Back to Home

Privacy Policy

BrewOS POS | Bscale Labs

Effective Date: May 7, 2026 · Version 1.0

This Privacy Policy explains how Bscale Laboratories, Incorporated, doing business as Bscale Labs ("Bscale Labs," "we," "us," or "our") collects, uses, stores, protects, and discloses information in connection with BrewOS POS, including the BrewOS back office, POS terminal, API, support services, and related websites or documentation (collectively, the "Service").

BrewOS POS is built for business operations such as point-of-sale recording, order management, inventory tracking, shift management, reporting, device management, and audit logging. It is not a tax-integrated POS, payment processor, payroll system, or tax advisory service.

This Privacy Policy should be read together with the BrewOS POS Terms of Service and any separate order form, service agreement, statement of work, data processing agreement, or written contract between Bscale Labs and the customer organization.

This Privacy Policy covers BrewOS POS as a product and service. The bscalelabs.com marketing website where this policy is published has its own site Privacy Policy.

1. Roles Under Privacy Law

For purposes of the Philippine Data Privacy Act of 2012 and its implementing rules:

  • For account administration, billing, customer relationship management, support, security, product operations, and communications between Bscale Labs and a customer organization, Bscale Labs generally acts as a Personal Information Controller.
  • For data that a customer organization, its staff, or its authorized devices enter into BrewOS POS while running their business, the customer organization generally acts as the Personal Information Controller, and Bscale Labs generally acts as a Personal Information Processor or service provider.
  • A customer organization is responsible for giving any required privacy notices to its owners, managers, employees, contractors, cashiers, baristas, customers, suppliers, and other people whose information may be entered into the Service.

If a separate written agreement assigns different privacy roles, that written agreement controls.

2. Information We Collect

Account and Staff Information. We may collect and process information about users authorized by a customer organization, including name or display name, email address, assigned branch, role and permission assignments, account status, login history, failed login or PIN attempt metadata, password and PIN hashes, and session records. Passwords and POS PINs are stored as hashes, not as plain text.

Business and Branch Information. The Service may collect and process business configuration data, including branch names and addresses; branch payment settings such as e-wallet QR codes; device names, types, activation status, activation timestamps, and sync timestamps; menu categories, products, variants, modifiers, SKUs, descriptions, pricing, and availability; and inventory categories, items, stock units, reorder thresholds, deduction rules, stock movements, and stock alerts.

Sales and Operational Information. The Service may collect and process operational records, including orders, order line items, payment method records for cash and e-wallet payments, payment amounts and proof references, open tickets and cart data, shift records and cash movements, receipts, X-reports and Z-reports, exports, and audit events showing who performed an action, when, from which branch or device, and whether the action succeeded or failed.

BrewOS POS does not currently process card numbers through an integrated card processor. If a customer organization records e-wallet proof information, the organization should avoid entering unnecessary sensitive personal information.

Device, Sync, and Local Storage Information. The POS terminal may store information locally on the device so the business can continue operating during limited connectivity. Local information may include the device token and details, the current staff session, cached menu, staff, order, payment, ticket, shift, print, audit, and sync data, offline authorization proofs, and sync outbox records.

The browser-based back office stores an access token in browser local storage. The POS terminal stores device and staff session tokens in local storage and stores offline records in local device storage through the Tauri SQL layer. Customer organizations should secure their devices, restrict access to authorized staff, and promptly disable lost, stolen, or retired POS devices from the back office.

Security, Log, and Technical Information. We may collect technical information needed to secure and operate the Service, including IP address, user agent, request path, status code, duration, request ID, device identifiers, authentication mode, rate-limit records, error records, and audit metadata. We redact sensitive headers such as authorization tokens, cookies, API keys, device tokens, and session tokens from structured logs where implemented.

Support and Communications. If you contact us, we may collect your name, email address, organization name, role or job title, message contents, and any screenshots, files, logs, or other materials you choose to send. Please do not send passwords, PINs, bearer tokens, device tokens, payment proof images containing unnecessary personal information, or other sensitive data through support channels unless we specifically request it through a secure process.

