Privacy Policy

Effective date: October 10, 2025

At Sciometa Oy ("Sciometa", "we", "our", or "us"), your privacy matters. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our comprehensive restaurant management ecosystem, including our Point of Sale (POS) applications, Kitchen Display Systems (KDS), Back Office Systems (BOS), Server Display Systems (SDS), and web applications.

We are committed to handling personal data responsibly, transparently, and in compliance with the General Data Protection Regulation (EU 2016/679) ("GDPR") and other applicable privacy laws in Finland and the European Union.

If you have any questions about this Policy or your personal data, please reach us at hello@sciometa.com.

1. Who We Are

Sciometa Oy develops and provides a comprehensive restaurant management ecosystem that includes point-of-sale (POS) systems, kitchen display systems, back office management tools, and customer-facing displays that help restaurants run their operations efficiently across mobile applications, web platforms, and dedicated hardware devices.

Depending on the context, Sciometa may act as:

  • a Data Controller, when we collect and process information directly from you (e.g., account registration); or
  • a Data Processor, when we process information on behalf of our business customers (for example, customer or employee data entered into the POS system).

2. What Data We Collect

Our restaurant management ecosystem processes various types of data to provide comprehensive POS, kitchen management, back office, and customer display services. The data we collect varies depending on which applications and services you use:

a. Personal Data

User Registration & Authentication:

  • Email addresses (primary identifier for authentication)
  • Full names and phone numbers
  • Avatar URLs (profile pictures)
  • Login credentials and account settings
  • Authentication tokens and session data
  • Last login timestamps and account creation dates
  • Google OAuth data (when using Google Sign-In)

Business Information:

  • Organization names, business addresses, and contact information
  • Business registration numbers and tax identifiers
  • Logo URLs and branding assets
  • Store locations, addresses, and operational details
  • Employee information including roles and permissions

Customer Data (Limited):

  • Customer email addresses and phone numbers (optional, for receipts and notifications)
  • Order preferences and special requests
  • Table numbers and call numbers for order identification

b. Business Operations Data

Transaction & Order Data:

  • Order details including items, quantities, prices, and modifications
  • Payment information including payment types, amounts, and transaction IDs
  • Order status tracking and kitchen preparation times
  • Receipt data and billing information
  • Tax calculations and discount applications
  • Dining options (dine-in, takeout, delivery)

Inventory & Product Data:

  • Product information including names, descriptions, prices, and SKUs
  • Inventory levels, stock tracking, and movement history
  • Product categories, images, and barcode data
  • Cost information and pricing data

Analytics & Performance Data:

  • Sales performance metrics and business intelligence
  • Kitchen efficiency scores and preparation time analytics
  • Staff performance metrics and operational insights
  • Peak hours analysis and demand patterns

c. Technical Data

Device Information:

  • Device IDs, MAC addresses, and hardware identifiers
  • Device types (POS terminals, kitchen displays, tablets, mobile devices)
  • IP addresses and network connectivity data
  • Device configuration settings and status information
  • Screen resolution, display settings, and audio preferences

Usage & System Data:

  • Application logs, error reports, and diagnostic data
  • Performance metrics and system monitoring data
  • API usage statistics and connection logs
  • Session information and authentication tokens
  • WebSocket connection data and real-time synchronization logs

Camera & QR Code Data:

  • QR code scanning for device setup and configuration (KDS, SDS systems)
  • Barcode scanning for inventory management
  • Note: No photos or videos are stored; only scanning results are processed

d. Third-Party Data

  • Payment processing data from SumUp and other payment providers
  • Google authentication data when using Google Sign-In
  • Email service data from our communication providers
  • Cloud infrastructure data from our hosting providers (Supabase)

3. How We Use Your Information

We use personal data only when we have a valid legal reason to do so. Common purposes include:

  • Creating and managing your account
  • Providing and maintaining our Services
  • Processing payments and fulfilling transactions
  • Offering customer support and troubleshooting issues
  • Sending service updates or essential notices
  • Improving and developing new features
  • Meeting legal and regulatory requirements
  • (With your consent) sending marketing or educational content you may find useful

We never sell your personal data, and we only share it when it's necessary to operate or improve our Services.

4. Sharing Your Information

We may share your personal data with the following categories of third parties:

Service Providers:

  • Supabase - Cloud database hosting, authentication, and real-time data synchronization
  • SumUp - Payment processing
  • Google - Authentication services (when you choose to sign in with Google)
  • Resend - Email delivery services for receipts and notifications
  • Sentry - Error tracking and performance monitoring

Other Sharing:

  • Business partners or integrations you choose to connect with
  • Legal authorities if required by law or to protect our legal rights
  • Professional advisors (lawyers, accountants, auditors) under confidentiality agreements
  • Potential buyers in case of business sale or merger (with prior notice)

All third parties that process data on our behalf are bound by strict confidentiality agreements and GDPR-compliant data processing agreements. We ensure they implement appropriate security measures and only process data for the specific purposes we've authorized.

5. Data Retention

We keep your personal data only for as long as it's needed for the purposes stated in this Policy, or as required by law.

Data Deletion:

We keep your personal information only for as long as we need it to operate our restaurant management services or as required by law.

After you close your account, we may still need to keep some of your information and transaction records. This could be necessary to meet legal requirements, respond to government requests, handle disputes, fix service issues, conduct security investigations, enforce our terms of service, or fulfill other lawful business purposes. We only retain data for these purposes when we have a legitimate reason and for the minimum time period required.

Once we no longer have a valid business or legal reason to keep your personal information, we will permanently delete it or remove all identifying details to make it anonymous.

6. International Data Transfers

Sciometa stores and processes most customer data within the European Union.

If we transfer data outside the EEA, we use Standard Contractual Clauses or other approved safeguards to ensure your information remains protected.

7. Your Rights

Under the GDPR, you have several rights regarding your personal data:

  • Access – Request a copy of the data we hold about you.
  • Correction – Ask us to update or fix inaccurate information.
  • Deletion – Request removal of your data when it's no longer necessary.
  • Restriction – Limit how we process your data in certain cases.
  • Portability – Request your data in a machine-readable format.
  • Objection – Object to processing, including direct marketing.
  • Withdraw consent – If you've given consent for specific processing, you can withdraw it at any time.

To exercise any of these rights, email us at hello@sciometa.com. We may need to verify your identity before fulfilling your request.

8. Security

We use industry-standard technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.

This includes encryption (TLS/HTTPS), access control, and secure data storage environments. While no system is 100% secure, we take all reasonable steps to minimize risk.

9. Children's Privacy

Our Services are designed for business users and are not intended for children under 16.

We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us immediately at hello@sciometa.com.

10. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal obligations.

When we make material updates, we will notify you through our website or by email. The updated version will always include a revised "Effective Date."

11. Contact Us

If you have any questions about this Privacy Policy or how your personal data is handled, please contact us:

Sciometa Oy

Mekaanikonkatu 19, Helsinki, Finland

📧 hello@sciometa.com