Privacy Policy
Last updated: April 2025
1. About Us
TillTalk (trading as TillTalk) is a data analytics service for the hospitality industry, operated from Ireland. We act as the data controller for the personal data described in this policy.
Data Controller: TillTalk
Contact: privacy@tilltalk.ie
Country: Republic of Ireland
2. What Data We Collect and Why
Account Data
- Full name and email address — to identify your account and contact you
- Business name — to personalise your experience
- Phone/WhatsApp number — to deliver the TillTalk service via WhatsApp
- POS API credentials (AES-256 encrypted) — to connect to your point-of-sale system
Usage Data
- Query counts and report requests — to enforce plan limits and improve the service
- Aggregated sales totals retrieved from your POS — processed in memory only, not stored individually
Payment Data
- Stripe customer ID and subscription ID — to manage your subscription. Card details are held exclusively by Stripe.
Cookie Data
- Essential session cookies — required for authentication and keeping you logged in
- Cookie consent flag — stored in localStorage to remember your cookie preference
3. Legal Basis for Processing
- Contract performance (Article 6(1)(b) GDPR) — processing your account data and POS credentials is necessary to provide the TillTalk service you have signed up for.
- Legitimate interest (Article 6(1)(f) GDPR) — usage analytics to improve service quality and prevent abuse.
- Legal obligation (Article 6(1)(c) GDPR) — retention of billing records as required by Irish tax law.
- Consent (Article 6(1)(a) GDPR) — for any optional marketing communications, where applicable.
4. Data Retention
- Account data — retained for the duration of your subscription plus 90 days after cancellation, unless you request earlier deletion.
- Billing records — retained for 7 years as required by Irish Revenue legislation.
- Usage logs — retained for 90 days, then permanently deleted.
- POS credentials — deleted immediately upon account closure or on request.
5. Third-Party Processors
We use the following sub-processors to deliver our service. Each is GDPR-compliant and subject to appropriate data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication hosting | EU (Ireland) |
| Stripe | Payment processing | EU / USA (Standard Contractual Clauses) |
| Twilio / WhatsApp | WhatsApp message delivery | USA (Standard Contractual Clauses) |
| Anthropic | AI-powered query processing | USA (Standard Contractual Clauses) |
| SendGrid | Transactional email delivery | USA (Standard Contractual Clauses) |
| Railway | Application infrastructure | EU |
6. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access — you may request a copy of all personal data we hold about you.
- Right to rectification — you may correct inaccurate data through your dashboard or by emailing us.
- Right to erasure — you may request deletion of your data. We will comply within 30 days, subject to legal retention obligations.
- Right to data portability — you may request your data in a machine-readable format (JSON/CSV).
- Right to object — you may object to processing based on legitimate interest.
- Right to restrict processing — you may request that we limit how we use your data in certain circumstances.
To exercise any of these rights, email privacy@tilltalk.ie. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission (Ireland).
7. Cookie Policy
TillTalk uses essential cookies only. These are strictly necessary for the website to function and cannot be disabled without breaking core functionality. We do not use tracking, advertising, analytics, or any third-party cookies.
Essential cookies include: authentication session tokens and CSRF protection tokens. These are deleted when you sign out or when they expire naturally.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- AES-256 encryption of POS API credentials at rest
- TLS encryption for all data in transit
- Row-level security on all database tables
- Principle of least privilege for all internal access
- Regular security reviews
9. Children's Privacy
TillTalk is a business service and is not directed at anyone under 18 years of age. We do not knowingly collect personal data from minors.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email and by posting a notice on our website. The date of the latest update appears at the top of this page.
11. Contact
For any questions, data requests, or complaints regarding this privacy policy:
Email: privacy@tilltalk.ie
General enquiries: hello@tilltalk.ie