3. Information Entered by Customer Organizations

Customer organizations control what they enter into the Service. Depending on how the Service is used, personal information may appear in free-text fields such as open ticket names, order notes, refund/void/discount reasons, inventory movement notes, shift close notes, petty cash notes, payment proof references, and support attachments.

Customer organizations should not use these fields to store sensitive personal information unless necessary for a lawful business purpose and covered by an appropriate privacy notice.

4. How We Use Information

  • To provide, operate, secure, and maintain the Service.
  • To authenticate users and authorized POS devices.
  • To manage staff roles, permissions, and access controls.
  • To process operational records such as orders, shifts, inventory movements, reports, receipts, sync events, and audit trails.
  • To support offline-capable POS operation and later synchronization.
  • To detect, prevent, investigate, and respond to abuse, unauthorized access, fraud, security incidents, and operational errors.
  • To provide customer support, troubleshooting, maintenance, deployment, migration, and implementation assistance.
  • To generate operational reports and exports requested by authorized users.
  • To improve reliability, performance, usability, and security.
  • To comply with legal obligations, enforce agreements, and protect rights, property, and safety.

5. Legal Bases and Lawful Grounds

Depending on the context and applicable law, we may process personal information based on consent where required and validly obtained; contractual necessity, including providing the Service to a customer organization; compliance with legal obligations; legitimate business interests such as security, fraud prevention, service reliability, support, and product improvement; and the lawful instructions of a customer organization when we act as its service provider or Personal Information Processor.

6. Cookies and Browser Storage

The Service may use cookies, browser local storage, device storage, and similar technologies for authentication and session management, device activation and identification, local POS operation, offline caching and sync, user interface state and reliability, and security and abuse prevention.

The BrewOS POS product itself does not currently use product analytics or error-monitoring tools that profile end users. If analytics, error monitoring, or marketing cookies are added later, this policy and the sub-processor list will be updated accordingly.

7. Local POS Storage and Offline Mode

BrewOS POS is designed to keep stores operating during connectivity issues. The POS terminal may store business and operational records locally until the device can sync with the server. Local records may include staff snapshots, menu snapshots, orders, payments, open tickets, shifts, refunds, cash movements, Z-reports, print attempts, audit events, and sync outbox events.

Customer organizations are responsible for:

  • Keeping POS devices physically secure.
  • Using device lock screens and operating-system protections.
  • Limiting device access to authorized staff.
  • Disabling lost or stolen devices promptly.
  • Avoiding unnecessary personal information in notes and ticket names.
  • Syncing devices regularly so local records are transferred to the server.

8. How We Share Information

We do not sell personal information.

We may share information in the following limited circumstances:

  • With the customer organization and its authorized users.
  • With service providers and sub-processors that help us host, operate, secure, back up, maintain, or support the Service.
  • With professional advisers, such as lawyers, accountants, auditors, insurers, or security consultants, where reasonably necessary.
  • With government authorities, courts, regulators, or law enforcement when required by law or valid legal process.
  • In connection with a business transfer, merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate confidentiality protections.
  • To protect the rights, property, safety, security, and integrity of Bscale Labs, the Service, customer organizations, users, or others.

9. Service Providers and Sub-Processors

The Service may use infrastructure and service providers for hosting, database services, cache services, network protection, backup storage, monitoring, support, and similar operations. Categories may include hosting and application runtime providers such as Railway or equivalent; managed database and cache infrastructure for PostgreSQL and Redis; network protection or rate-limiting providers such as Cloudflare or equivalent; S3-compatible object storage providers for encrypted backups, if configured; and email, support, monitoring, or analytics providers, if later added and disclosed.

Sub-processors may process information in the Philippines or other countries. Where required, we use reasonable contractual and technical safeguards for cross-border processing.

