# Privacy Policy

_Last updated: May 17, 2026_

## What we collect
- **Account data**: email, business name, contact info, logo.
- **Operational data**: shows, booths, inventory, sales, refunds.
- **Location data**: device GPS while signed in, used only for geofence enforcement and booth setup. Coordinates are stored only for your own booths.
- **Payment data**: handled by Stripe. We store payment intent IDs and amounts, never full card numbers.
- **Usage logs**: sign-in events, IP, user-agent, audit events.

## How we use it
- To operate the Service and your vendor account.
- To prevent fraud, enforce geofencing, and meet legal/tax obligations.
- To send transactional email (receipts, password reset, security alerts).

## Sharing
- **Stripe** for payment processing.
- **Supabase** as our backend infrastructure provider.
- We do not sell your data.

## Your rights
You can request export or deletion of your account data from Settings (or by emailing us). Deleting your account removes business data within 30 days, except records we must retain for tax or fraud-prevention purposes.

## Security
We use TLS in transit, encrypted storage at rest, row-level access controls, and offer leaked-password protection and (optionally) two-factor authentication.

## Contact
Questions? Reach us at privacy@rapidretailz.example.