apps.lu POS — Privacy Policy
Privacy policy for the apps.lu POS application (Android package lu.apps.pos).
Last updated: 18 June 2026
1. About this policy
apps.lu POS is a point-of-sale (till) application used by retail businesses to process sales at the counter. It is operated by retail staff (cashiers) and is not a consumer application.
This policy explains what personal data the application handles, why, and the rights of the people whose data is involved — namely (a) the cashiers and staff who use the till, and (b) the customers of the retail business whose details may be recorded as part of a sale.
The application is developed and provided by apps.lu (“we”, “the software provider”). The application is configured and operated by the retail business that uses it (“the merchant”). For the purposes of the EU General Data Protection Regulation (GDPR), the merchant is the data controller and apps.lu acts as a data processor on the merchant’s behalf. If you are a cashier or a customer and wish to exercise your rights, please contact the merchant operating the till; you may also contact us at the address in section 11.
2. Data controller and contact
The data controller is the merchant operating the point of sale. For questions about this application or about data processing carried out by the software, you can also contact the software provider’s data protection contact:
apps.lu — Data Protection
Email: privacy@apps.lu
3. Data we collect and process
The application processes the following categories of data and transmits them to its backend over an encrypted HTTPS connection:
3.1 Cashier and staff data
• Cashier name, role, and assigned shop.
• A 4-digit access PIN. The PIN is never stored or transmitted in plain text: it is hashed (bcrypt) and held in encrypted form on the device only.
• A session token issued by the backend to keep the cashier signed in.
3.2 Device / terminal data
• A stable device or terminal identifier (terminal GUID / Android ID) used to identify the till and bind it to the merchant’s account.
3.3 Customer data (only when a customer is attached to a sale)
• Name, email address, phone number, and postal address.
• Loyalty card number, loyalty points and tier, and purchase history.
3.4 Transaction and financial data
• Sale line items, totals, taxes, and discounts.
• Payment method, amount tendered, and change given.
• For card payments: an acquirer/transaction reference, card brand, authorization code, and optionally the last four digits of the card. Full card numbers are handled directly by the payment terminal and are never seen or stored by the application.
3.5 Cash management data
• Cash counts, deposits, withdrawals, and tips recorded at the till.
3.6 Crash and diagnostic data
• Technical crash and diagnostic reports, collected via the error-monitoring service BugSnag, keyed to the terminal identifier so that faults can be diagnosed and fixed. These reports are technical in nature and are not used to profile individuals.
4. Purposes and legal basis
We process the data above for the following purposes, on the legal bases indicated under the GDPR:
• Operating the till and completing sales (recording transactions, taking payment, issuing receipts) — performance of a contract and the legitimate interests of the merchant in running its business (Art. 6(1)(b) and (f) GDPR).
• Authenticating cashiers and securing access (PIN, session token, device identifier) — legitimate interests in securing the system and preventing unauthorised use (Art. 6(1)(f) GDPR).
• Loyalty programme and customer records (points, tier, purchase history) — performance of a contract with the customer, and/or the customer’s consent where required (Art. 6(1)(b) and (a) GDPR).
• Accounting, tax, and legal record-keeping (transaction and cash records) — compliance with a legal obligation (Art. 6(1)(c) GDPR).
• Diagnosing faults and improving reliability (crash and diagnostic reports) — legitimate interests in keeping the software stable and secure (Art. 6(1)(f) GDPR).
5. How the data is protected
• Secrets on the device (such as the hashed PIN and the session token) are stored encrypted at rest using AES-256 (Android EncryptedSharedPreferences).
• All communication between the application and its backend takes place over encrypted HTTPS connections.
• Access to the till requires cashier authentication.
• Full payment card numbers never reach the application; card data is handled by the dedicated payment terminal.
6. Data sharing
The application does not display advertising and does not sell personal data. Data is shared only with the parties needed to operate the service:
• Payment providers and card acquirers, to authorise and settle card payments.
• Hosting and IT service providers, who host the backend and supporting infrastructure on the merchant’s behalf.
• The error-monitoring provider (BugSnag), which receives technical crash and diagnostic data.
These providers act as processors or independent controllers under appropriate agreements and process data only as needed to provide their service. Data may be processed within the European Economic Area; where any transfer outside the EEA occurs, it is covered by appropriate safeguards as required by the GDPR.
7. Data retention
Personal data is retained only for as long as necessary for the purposes described above, or for as long as required by applicable law (for example, accounting and tax rules require transaction records to be kept for a defined period). Crash and diagnostic data is retained only for as long as needed to investigate and resolve faults. The merchant, as controller, determines the applicable retention periods for its records.
8. Your rights
Subject to the conditions set out in the GDPR, individuals whose data is processed have the right to:
• access their personal data;
• request rectification of inaccurate data;
• request erasure of their data;
• request restriction of processing;
• object to processing;
• data portability;
• withdraw consent at any time, where processing is based on consent (without affecting processing carried out before withdrawal).
To exercise these rights, please contact the merchant operating the till, or the software provider at privacy@apps.lu. You also have the right to lodge a complaint with a data protection supervisory authority — in Luxembourg, the Commission nationale pour la protection des données (CNPD), https://cnpd.public.lu.
9. Children
apps.lu POS is a professional tool for retail staff. It is not directed at children and is not intended to be used by children.
10. Changes to this policy
We may update this privacy policy from time to time, for example to reflect changes in the application or in legal requirements. The current version is always the one published at this address, and the date at the top of the page indicates when it was last revised.
11. Contact
For any questions about this policy or about how the application handles personal data, contact:
apps.lu — Data Protection
Email: privacy@apps.lu