10. Data Retention

We retain information for as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required by law, contract, audit requirements, accounting requirements, dispute resolution, security, or legitimate business needs.

  • Account and staff records are retained while the account or customer relationship is active and for a reasonable period afterward.
  • Operational records such as orders, reports, inventory movements, shifts, receipts, audit logs, and financial summaries may be retained for the customer organization's business, accounting, audit, and operational needs.
  • Security logs and audit events may be retained to investigate abuse, prove authorization, preserve operational integrity, and support dispute resolution.
  • Backups may retain copies of data for the configured backup retention period.
  • Local POS records may remain on a POS device until cleared, deactivated, reset, or overwritten by normal device operations.

Unless a separate agreement states otherwise, deletion or return of customer organization data after termination will be handled according to the applicable contract, support arrangement, or written instructions.

11. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information processed by the Service. Current measures may include, but are not limited to, hashed password and POS PIN storage, token-based authentication with server-side session validation, role-based and permission-based access controls, branch-scoped access checks, device activation and device tokens, rate limits on sensitive routes, account lockouts after repeated failed attempts, audit logging for security and business-critical actions, allowlisted production origins, private networking between application and data services, structured logging with sensitive header redaction, and encrypted backups where configured. Specific implementations may change over time as the Service evolves.

If we become aware of a personal data breach affecting the Service, we will notify affected customer organizations and, where required by the Philippine Data Privacy Act of 2012 and its implementing rules, the National Privacy Commission, within the timeframes required by law.

No internet service, electronic storage system, or security control is perfectly secure. We cannot guarantee absolute security. Customer organizations must also maintain appropriate security practices for their own devices, networks, staff access, and internal procedures.

12. Your Privacy Rights

Depending on your jurisdiction and relationship to the data, you may have rights to be informed about how personal information is processed; access personal information; correct inaccurate or outdated personal information; object to processing; request deletion, blocking, or restriction; withdraw consent where processing is based on consent; file a complaint with the National Privacy Commission or another competent authority; and receive damages where provided by law.

Under the Philippine Data Privacy Act of 2012, data subjects have rights including the right to be informed, object, access, rectify, erase or block, data portability where applicable, file a complaint, and receive damages where legally available.

If your information was entered into BrewOS POS by a customer organization, we may direct your request to that organization or require its authorization before acting, because the organization controls that data. To exercise privacy rights, contact us at hello@bscalelabs.com.

13. Customer Organization Responsibilities

  • Providing required privacy notices to staff, contractors, customers, suppliers, and other people whose information may be entered into the Service.
  • Obtaining any required consent or other lawful basis for processing.
  • Configuring roles and permissions appropriately.
  • Keeping user accounts, passwords, PINs, devices, and activation codes secure.
  • Disabling departed staff accounts and lost or stolen devices promptly.
  • Avoiding unnecessary sensitive personal information in notes and free-text fields.
  • Reviewing exports before sharing them outside the organization.
  • Complying with accounting, tax, employment, consumer, privacy, and business laws that apply to their operations.

14. Children's Privacy

BrewOS POS is a business operations tool. It is not directed to children. Customer organizations should not knowingly enter children's personal information into the Service unless they have a lawful basis, appropriate notices, and any required consent.

15. International Processing

The Service and its providers may process and store information in the Philippines or other countries. Data protection laws in those countries may differ from the laws in your location. Where required, we use reasonable safeguards for cross-border transfers and processing.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and provide notice in a reasonable manner, such as through the Service, by email, or through the applicable customer organization. Continued use of the Service after an updated Privacy Policy becomes effective means the updated policy applies to future use of the Service.

17. Contact Us

For privacy questions, requests, or concerns, contact:

For data subject rights requests under the Philippine Data Privacy Act of 2012, or to reach our Data Protection Officer, email hello@bscalelabs.com with "DPO" or "Privacy Request" in the subject line.

Bscale Laboratories, Incorporated
Doing business as Bscale Labs
Email: hello@bscalelabs.com
Website: https://bscalelabs.com