Privacy Policy

1. Introduction

Band Merch POS ("we", "our", or "us") is a point of sale application designed for musicians and bands to track merchandise sales during tours. This Privacy Policy explains how we collect, use, and protect your information when you use our application.

2. Information We Collect

2.1 Authentication Information

When you sign in with Google OAuth, we collect:

• Your email address
• Your name
• Your Google profile picture
• OAuth access and refresh tokens

2.2 Sales and Product Data

We store the following data related to your merchandise sales:

• Product names, sizes, and prices
• Sales transactions (date, time, amount, payment method)
• Inventory quantities
• Custom payment method settings
• Application preferences (theme, settings)

2.3 Technical Information

• Browser type and version
• Device type (for optimizing the interface)
• Session information for maintaining your login state

3. How We Use Your Information

We use your information to:

• Authenticate your account: Verify your identity and provide secure access to the application
• Sync sales data: Store your sales transactions in your own Google Sheets spreadsheet
• Enable offline functionality: Store data locally on your device for offline access
• Provide analytics: Display sales insights and revenue tracking
• Manage inventory: Track product availability and sales

4. Data Storage

4.1 Local Storage (Your Device)

We use IndexedDB (a browser database) to store sales data locally on your device. This enables offline functionality. You can clear this data at any time by clearing your browser data or reinstalling the app.

4.2 Google Sheets

Your sales data is synced to your own Google Sheets spreadsheet in your Google Drive. We do not store your sales data on our servers. The data remains in your Google account, under your control.

4.3 Session Storage

Authentication tokens are stored securely in your browser session and are encrypted using Supabase Auth security standards.

5. Google API Services - Scopes & Usage

Our application uses Google APIs with the following scopes:

5.1 Google Sheets API (spreadsheets scope)

Why we need it: To read and write sales transaction data to your Google Sheets spreadsheet.

What we do with it:

• Create a sales tracking spreadsheet in your Google Drive
• Write sales transactions as they occur
• Read product inventory from your spreadsheet
• Update sales analytics and summaries

What we DON'T do: We do not access any spreadsheets other than the one created by our app for sales tracking. We do not read, modify, or delete your other spreadsheets.

5.2 Google Drive API (drive.file scope)

Why we need it: To create and access the sales tracking spreadsheet in your Google Drive.

What we do with it:

• Create the initial sales tracking spreadsheet
• Access only files created by our application
• Enable offline synchronization

What we DON'T do: The drive.file scope is limited to files created by our app. We cannot see, access, or modify any other files in your Google Drive.

6. Data Sharing

We do not sell, rent, or share your personal information with third parties.

Your data is shared only in the following limited circumstances:

• Google Services: Your sales data is synced to your own Google Sheets. This is the core functionality of the app.
• Hosting Provider (Vercel): Our application is hosted on Vercel, which may have access to technical logs and metadata for infrastructure purposes.
• Legal Requirements: We may disclose information if required by law or to protect our rights.

7. Your Rights

You have the following rights regarding your data:

• Access: Your sales data is stored in your own Google Sheets, which you can access at any time.
• Deletion: You can delete your Google Sheet to remove all sales data. You can also revoke our app's access in your Google Account settings.
• Export: You can export your data directly from your Google Sheets at any time.
• Revoke Access: You can revoke Band Merch POS's access to your Google account at any time via Google Account Permissions.

8. Data Security

We implement security measures including:

• Encrypted OAuth tokens using Supabase Auth
• HTTPS encryption for all data transmission
• Secure browser storage using IndexedDB
• Regular security updates and dependency management
• Limited API scopes (minimal necessary permissions)

9. Data Retention

Local Data: Sales data stored locally on your device remains until you clear your browser data or uninstall the app.

Google Sheets Data: Your sales data in Google Sheets remains in your Google account indefinitely unless you delete it.

Authentication Tokens: OAuth tokens are stored for the duration of your session and refreshed as needed. They expire automatically based on Google's token expiration policies.

10. Children's Privacy

Band Merch POS is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13.

11. International Users

This application is hosted in the United States. If you are accessing the application from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when this policy was last revised. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us: