Privacy Policy
Oak and Anchor Tech LLC ("Oak and Anchor", "we", "us") operates LEMON POS. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. We aim to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and Thailand's Personal Data Protection Act (PDPA), among other applicable laws.
1. Who we are
The data controller is Oak and Anchor Tech LLC, a U.S. limited liability company. LEMON POS is a product of Oak and Anchor Tech.
If you have questions about this policy or wish to exercise any of your rights, contact: support.lemonpos@gmail.com
2. What personal data we collect
Identity & contact data: name, email address, business name, phone number (optional), country.
Account data: login credentials, security tokens, language preference.
Operational data (POS): menu items, sales records, staff records, customer-facing content you enter into the product. This data is stored on your device first and syncs to our servers only when you choose to sync it.
Technical data: IP address (truncated for analytics), device type, browser, approximate location at country/city level.
Usage data: pages visited, features used, login timestamps, error reports.
Billing data: handled by our payment processor — see Section 5.
We do not collect special categories of data (health, religion, race, sexual orientation, biometric, genetic). If you accidentally enter such data, please notify us so we can delete it.
3. Lawful basis (GDPR) and purposes
Performance of contract: to provide the LEMON POS service you signed up for.
Legitimate interests: to operate, secure, debug, and improve our service, balanced against your rights and freedoms.
Consent: for marketing emails (you can withdraw consent at any time).
Legal obligation: to keep records for tax, accounting, and law-enforcement requests.
4. How we use website analytics
We use Plausible Analytics, a privacy-friendly, cookieless analytics tool hosted in the EU. It does not collect personal data, does not use cross-site tracking, and does not require a cookie banner.
We do not use Google Analytics, Facebook Pixel, or any advertising trackers.
5. Payments — handled by Lemon Squeezy (Merchant of Record)
When you purchase a paid plan, the transaction is processed by Lemon Squeezy, our Merchant of Record. Lemon Squeezy collects your billing details, processes your payment, calculates and remits applicable taxes (VAT, GST, sales tax) on our behalf, and issues compliant invoices.
Lemon Squeezy is the data controller for your billing data. Their privacy policy applies: lemonsqueezy.com/privacy.
We receive only summary information (your name, email, country, and order details) needed to provide your subscription. We do not see or store your full credit-card number.
6. Sub-processors and data sharing
We use the following sub-processors:
Hetzner Online GmbH (Germany) — server infrastructure (servers located within the EU).
Lemon Squeezy LLC (USA) — payment processing and Merchant of Record.
Resend (USA) — transactional email delivery.
Plausible Insights OÜ (Estonia) — privacy-friendly analytics.
Cloudflare (USA / global) — DNS, CDN, and DDoS protection.
We have data processing agreements with each sub-processor where required.
We do not sell your personal data, and we do not share it with advertisers, social media platforms, or data brokers.
7. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA) or the United Kingdom. Where we transfer personal data internationally, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) or transfers to countries with an adequacy decision.
8. Retention
Active account data: while your account is active.
Closed account data: retained for 90 days in case you change your mind, then permanently deleted.
Billing records: 7 years (Lemon Squeezy retention policy applies for invoice records).
Analytics: 12 months in aggregated form.
Backups: 30-day rolling backups.
Email correspondence: 24 months, then deleted.
9. Your rights (GDPR & UK GDPR)
Right of access — receive a copy of your personal data.
Right to rectification — correct inaccurate personal data.
Right to erasure — request deletion of your personal data ('right to be forgotten').
Right to restrict processing.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object to processing based on our legitimate interests.
Right to withdraw consent at any time, where processing is based on consent.
Right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany).
To exercise any right, email support.lemonpos@gmail.com. We respond within 30 days.
10. Your rights (CCPA / CPRA — California residents)
Right to know what personal information we collect, use, disclose, and sell or share.
Right to delete your personal information.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
Right to non-discrimination for exercising any of these rights.
To exercise any right, email support.lemonpos@gmail.com.
11. Your rights (PDPA — Thailand residents)
If you are located in Thailand, you have rights under the Personal Data Protection Act B.E. 2562 substantially similar to those described under GDPR above.
You may also lodge a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th.
12. Security
All data in transit is encrypted with TLS 1.3.
Data at rest is encrypted with AES-256.
We maintain daily backups and test restores quarterly.
Despite our efforts, no system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you without undue delay, and within 72 hours where required by law.
13. Children
LEMON POS is not directed at, and we do not knowingly collect personal data from, children under the age of 16. If we learn that we have collected such data, we will delete it promptly.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to active users by email and posted on this page with the updated date. Continued use of the service after changes constitutes acceptance of the updated policy.
Questions, requests, or complaints: support.lemonpos@gmail.com