At IOSnack ("we," "our," or "us"), we are committed to protecting your privacy and data security. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our SaaS platform services, including our business management modules (POS, IMS, HRM, LMS, MEDIA, Courier).
Your Data, Your Control
You own your business data. For that data you are the controller and we are the processor (see Section 3). We never sell your proprietary business information, and we disclose it to third parties only in the limited circumstances described in Section 6.
1. Information We Collect
1.1 Account Information
When you register for our platform, we collect:
- Full name and email address (required for account creation)
- Phone number (optional but recommended for account recovery)
- Company name and business information
- Password (stored only as a bcrypt hash, never in plain text or reversible form; bcrypt generates a unique salt per password)
- Profile image (if you choose to upload one)
- Google account information (if you sign in with Google OAuth)
1.2 Business Data by Module
Depending on which modules you subscribe to, we process the following types of data on your behalf:
POS (Point of Sale)
- Sales transactions, receipts, and invoices
- Customer purchase history and contact information
- Product catalog and inventory data
- Payment information (tokenized for security)
- Cashier and staff activity logs
IMS (Inventory Management System)
- Product stock levels and warehouse data
- Supplier information and purchase orders
- Inventory movement and audit trails
- SKU numbers, barcodes, and product specifications
HRM (Human Resource Management)
- Employee personal information (name, CNIC, contact details)
- Employment contracts and documents
- Salary and payroll information
- Attendance, leave records, and performance data
- Educational qualifications and work history
LMS (Learning Management System)
- Student enrollment and profile information
- Course content, materials, and assessments
- Learning progress and completion records
- Grades, certificates, and evaluation data
- Instructor information and course materials
MEDIA Module
- Uploaded media files (images, videos, audio)
- YouTube integration data and video metadata
- Media library organization and tags
- Content usage analytics
Courier Module
- Delivery addresses and recipient information
- Tracking numbers and shipment status
- GPS location data for real-time tracking
- Delivery proof and signatures
- Courier personnel information
1.3 Automatically Collected Information
When you use our platform, we automatically collect:
- IP address and geolocation data (for security and fraud prevention)
- Browser type, version, and device information
- Operating system and screen resolution
- Pages visited, features used, and session duration
- Referring website and search terms
- Login timestamps and activity logs (for security auditing)
1.4 Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication, CSRF protection, and session management (cannot be disabled)
- Analytics Cookies: Google Analytics to understand usage patterns and improve our platform
- Preference Cookies: Remember your settings, language, and display preferences
You can control cookies through your browser settings. However, disabling essential cookies will prevent you from using the platform.
2. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: Provide, maintain, and improve our SaaS platform and modules
- Account Management: Create and manage your account, process subscriptions, and handle billing
- Customer Support: Respond to your inquiries, troubleshoot issues, and provide technical assistance
- Security: Protect against fraud, unauthorized access, and security threats
- Communications: Send you service updates, billing notifications, and important announcements (with your consent for marketing)
- Analytics: Understand usage patterns to improve features and user experience
- Legal Compliance: Comply with legal obligations, tax requirements, and regulatory requests
- Backup and Recovery: Maintain automated backups to protect your data from loss
3. Data Processing Roles
3.1 You are the Data Controller
For business data stored in your modules (POS transactions, employee records, student information, etc.), you are the data controller. You determine what data to collect, how to use it, and who can access it. You are responsible for ensuring you have legal basis to process data in your business operations.
3.2 We are the Data Processor
IOSnack acts as a data processor for your business data. We process data only according to your instructions through the platform. We implement appropriate security measures to protect your data but do not control how you use it for your business purposes.
3.3 Your Responsibilities as Controller
As the data controller, you must:
- Obtain proper consent from your customers, employees, or students before entering their data
- Comply with local data protection laws (GDPR, Pakistan PECA 2016, etc.)
