Privacy Policy

Last Updated: December 2024
Effective: December 2024

Overview

The Digital Receipt Protocol (DRP) is operated by Vero, LLC ("we", "us", "our"). This privacy policy explains how we collect, use, and protect information when merchants use DRP integrated with their point-of-sale (POS) systems.

Information We Collect

From Merchants

  • Business name and location
  • POS system account ID(s) (Square, Toast, Clover, Shopify, SpotOn, and other supported platforms)
  • Transaction metadata (amounts, timestamps, merchant IDs)
  • OAuth access tokens (stored securely, per POS system)
  • POS system type and configuration details

From Customer Transactions

  • Transaction details (items, prices, totals, taxes)
  • Payment card fingerprints (hashed, for routing only)
  • Timestamps and merchant identifiers
  • Transaction type (card-present, card-not-present, online)

We Do NOT Collect

  • Full credit card numbers or CVV codes
  • Customer names, email addresses, or phone numbers
  • Customer private encryption keys
  • Personally identifiable information (PII) about end customers

How We Use Information

Receipt Processing

We receive transaction data from your POS system via webhooks or API integrations to:

  • Encrypt receipt details with customers' public keys
  • Route encrypted receipts to customers' banking institutions
  • Store encrypted receipts (which we cannot decrypt)
  • Verify successful delivery

Service Operation

  • Maintain and improve DRP functionality across multiple POS platforms
  • Monitor system performance and uptime
  • Provide customer support to merchants
  • Develop integrations with additional POS systems
  • Comply with legal obligations

POS System Integration

We integrate with multiple POS providers including:

  • Square
  • Toast
  • Clover
  • Shopify
  • SpotOn
  • Stripe Terminal
  • And other supported platforms

Each integration operates through secure API connections established via OAuth 2.0 or equivalent authorization protocols.

Data Protection

Encryption

All receipt data is encrypted end-to-end using industry-standard RSA-2048 encryption. Only the end customer holds the private key to decrypt their receipts. We cannot and do not decrypt customer receipt data.

Storage

  • Encrypted receipts: Stored in secure cloud infrastructure (AWS/GCP)
  • Merchant data: Stored with encryption at rest and in transit
  • POS credentials: Encrypted OAuth tokens, never stored in plain text
  • Access controls: Strict internal access policies and logging
  • We cannot decrypt customer receipt data under any circumstances

Retention

  • Encrypted receipts: Retained for 90 days, then archived or deleted
  • Merchant account data: Retained while account is active
  • Logs and analytics: Retained for 30 days
  • POS OAuth tokens: Retained until merchant revokes access

Data Sharing

We share data only with:

  • Banking institutions (encrypted receipts only - we route but cannot decrypt)
  • Your chosen POS provider (for integration and webhooks)
  • Cloud service providers (AWS, Google Cloud - under strict data processing agreements)
  • As required by law (with proper legal process)

We never:

  • Sell your data to third parties
  • Use data for advertising purposes
  • Share data with marketers or data brokers
  • Decrypt customer receipt data (we cannot access private keys)
  • Share data across different merchants

Your Rights

For Merchants

You have the right to:

  • Access your account data
  • Export your transaction logs
  • Delete your account and data
  • Update account information
  • Revoke POS system integration(s)
  • Switch between POS systems without data loss

Contact: privacy@digitalreceiptprotocol.org

For End Customers

Receipt data is encrypted end-to-end and owned by you. Only you hold the private key. Contact your bank or financial institution for access to your encrypted receipts. We cannot decrypt or access your receipt contents.

POS System Integrations

Authorization and Permissions

When you connect DRP to your POS system, you grant us permission to:

  • Receive transaction notifications via webhooks
  • Access transaction details through POS APIs
  • Store OAuth tokens securely
  • Retrieve line-item details for receipts

Supported Platforms

We currently integrate with:

  • Square (via Square APIs)
  • Toast (via Toast APIs)
  • Clover (via Clover APIs)
  • Shopify (via Shopify APIs)
  • SpotOn (via SpotOn APIs)
  • Stripe Terminal (via Stripe APIs)
  • Additional platforms in development

Each integration is subject to that platform's terms of service and data handling policies.

Revoking Access

You may revoke DRP's access to any POS system at any time by:

Cookies & Tracking

We use minimal cookies for:

  • Session management and authentication
  • Basic analytics (anonymous, aggregate only)
  • Service functionality and error tracking

We do not use:

  • Advertising cookies
  • Cross-site tracking cookies
  • Third-party analytics for marketing
  • Social media tracking pixels

Children's Privacy

DRP is a business service not directed at children under 13. We do not knowingly collect data from children.

International Transfers

Data may be transferred to and stored in the United States where our servers are located. We comply with applicable data protection laws including GDPR and CCPA.

For EU/EEA merchants:

  • We use Standard Contractual Clauses for data transfers
  • Data transfers comply with GDPR Article 46
  • You have rights under GDPR (access, deletion, portability, objection)

California Privacy Rights (CCPA)

California residents have the right to:

  • Know what personal information we collect and how it's used
  • Request deletion of personal information
  • Opt-out of sale of personal information (we don't sell data)
  • Non-discrimination for exercising privacy rights

Contact: privacy@digitalreceiptprotocol.org

Security Measures

We implement industry-standard security including:

  • TLS/SSL encryption for all data transmission
  • End-to-end encryption for customer receipts (RSA-2048)
  • Regular security audits and penetration testing
  • Multi-factor authentication for internal access
  • Access controls and role-based permissions
  • Secure credential storage (encrypted OAuth tokens)
  • Monitoring, logging, and intrusion detection
  • Incident response procedures

Data Breach Notification

In the event of a data breach affecting your information, we will:

  • Notify you within 72 hours of discovery
  • Provide details about the breach and affected data
  • Describe steps we're taking to address the issue
  • Offer guidance on protecting your account
  • Comply with all applicable breach notification laws

Note: Customer receipt data is encrypted end-to-end. Even in a breach, we cannot decrypt customer receipts as we don't hold private keys.

Changes to This Policy

We may update this policy. Material changes will be notified via:

  • Email to registered merchants
  • Notice in your POS app dashboard (where applicable)
  • Prominent notice on digitalreceiptprotocol.org
  • Updated "Last Updated" date on this page

Continued use after changes constitutes acceptance.

Contact Us

For privacy questions, concerns, or to exercise your rights:

Email: privacy@digitalreceiptprotocol.org
Website: https://digitalreceiptprotocol.org

Legal Entity

DRP is operated by:

Vero, LLC

This policy complies with GDPR, CCPA, and other applicable data protection regulations. Last reviewed: December 2024

← Back to home