Data transparency

Data compliance & security

A plain-language view of how Puffer handles business and personal data, the providers that help operate the service, and the controls used to protect it.

Last updated: June 20, 2026

Our commitment

Puffer processes data to provide its point-of-sale, inventory, analytics, and business-management features. We do not sell, rent, or trade personal or business data, and we do not use customer business records for targeted advertising.

Your data remains yours. Our providers receive data only when needed to host, secure, support, measure, or communicate about the Puffer service.

This page explains our current practices. It does not claim that Puffer itself is certified under ISO, SOC, GDPR, Egypt's Personal Data Protection Law, or another certification or legal framework.

Data we process

Account data

Names, email addresses, phone numbers, organization membership, roles, authentication tokens, and subscription details.

Business operations

Orders, products, prices, inventory, expenses, staff records, customer records, tables, and analytics generated for your organization.

Uploaded content

Product images, organization logos, and other files that you choose to upload.

Technical data

IP address, browser and device information, request logs, security events, product interactions, and diagnostic information.

Google Cloud and Firebase

Puffer uses Firebase services running on Google Cloud for core application functionality. This means data is shared with and processed by Google when necessary to provide the following services:

  • Firebase Authentication and Google Sign-In for identity and account security
  • Cloud Firestore for organization, order, inventory, customer, and analytics data
  • Cloud Storage for uploaded images and files
  • Security, abuse prevention, availability, backups, and service diagnostics

For these services, Puffer determines why customer data is processed, while Google generally acts as a data processor or service provider under its applicable Firebase and Google Cloud terms. Data may be processed in countries where Google or its subprocessors operate, subject to Google's contractual safeguards.

Read Google's current Firebase privacy and security information.

Service providers

Puffer service providers and data processing purposes
ProviderPurposeData involved
Google / FirebaseAuthentication, Firestore database, Cloud Storage, and Google Sign-In.Account identifiers, business records, uploaded files, IP addresses, device and authentication metadata.
VercelApplication hosting, content delivery, deployment, and operational logs.Requests, IP addresses, browser and device metadata, and error logs.
PostHogProduct analytics, page views, feature usage, and privacy-masked session replay.Account or organization identifiers when signed in, device metadata, and interaction events. Form inputs are masked in replay.
ResendTransactional email such as invitations, account messages, and trial reminders.Recipient name, email address, message content, and delivery metadata.

Security controls

Encryption

Data is encrypted in transit. Google-managed Firebase services provide encryption at rest for stored service data.

Access control

Authentication, role-based permissions, and Firestore Security Rules restrict access to authorized users and organizations.

Tenant isolation

Organization identifiers and security rules keep one organization's records separate from another organization's records.

Monitoring and minimization

Operational logs support security and reliability, while analytics session replay masks form input values to reduce collection of sensitive content.

Retention and deletion

We retain account and business data while an account is active. Following account or organization closure, business data is scheduled for deletion within 90 days, unless a longer period is required for legal, accounting, fraud-prevention, or security purposes. Provider backups may take additional time to cycle out under the provider's documented retention process.

Transactional email logs, security logs, and analytics records may use different retention periods based on operational need and provider configuration. Puffer reviews these records and limits retention to what is reasonably necessary.

Your rights and choices

Depending on applicable law, you may request access, correction, deletion, restriction, objection, or a portable copy of personal data associated with you. Organization owners may also request an export or deletion of organization data, subject to identity verification and legal retention obligations.

Send requests to privacy@pufferpos.com. We may ask for information needed to verify your identity and authority over the account.

Incident response

Puffer investigates suspected unauthorized access, contains affected systems, reviews relevant logs, works with service providers, and restores secure operation. If an incident creates a legal notification obligation, we will notify affected customers or authorities as required by applicable law.

Security and privacy contact

privacy@pufferpos.com

Stop guessing.
Start seeing everything.

Start a 14-day free trial today. Set up in 5 minutes, get real-time insights from the first order, and pay only when you're convinced.

14-day free trial · No credit card required · Cancel anytime