- Inform data subjects about how their information will be used
- Respond to data subject requests (access, deletion, correction)
- Use appropriate access controls and train your staff on data protection
- Maintain your own backup copies of critical business data
4. Data Security Measures
We implement comprehensive security measures to protect your data:
4.1 Encryption
- Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Data at Rest: Database encryption using AES-256 for sensitive fields (payment tokens, personal data)
- Password Security: All passwords are stored as bcrypt hashes (bcrypt generates and embeds a unique salt per password); they are never stored in plain text or in reversible, encrypted form
- File Encryption: Uploaded documents and media files are stored with encryption
4.2 Access Controls
- Role-based access control (RBAC) in every module
- Multi-factor authentication (MFA) available for all accounts
- Device PIN authentication for sensitive operations
- Session timeout after 30 minutes of inactivity
- Granular permissions (owners, admins, members, viewers)
- IP whitelisting option for enterprise clients
4.3 Application Security
- CSRF token protection on all forms
- SQL injection prevention (parameterized queries)
- XSS protection and input sanitization
- Development and review practices aligned with the OWASP Top 10 risk categories
- Regular security audits and vulnerability scanning
- Rate limiting to prevent brute force attacks
4.4 Infrastructure Security
- Secure hosting with DDoS protection
- Web Application Firewall (WAF)
- 24/7 server monitoring and intrusion detection
- Isolated databases per company (data segregation)
- Regular security patches and updates
- Automated backup systems (see Section 5)
4.5 Monitoring and Logging
- Real-time security event monitoring
- Comprehensive audit logs for all critical actions
- User activity tracking (login attempts, data access, changes)
- Failed login attempt monitoring and alerts
- Suspicious activity detection and automatic blocking
- Security logs retained for 90 days
5. Backup and Data Recovery
5.1 Our Backup Commitments
We maintain comprehensive backup systems:
- Automated Daily Backups: Full database backups performed daily at 2:00 AM UTC
- Incremental Backups: Database changes backed up every 6 hours
- File Backups: Uploaded media and documents backed up daily
- Geo-Redundancy: Backups stored in multiple geographic locations
- Retention Period: 30-day backup retention (rolling)
- Backup Testing: Weekly backup integrity verification
- Point-in-Time Recovery: Ability to restore to any backup point (daily full or 6-hourly incremental) within the last 30 days
5.2 Your Backup Responsibilities
Important: Client Backup Recommendation
While we maintain comprehensive backups, we strongly recommend that you export and maintain your own backup copies of critical business data regularly. Our backups are for disaster recovery, not a substitute for your own data governance practices.
We recommend you:
- Export critical data monthly (or weekly for high-frequency operations)
- Use the built-in data export features in each module
- Store exported files securely offline or in your own cloud storage
- Maintain documentation of your data structure and workflows
- Test your ability to restore from your own backups periodically
5.3 Disaster Recovery
- Recovery Time Objective (RTO): Service restoration within 4 hours of a major incident
- Recovery Point Objective (RPO): Maximum data loss of 6 hours (the interval between incremental backups)
- Failover Systems: Automated failover to backup servers
- Testing: Disaster recovery procedures tested quarterly
6. Data Sharing and Third Parties
6.1 We Do Not Sell Your Data
We never sell, rent, or trade your personal or business data to third parties for marketing purposes.
6.2 Limited Data Sharing
We may share information only in these specific circumstances:
- Service Providers: Trusted third parties who help us operate our business (hosting providers, email service, payment processors). They are contractually obligated to protect your data and use it only for specified services.
- Legal Requirements: When required by law, court order, or government regulation. We will notify you unless legally prohibited.
- Business Protection: To protect our rights, property, or safety, or that of our users, as required by law
- With Your Consent: When you explicitly authorize us to share data with a third party
6.3 Sub-Processors
We use the following sub-processors to deliver our services:
- Hosting Provider: [Your hosting provider name] (infrastructure and servers)
- Email Service: Brevo/SMTP providers (transactional emails and notifications)
- Analytics: Google Analytics (anonymized usage statistics)
- Payment Processing: [Payment gateway if applicable]
All sub-processors are carefully vetted and sign Data Processing Agreements (DPAs) to ensure GDPR compliance.
7. Data Retention
7.1 Active Account Data
We retain your account and business data for as long as your account remains active and your subscription is valid.
