We are committed to protecting your privacy and complying with applicable privacy laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the European Union's General Data Protection Regulation (GDPR).

Age Requirement

The Service is intended for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us immediately.

Data We Collect

1. Identity & Access Information

Name, email address, phone number, role, and organization/restaurant association for account creation and authentication.

2. Business Data

Restaurant details including locations, menus, categories, tables, staff information, and shift schedules necessary to operate your business through our platform.

3. Transaction Data

Orders, sales records, tips, discounts, payment information (processed securely via Stripe), and invoices for financial reporting and compliance.

4. Operational Data

Staff clock-in/out times, performance metrics, and table assignments to facilitate workforce management and operational efficiency.

5. Guest Data (Scan Split Pay)

Guest orders, payment preferences, and QR code session data when using our Scan Split Pay feature.

How We Use Your Data

We use the collected information for the following purposes:

  • Providing and maintaining the Service
  • Processing payments and transactions
  • Managing your account and authentication
  • Generating business analytics and reports
  • Communicating with you about updates, support, and service-related notices
  • Complying with legal obligations (tax reporting, financial audits)
  • Improving our Service and developing new features
  • Ensuring security and preventing fraud

Third-Party Services

Payment Processing

We use Stripe (Stripe Connect, Stripe Terminal, Tap-to-Pay, Checkout, and Billing Portal) for payment processing. Stripe is PCI-DSS Level 1 certified. We do not store raw credit card data; only secure tokens provided by Stripe.

Hosting & Infrastructure

We use Amazon Web Services (AWS) for hosting and infrastructure, including RDS (databases), Lightsail, Redis, RabbitMQ, Soketi (websockets), and S3 for media storage. All data is stored in encrypted volumes with regional redundancy.

Email & SMS Communications

We use Laravel Mail + SMTP for email delivery and AWS SNS for SMS notifications.

Development & Collaboration

We use GitHub Actions for continuous integration and Pusher for certain real-time websocket events.

Data Sharing

We do not sell or commercially share your data. We only share data with:

  • Payment processors (Stripe) to process transactions
  • Government authorities when required for financial, tax, or legal compliance
  • Service providers who assist in operating our platform (under strict data protection agreements)

Security Measures

We implement industry-standard security measures to protect your data:

Encryption

  • In Transit: All connections are encrypted using TLS/SSL protocols
  • At Rest: Database encryption via PostgreSQL RDS encrypted volumes; backups are encrypted on AWS
  • Secrets Management: Environment variables are used for sensitive data and rotated per environment

Authentication & Access Control

  • Standard Authentication: Email/password with salted and hashed credentials (Laravel Fortify)
  • Multi-Factor Authentication (MFA): Support for TOTP, email, and SMS-based 2FA
  • Role-Based Access Control (RBAC): Fine-grained permissions using Spatie Laravel Permission with custom role enums
  • Single Sign-On (SSO): Planned for enterprise tier

Backups & Disaster Recovery

  • Database Backups: Daily automated snapshots via RDS, retained for 14-30 days
  • Application Data: S3 versioning and backup scripts for redundancy
  • Location: AWS with regional redundancy for disaster recovery

Payment Security

All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified. SSP Systems Ltd. does not store raw cardholder data—only secure Stripe tokens and identifiers.

Security Monitoring

We actively monitor our systems for security threats and maintain comprehensive logs. Our monitoring includes:

  • Unauthorized access attempts and failed login spikes
  • Suspicious transaction patterns and anomalous behavior
  • System intrusion detection and prevention
  • Regular security audits and vulnerability assessments

Security logs are typically retained for 12-24 months depending on system rotation policies and compliance requirements.

Data Retention

  • Core Business Data: Retained as long as your organization account is active
  • Payment Data: Stored by Stripe according to their retention policies; we only store tokens and identifiers
  • Logs & Backups: Typically retained for 12-24 months, depending on system rotation
  • Account Deletion: Upon account closure, your data is permanently deleted within 90 days unless we are legally required to retain it for tax, audit, or regulatory compliance purposes. You may request immediate deletion by contacting us.

Your Privacy Rights

Under PIPEDA (Canada) and GDPR (EU, where applicable), you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request corrections to inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to Data Portability: Request your data in a structured, machine-readable format
  • Right to Restrict Processing: Request limitation on how we process your data
  • Right to Withdraw Consent: Withdraw consent for data processing where consent was the legal basis
  • Right to Object: Object to certain types of data processing

To exercise any of these rights, please contact us at support@ssppos.com.

International Data Transfers

SSP Manager is designed for international use across Canada, the United States, and Europe. Currently, we primarily serve Canadian customers, with readiness to support multiple jurisdictions.

When data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Data Processing Agreements with service providers
  • Standard Contractual Clauses (where applicable)
  • Compliance with PIPEDA and GDPR requirements

Cookies & Tracking

We use essential cookies to maintain your session and authentication state. We do not use third-party analytics services like Google Analytics.

Current Practice: Only essential, functional cookies are used for authentication and session management.

Future Analytics: If we introduce analytics in the future (such as Amplitude, PostHog, or similar), we will update this policy and provide opt-out options where required. Any analytics implemented will be first-party and used solely for operational improvement and product development—never for advertising or commercial data sharing.

Changes to This Policy

We may update this Privacy & Security Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last Updated" date.

We encourage you to review this policy periodically for any changes. Your continued use of the Service after any modifications indicates your acceptance of the updated policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy & Security Policy or our data practices, please contact us:

SSP Systems Ltd. Location: Ontario, Canada Email: support@ssppos.com

For privacy-related inquiries, please include "Privacy Request" in the subject line.

This policy is effective as of January 1, 2025.