OpsPulse

1. Who We Are

OpsPulse (“we”, “us”, “our”) provides a restaurant operations platform that helps restaurants manage daily tasks, compliance checks, and food safety logs. This Privacy Policy explains how we collect, use, and protect personal data when you use our services, including our web application, kiosk interfaces, and future mobile applications.

2. Data We Collect

Restaurant Operators (Customers)

Account information: name, email address, organization name
Location details: restaurant name, address, operating hours
Billing information (processed by our payment provider)

Restaurant Team Members (End Users)

Name and role within the restaurant
PIN (stored using one-way cryptographic hashing — we cannot view your PIN)
Task completions, timestamps, and compliance check results
Temperature logs and food safety records
Device information (browser type, device fingerprint for security)

Data We Do Not Collect

Biometric data (fingerprints, facial recognition, voice prints)
Precise geolocation of individuals (we only verify device proximity to the restaurant)
Personal email addresses or phone numbers of team members
Browsing history or cross-site tracking data

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by the GDPR and equivalent regulations:

Performance of contract (Article 6(1)(b) GDPR): Processing employee names, PINs, and task completion data is necessary for the performance of the employment relationship and the service contract with the restaurant.
Legitimate interest (Article 6(1)(f) GDPR): Operational monitoring, food safety accountability, and security measures such as rate limiting and device fingerprinting.
Legal obligation (Article 6(1)(c) GDPR): Food safety and health code compliance data that restaurants are legally required to maintain (temperature logs, cleaning records, compliance checks).

We do not rely on employee consent as the legal basis for processing workplace data, because GDPR recognizes that the employer-employee power imbalance makes consent problematic in this context. Instead, we inform team members about data collection through a clear notice on first use.

4. How We Use Your Data

Operating and maintaining the OpsPulse platform
Recording task completions and compliance checks for operational accountability
Generating reports and analytics for restaurant operators
Maintaining food safety audit trails as required by law
Securing the platform (rate limiting, fraud prevention, session management)
Improving the service based on aggregated, anonymized usage patterns

5. Data Retention

Active team members: Data is retained for the duration of employment and active use of the platform.
After departure: Personal identifiers (name, PIN hash) are anonymized within 90 days of deactivation. Operational records (task completions, temperature logs) are retained in anonymized form to preserve the food safety audit trail.
Legal holds: Data may be retained longer when required by law (food safety records, tax records) or when necessary for legal claims.
Account deletion: When a restaurant operator closes their account, all associated data is permanently deleted within 30 days, except where retention is legally required.

6. Data Sharing

We do not sell personal data. We share data only in these circumstances:

With the restaurant operator: Team member activity data is visible to authorized managers and administrators within the same organization.
Service providers: We use Supabase for database hosting and authentication. Sub-processors are bound by data processing agreements.
Legal requirements: We may disclose data when required by law, regulation, or legal process.

7. Your Rights

Under GDPR (EU/UK)

If you are located in the European Economic Area or the United Kingdom, you have the right to:

Access your personal data
Correct inaccurate data
Request erasure or anonymization of your data
Restrict or object to processing
Data portability
Lodge a complaint with your local supervisory authority

Under CCPA (California)

If you are a California resident, you have the right to:

Know what personal information we collect and why
Access your personal information
Request deletion of your personal information
Non-discrimination for exercising your rights

We do not sell personal information and do not use it for cross-context behavioral advertising.

How to Exercise Your Rights

Team members should contact their restaurant manager, who can submit requests through the OpsPulse dashboard. Restaurant operators can contact us directly at privacy@opspulse.app. We respond to all requests within 30 days.

8. Data Controller and Processor

The restaurant operator is the data controller— they determine the purposes and means of processing team member data. OpsPulse acts as a data processor, processing data on behalf of the restaurant operator according to our Data Processing Agreement.

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest
PINs are stored using bcrypt one-way hashing
Rate limiting and lockout mechanisms prevent brute-force attacks
Session tokens expire automatically (4–12 hours depending on context)
Row-level security policies restrict data access at the database level

10. Cookies and Local Storage

OpsPulse does not use third-party tracking cookies. We use browser localStorage and sessionStorage to maintain kiosk sessions, store user preferences, and manage authentication tokens. These are strictly necessary for the service to function and are not shared with third parties.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify restaurant operators of material changes via email. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at privacy@opspulse.app.