Privacy Policy

Updated

OpticPOS (“we”, “us”, or “OpticPOS”) operates a cloud-native point-of-sale and practice-management platform for optical retailers. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable laws.

1. Who we are

OpticPOS is owned and operated by Moneti Consulting Services Pvt. Ltd., incorporated in India with its registered office in Jangaon, Telangana. For questions about this policy or your data, you can write to us at [email protected].

2. Our role

OpticPOS plays two distinct roles in the DPDP framework:

  • Data Fiduciary — when you (a store owner or staff user) register for OpticPOS, subscribe to a plan, or use our marketing site. We decide how and why your personal data is processed.
  • Data Processor — when your store captures customers’ records (prescriptions, contact details, purchase history) inside OpticPOS. You remain the Data Fiduciary for your customers; we process that data strictly on your instructions under our Data Processing Addendum.

3. What we collect

From store users (admins, managers, staff):

  • Account data — name, email, password hash, role, tenant membership, store assignments.
  • Security data — 2FA secrets, PIN hashes, recovery codes, IP addresses, device fingerprint, login timestamps.
  • Billing data — plan, subscription status, invoice history. (Card details are handled by our payment processor; we never store raw card numbers.)
  • Operational data — actions you perform (sales, returns, voids) in audit logs, support tickets, email correspondence.

From customer records entered by store users:

  • Identification — name, phone, email, address.
  • Clinical — eye prescriptions (SPH/CYL/AXIS/ADD/PD), Rx history, appointment notes, lens preferences.
  • Transactional — invoices, payment method (never full card numbers), loyalty points, returns.
  • Communications — consent flags for SMS, WhatsApp, email marketing and review requests.

4. Why we collect it

  • To provide the service you signed up for — billing, inventory, customer records, analytics.
  • To keep the service secure — block brute-force logins, detect anomalous activity, enforce RBAC.
  • To comply with law — GST invoicing, DPDP audit logs, lawful requests from authorities.
  • To improve the product — aggregated, anonymized usage analytics (we do not sell personal data, ever).
  • To communicate with you — onboarding, product updates, security alerts, sales conversations.

5. Legal basis

We process personal data on the basis of your consent (captured during sign-up and feature-specific opt-ins), contract necessity (to deliver the services you’ve paid for), legal obligation (GST, DPDP, tax records), and legitimate business interests (product security, fraud prevention, service improvement) where those interests are not overridden by your rights.

6. Who we share data with

  • Sub-processors (hosting, email delivery, analytics) — all under signed Data Processing Addendums. See Cookie Policy for the current list.
  • Payment processors — Razorpay, Stripe, and similar, solely to process subscription billing.
  • Law enforcement — only on receipt of a valid legal order under the DPDP Act or other applicable law.
  • Your tenant admins — other authorized users inside your organisation can see your activity in audit logs as part of normal RBAC.

We do not sell personal data. We do not rent mailing lists. Ever.

7. Where data is stored

Primary data is stored in India. Backups and sub-processor systems (for example, email delivery) may briefly route data through servers in Singapore, the EU, or the US in compliance with DPDP cross-border transfer rules. In every case, the receiving system is contractually bound to the same protections described here.

8. How long we keep it

  • Active account data — for as long as your subscription is active.
  • Audit logs — 3 years (regulatory requirement), after which they are either rotated or anonymized.
  • Customer records entered by your store — retained for as long as your tenant exists, plus 90 days post-cancellation for restoration, then deleted.
  • Marketing site cookies — see our Cookie Policy.

9. Your rights (DPDP Act)

As a Data Principal in India, you have the right to:

  • Access the personal data we hold about you.
  • Correct or update inaccurate data.
  • Erase your personal data (subject to legal retention obligations).
  • Nominate another person to exercise these rights on your behalf.
  • Withdraw consent at any time (for processing that relies on consent).
  • Lodge a complaint with the Data Protection Board of India.

To exercise any of these rights, email [email protected]. Logged-in users can also export their data as CSV from Security → DPDP Export inside the product.

10. Security measures

  • Encryption in transit (TLS 1.2+) for every API request.
  • bcrypt-hashed passwords; TOTP-based 2FA available to every user.
  • Tenant-scoped access controls — one tenant can never see another’s data, ever.
  • IP allowlisting, idle-lock, cashier PIN switching and audit logs for sensitive actions.
  • Daily encrypted backups with point-in-time restore.

11. Children

OpticPOS is not designed for direct use by children under 18. We only process children’s data where it’s entered by a store as a patient record, with verifiable parental consent collected by the store under the DPDP Act.

12. Changes to this policy

We’ll notify you by email when this policy changes materially, with at least 14 days’ notice before the new version takes effect. The latest version always lives at this URL with its “Updated” date at the top.

13. Contact

Email [email protected]. Our registered office is in Jangaon, Telangana — email us first for the exact postal address.