7.2 Module-Specific Retention
After subscription cancellation or account closure:
- POS Transaction Records: Retained for 7 years (tax and financial compliance requirements)
- IMS Inventory History: Retained for 3 years (business audit purposes)
- HRM Employee Records: Retained per labor law requirements (varies by jurisdiction, typically 5-7 years)
- LMS Learning Records: Retained per certification requirements (minimum 3 years for audit purposes)
- MEDIA Files: Deleted 30 days after subscription ends (unless you export)
- Courier Delivery Records: Retained for 2 years (logistics compliance)
7.3 Account Deletion
When you request account deletion:
- Grace Period: 30-day grace period during which you can recover your account
- Data Export: You will be offered the option to export all your data before deletion
- Permanent Deletion: After 30 days, personal data not subject to the retention periods in Section 7.2 or to a legal hold is permanently deleted from active systems
- Backup Retention: Copies in backups cycle out under the 30-day rolling retention described in Section 5.1, so deleted data may persist in backups for up to 30 days after its removal from active systems
- Legal Holds: Data may be retained longer if required by law or ongoing legal proceedings
7.4 Audit Logs
Security and audit logs are retained for 90 days, after which they are automatically purged unless flagged for investigation.
8. Your Rights and Choices
8.1 Your Data Rights
You have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to Data Portability: Receive your data in a structured, machine-readable format (CSV, JSON, XML)
- Right to Object: Object to processing of your data for specific purposes
- Right to Withdraw Consent: Withdraw consent for marketing communications or optional processing
- Right to Restriction: Request temporary restriction of processing in certain circumstances
8.2 How to Exercise Your Rights
To exercise any of these rights, contact us at contact@iosnack.com with "Data Privacy Request" in the subject line. We will respond within 30 days.
8.3 Marketing Communications
You can opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by updating your preferences in your account settings. Note that you cannot opt out of essential service communications (billing notifications, security alerts, system updates).
9. International Data Transfers
Our servers are located in [Your server location]. If you access our services from outside this region:
- Your data may be transferred to and processed in our server location
- We ensure appropriate safeguards are in place (standard contractual clauses, encryption)
- Data transfers comply with GDPR requirements for international transfers
- We do not transfer data to countries without adequate data protection levels unless necessary and with proper safeguards
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights:
- We will notify affected users within 72 hours of discovering the breach
- Notification will include: nature of the breach, data affected, potential consequences, and remedial actions
- We will notify relevant data protection authorities as required by law
- We will take immediate steps to contain the breach and prevent further unauthorized access
- A full incident report will be provided to affected users
To report a security concern, email security@iosnack.com
11. Children's Privacy
Our platform is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information promptly.
Exception: The LMS module may be used to manage student information if you are an educational institution. In such cases, you (as the data controller) are responsible for obtaining appropriate consent from parents/guardians as required by local laws.
12. Compliance and Certifications
12.1 GDPR Compliance
Our platform is designed to help you comply with GDPR requirements. We provide tools for data export, deletion, and consent management. As a data processor, we comply with GDPR Article 28 requirements.
12.2 Pakistan PECA 2016
We comply with the Pakistan Prevention of Electronic Crimes Act 2016 (PECA) and related data protection regulations applicable in Pakistan.
12.3 Industry Standards
- ISO 27001 Principles: We follow information security management best practices
- OWASP Standards: Secure coding practices to prevent vulnerabilities
- PCI DSS: Payment Card Industry Data Security Standard compliance for the POS module (where applicable)
13. Third-Party Links
Our platform may contain links to third-party websites or services (e.g., YouTube for MEDIA module, payment gateways). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email or in-app notification
- For significant changes, we may require you to review and accept the updated policy
- Continued use of our services after changes constitutes acceptance of the updated policy
We maintain a version history of our privacy policy. You can request previous versions by contacting us.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer (DPO):
Email: contact@iosnack.com
Security Concerns: security@iosnack.com
Address: Civic Center, Bahria Town, Islamabad, Pakistan
Phone: +92 333 5414016
Response Time: We respond to privacy inquiries within 48 hours and resolve requests within 30 days as required by GDPR.
Our Commitment to Your Privacy
At IOSnack, privacy and security are not just compliance checkboxes—they are fundamental to how we build and operate our platform. Your trust is our most valuable asset, and we work every day to earn and maintain it.