Privacy Policy
How FinOpenPOS handles your data
Last updated: March 10, 2026
This Privacy Policy describes how FinOpenPOS ("we", "us", "our") collects, uses, and protects your personal data when you use the FinOpenPOS demo application hosted at fin-open-pos.johnenrique.tech (the "Service"). This policy complies with the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018) and the European General Data Protection Regulation (GDPR — Regulation EU 2016/679).
1. Data Controller
FinOpenPOS Community Open-source project maintained at github.com/JoaoHenriqueBarbosa/FinOpenPOS
For data protection inquiries, please open an issue on our GitHub repository or contact us through the channels listed there.
2. Data We Collect
2.1 Account Data
- Email address — used for authentication
- Password — stored as a salted hash, never in plain text
2.2 Business Data
Data you voluntarily enter while using the POS system:
- Products (name, price, category, tax codes)
- Customers (name, CPF/CNPJ, address, contact information)
- Orders and transactions
- Fiscal documents (NF-e/NFC-e data)
- Payment methods and records
2.3 Technical Data
- Session cookies — essential cookies required for authentication and session management
- Server logs — standard web server access logs (IP address, user agent, timestamps)
2.4 Data We Do NOT Collect
- No analytics or tracking cookies
- No third-party advertising cookies
- No behavioral profiling
- No cross-site tracking
- No location data beyond what you voluntarily provide in business records
3. Purpose and Legal Basis
| Purpose | Legal Basis (LGPD Art. 7) | GDPR Basis |
|---|---|---|
| Account creation and authentication | Consent (Art. 7, I) | Consent (Art. 6(1)(a)) |
| Providing the POS demo service | Performance of contract (Art. 7, V) | Performance of contract (Art. 6(1)(b)) |
| Session management via cookies | Legitimate interest (Art. 7, IX) | Legitimate interest (Art. 6(1)(f)) |
| Server security and abuse prevention | Legitimate interest (Art. 7, IX) | Legitimate interest (Art. 6(1)(f)) |
4. Data Storage and Security
- Storage: All application data is stored in PGLite, an embedded PostgreSQL database running via WebAssembly on the server.
- Encryption: Passwords are cryptographically hashed. All traffic is encrypted via HTTPS/TLS.
- Access: Only the application processes access your data. No manual access occurs unless required for critical maintenance or security incidents.
- Infrastructure: The Service runs on secure cloud infrastructure with standard industry protections.
5. Data Retention
- Account and business data is retained for as long as your account exists.
- Demo notice: This is a demonstration environment. Data may be reset periodically without prior notice as part of maintenance or updates.
- Server logs are retained for up to 90 days and then automatically deleted.
- Upon account deletion, all associated personal data is removed within 30 days.
6. Your Rights
Under the LGPD (Art. 18) and GDPR, you have the following rights:
- Right of access — Request a copy of your personal data
- Right to correction — Request correction of inaccurate or incomplete data
- Right to deletion — Request deletion of your personal data
- Right to portability — Receive your data in a structured, machine-readable format
- Right to information — Know which entities your data has been shared with
- Right to revoke consent — Withdraw your consent at any time
- Right to object — Object to data processing based on legitimate interest
- Right to review automated decisions — Request human review of decisions made solely by automated means
To exercise any of these rights, please open an issue on our GitHub repository or contact us through the channels listed there. We will respond within 15 days as required by the LGPD.
7. Cookies
The Service uses essential cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your authenticated session | Browser session / 30 days |
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. No consent is required for essential cookies under both LGPD and GDPR, but we inform you of their use for transparency.
8. Third-Party Sharing
We do not sell, rent, or share your personal data with third parties for commercial purposes.
Data may be shared only in the following circumstances:
- Legal obligation: When required by law, court order, or regulatory authority
- SEFAZ communication: If you use the fiscal module, invoice data is transmitted to the Brazilian tax authority (SEFAZ) as required by law — this is a legal obligation, not a commercial sharing
9. International Transfers
The Service is hosted in Brazil. If you access it from outside Brazil, your data will be transferred to and processed in Brazil. Brazil has been recognized by the European Commission as providing an adequate level of data protection.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.
11. Open Source Transparency
FinOpenPOS is open-source software licensed under the MIT License. The complete source code, including all data handling logic, is publicly available for inspection at our GitHub repository.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will make reasonable efforts to notify users through the Service interface.
13. Contact
For any questions or concerns about this Privacy Policy or our data practices, please reach out through our GitHub repository.