Privacy POLICY

1. Who We Are

Corvalis LLC is an Alabama limited liability company that operates Corvus POS, a multi-tenant software-as-a-service (SaaS) point-of-sale platform built for food trucks, restaurants, and food service businesses in the United States. This Privacy Policy explains how we collect, use, share, and protect your information when you use our platform, visit our marketing website, or interact with us.

This policy applies to merchants and their authorized staff who use Corvus POS. It does not govern how you, as a merchant, handle your own customers' data — you are responsible for your own privacy practices toward your diners and guests.

2. Information We Collect

2.1 Account & Business Information

When you sign up, we collect your business name, business type, city, owner/operator name, email address, and the URL slug you choose. If you sign in with Google, we receive your Google account name, email, and profile photo via Firebase Authentication.

2.2 Menu & Operational Data

This includes everything you create in the platform: menu items, categories, prices, descriptions, images, modification groups, custom PDFs, QR code configurations, tickets/orders, and daily sales reports.

2.3 Payment & Billing Information

Subscription payments are processed by Stripe. When you enter your card details, that data goes directly to Stripe's servers — we never see or store your full card number or CVV. We do store your Stripe Customer ID, subscription status, card brand, last four digits, and expiration date.

If you connect a Square Terminal for in-person payments, we store your Square OAuth access token (encrypted at rest). Card data from Terminal transactions is handled entirely by Square's hardware and servers — it never passes through Corvus POS.

2.4 Technical Data

Our hosting provider (Railway.app) automatically logs your IP address, browser type, operating system, and timestamps as part of standard server operations. We do not use analytics cookies, advertising trackers, or browser fingerprinting.

2.5 Google Fonts

Our website loads fonts from Google's servers. When this happens, Google receives your IP address and browser user-agent. This is a standard web technology; see Google's Privacy Policy for details.

3. How We Use Your Information

• Providing, operating, and maintaining the Corvus POS platform
• Creating and managing your account and authentication
• Processing subscription payments through Stripe
• Facilitating Square Terminal connections and logging transactions
• Generating your daily sales reports and operational data
• Sending transactional emails (account confirmation, password resets, billing receipts, trial expiration notices)
• Responding to your support requests
• Detecting and preventing fraud, abuse, and security incidents
• Complying with legal obligations (including the Alabama Data Breach Notification Act, tax recordkeeping, and court orders)
• Enforcing our Terms of Service

We do not sell your data, use it for advertising, or train AI models with it.

4. How We Share Your Information

4.1 Service Providers

We share data only with the third-party services required to operate the platform:

4.2 Legal Disclosures

We may disclose your information when required by valid legal process (subpoena, court order, or warrant). We will notify you of compelled disclosures to the extent permitted by law. Under the Alabama Data Breach Notification Act, if a breach affecting sensitive personal information is discovered, we will notify affected individuals within 45 days.

4.3 Business Transfers

If Corvalis LLC is involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity. You will be notified by email and/or prominent notice on the platform.

4.4 What We Never Do

• We do not sell your personal information to anyone
• We do not share data with advertisers or ad networks
• We do not use your business data to train AI models
• We do not disclose your information to other Corvus POS merchants

5. Data Retention

• Account & operational data: Retained while your subscription is active, plus 90 days after cancellation to allow data export.
• Post-cancellation: After the 90-day window, data is deleted from production systems. It may persist in encrypted backups for up to an additional 90 days before backup rotation.
• Billing records: Retained for 7 years for tax and accounting compliance, even after account deletion.
• Server logs: Retained for 30 days on Railway infrastructure.
• Support correspondence: Retained for 2 years.
• Free trial data: If you don't subscribe, your data is retained for 30 days after trial expiration, then deleted.

6. Data Security

• All data in transit is encrypted with TLS 1.2 or higher (HTTPS enforced).
• Data at rest is encrypted on Railway/Google Cloud infrastructure.
• Firebase security rules restrict access to authenticated account holders.
• Stripe.js handles payment forms directly, so card data never passes through our servers.
• Square OAuth tokens are stored encrypted and never exposed in client-side code.
• Passwords are hashed using Firebase Auth's secure hashing system — we never have access to plaintext passwords.
• Access to production systems is restricted to authorized Corvalis LLC personnel.

No system is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security against all threats.

7. Your Rights & Choices

7.1 Access & Export

You can access all your data through the Corvus POS admin dashboard at any time. You can export your menu data, ticket history, and reports from within the platform. For a structured export of all personal information we hold about you, email [email protected].

7.2 Correction

You can update your business name, contact information, and account email in the admin settings. For anything you can't edit yourself, contact support.

7.3 Deletion

You can delete your account through the admin settings or by contacting support. Active account data is deleted within 30 days. Billing records are retained per Section 5. Deleting your account cancels your subscription but does not trigger a refund (see our Refund Policy).

7.4 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how we use it (see Sections 2–4).
• Delete your personal information — submit requests to [email protected]. We will respond within 45 days.
• Correct inaccurate personal information.
• Opt out of sale: We do not sell personal information, so no opt-out is required.
• Non-discrimination: Exercising your privacy rights will not affect your service or pricing.

7.5 Do Not Track

Corvus POS does not use tracking cookies and does not respond to Do Not Track browser signals, as there is no standardized protocol.

8. Children's Privacy

Corvus POS is a business tool for adults operating food service businesses. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted information to us, contact [email protected] for immediate deletion.

9. Third-Party Links

The platform may contain links to third-party websites (e.g., Square documentation, Stripe billing portal). We are not responsible for the privacy practices of those third parties. Connecting a Square Terminal means your data is also governed by Square's Privacy Policy.

10. Changes to This Policy

We may update this policy from time to time. The updated version will be posted at this URL with a new "Last Updated" date. For material changes (new data categories, new third-party sharing, new uses), we will send email notice at least 30 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance.

11. Contact Us

For privacy questions, data requests, or concerns:

• Email: [email protected]
• Entity: Corvalis LLC, Alabama, United States