Data compliance & security
A plain-language view of how Puffer handles business and personal data, the providers that help operate the service, and the controls used to protect it.
Last updated: June 20, 2026
Our commitment
Puffer processes data to provide its point-of-sale, inventory, analytics, and business-management features. We do not sell, rent, or trade personal or business data, and we do not use customer business records for targeted advertising.
This page explains our current practices. It does not claim that Puffer itself is certified under ISO, SOC, GDPR, Egypt's Personal Data Protection Law, or another certification or legal framework.
Data we process
Account data
Names, email addresses, phone numbers, organization membership, roles, authentication tokens, and subscription details.
Business operations
Orders, products, prices, inventory, expenses, staff records, customer records, tables, and analytics generated for your organization.
Uploaded content
Product images, organization logos, and other files that you choose to upload.
Technical data
IP address, browser and device information, request logs, security events, product interactions, and diagnostic information.
Google Cloud and Firebase
Puffer uses Firebase services running on Google Cloud for core application functionality. This means data is shared with and processed by Google when necessary to provide the following services:
- Firebase Authentication and Google Sign-In for identity and account security
- Cloud Firestore for organization, order, inventory, customer, and analytics data
- Cloud Storage for uploaded images and files
- Security, abuse prevention, availability, backups, and service diagnostics
For these services, Puffer determines why customer data is processed, while Google generally acts as a data processor or service provider under its applicable Firebase and Google Cloud terms. Data may be processed in countries where Google or its subprocessors operate, subject to Google's contractual safeguards.
Read Google's current Firebase privacy and security information.
Service providers
| Provider | Purpose | Data involved |
|---|---|---|
| Google / Firebase | Authentication, Firestore database, Cloud Storage, and Google Sign-In. | Account identifiers, business records, uploaded files, IP addresses, device and authentication metadata. |
| Vercel | Application hosting, content delivery, deployment, and operational logs. | Requests, IP addresses, browser and device metadata, and error logs. |
| PostHog | Product analytics, page views, feature usage, and privacy-masked session replay. | Account or organization identifiers when signed in, device metadata, and interaction events. Form inputs are masked in replay. |
| Resend | Transactional email such as invitations, account messages, and trial reminders. | Recipient name, email address, message content, and delivery metadata. |
Security controls
Encryption
Data is encrypted in transit. Google-managed Firebase services provide encryption at rest for stored service data.
Access control
Authentication, role-based permissions, and Firestore Security Rules restrict access to authorized users and organizations.
Tenant isolation
Organization identifiers and security rules keep one organization's records separate from another organization's records.
Monitoring and minimization
Operational logs support security and reliability, while analytics session replay masks form input values to reduce collection of sensitive content.
Retention and deletion
We retain account and business data while an account is active. Following account or organization closure, business data is scheduled for deletion within 90 days, unless a longer period is required for legal, accounting, fraud-prevention, or security purposes. Provider backups may take additional time to cycle out under the provider's documented retention process.
Transactional email logs, security logs, and analytics records may use different retention periods based on operational need and provider configuration. Puffer reviews these records and limits retention to what is reasonably necessary.
Your rights and choices
Depending on applicable law, you may request access, correction, deletion, restriction, objection, or a portable copy of personal data associated with you. Organization owners may also request an export or deletion of organization data, subject to identity verification and legal retention obligations.
Send requests to privacy@pufferpos.com. We may ask for information needed to verify your identity and authority over the account.
Incident response
Puffer investigates suspected unauthorized access, contains affected systems, reviews relevant logs, works with service providers, and restores secure operation. If an incident creates a legal notification obligation, we will notify affected customers or authorities as required by applicable law.
Security and privacy contact
privacy@pufferpos.com