Privacy Policy · Xtarly Cashier

Last updated: April 15, 2026

Effective date: April 15, 2026

Applies to: the Xtarly Cashier mobile app (Android com.xtarly.cashier, iOS com.xtarly.cashier).

This Policy describes the processing of personal data in Xtarly Cashier, the mobile app intended exclusively for authorized staff (cashiers, managers and supervisors) of merchants that operate a loyalty program on the Xtarly platform. If you are an end customer of a program, see the Xtarly Rewards Privacy Policy.


1. Roles

  • Program Operator (merchant), e.g. Caffenio. Acts as controller for the data of its customers processed through Xtarly Cashier.
  • Rodrigo de la Torre González (individual sole proprietor) ("Xtarly"), address Av. Vallarta 4327, Camino Real, 45040, Zapopan, Jalisco, Mexico. Acts as:
    • Processor for customer data that the cashier looks up via the app (on behalf of and for the Program Operator).
    • Controller for the data of the cashier (employee) needed to grant access and provide support.
  • Cashier / App user: a natural person employed or authorized by the Program Operator to operate the POS.

2. Personal data processed

2.1 Cashier data (Xtarly is controller)

  • Credentials: corporate email, password (hashed) or passkey.
  • Employee data: name, role (cashier, manager, admin), assigned organization and branch, schedule if applicable.
  • Local PIN: 4-digit PIN stored only on the device (shared-device mode); it is not sent to the server.
  • Biometrics (optional): fingerprint or face data is never transmitted or stored on our servers; it is validated by the device OS via expo-local-authentication.
  • Technical data: session token (JWT), push notification token, anonymous device identifier, model, OS, app version, IP and timestamps.

2.2 Program customer data (Xtarly is processor, Operator is controller)

The cashier transiently accesses customer data to operate earn and redemption transactions:

  • Name, email, phone (if captured by the Operator), avatar.
  • Points balance, stamps, tier and visible transaction history.
  • This data is shown on screen only for the time needed to complete the operation.

2.3 Data we do not collect

  • No GPS location.
  • No access to contacts, microphone, SMS or files.
  • No advertising SDKs.
  • No third-party behavioral analytics (Google Analytics, Facebook SDK).

3. Device permissions

| Permission | Purpose | Mandatory |
|---|---|---|
| Camera | Scan the customer's QR code to identify them and operate earn or redemption (react-native-vision-camera). | Functional — the app can be used with email lookup if denied. |
| Biometrics (Face ID / Touch ID / fingerprint) | Unlock the cashier's session after inactivity (default 2 minutes in background). | No |
| Notifications | Operational alerts (shift change, security alerts). | No |
| Internet | Connect to our servers. | Yes |

You can revoke any permission from device settings.


4. Purposes of processing

  1. Authenticate the cashier (password, passkey, local PIN and/or biometrics).
  2. Look up and display the customer information needed to earn points or redeem rewards.
  3. Record transactions (earn, redemption, coupon redemption) with idempotency (clientMutationId) and traceability (cashierStaffId).
  4. Offline operation: queue pending mutations in encrypted local storage (MMKV) and sync them once connectivity is restored.
  5. Prevent fraud, errors and abuse (e.g., duplicate redemptions).
  6. Meet the Operator's legal obligations (receipts, audits).
  7. Send operational push notifications to the cashier.

5. Legal basis (GDPR / EU)

  • Performance of the employment or service contract between cashier and Operator (art. 6.1.b GDPR).
  • Legal obligation for tax/accounting purposes (art. 6.1.c).
  • Legitimate interest for security and fraud prevention (art. 6.1.f).
  • Explicit consent for local biometrics (processed on-device by the OS; Xtarly does not receive the biometric template).

6. Data sharing

We do not sell data. We share it with:

  • The Program Operator (the cashier's employer) — via operation and audit dashboards.
  • Processors under DPAs:
    • Vercel Inc. — backend and web hosting.
    • Expo / Google FCM / Apple APNs — push delivery.
    • Supabase (managed PostgreSQL) — storage.
    • Resend — operational emails.
  • Competent authorities when legally required.

7. Local on-device storage

  • Session token → encrypted in expo-secure-store (iOS Keychain / Android Keystore).
  • Local PIN (if shared-device mode is enabled) → hashed in expo-secure-store.
  • Offline transaction queue → MMKV (encrypted). Contains pending operations with the scanned customer ID until synced. Purged on successful sync.
  • Selected branch / preferences → local non-sensitive storage.

On sign-out or "Wipe", everything above is deleted from the device.


8. International transfers

Some providers process data outside your country (mainly US and EU). Standard Contractual Clauses or equivalent safeguards apply.


9. Retention

  • Cashier data: for the duration of the relationship with the Operator + the legal retention period (up to 10 years in Mexico for tax/labor; 5 years in the EU).
  • Transaction records: per the Operator's accounting obligations.
  • Session / push tokens: destroyed on sign-out, uninstall or expiry.
  • Local offline queue: only until sync is confirmed.

10. Security

  • TLS 1.2+ for all traffic.
  • Password hashing with modern algorithms.
  • Tokens and PIN stored in the device secure enclave.
  • Auto-lock after inactivity (default 2 minutes in background) and unlock via biometrics/PIN.
  • Idempotency (clientMutationId) on every mutation to prevent duplicate charges or redemptions.
  • Least-privilege access for Xtarly staff.

11. Cashier rights

As a data subject you may:

  • Access, rectify, delete, restrict or object to processing.
  • Request portability.
  • Withdraw consent.
  • Lodge a complaint with the competent authority (INAI in Mexico, your EU supervisory authority).

Contact: atencion@xtarly.com. Response time: 20 business days.

For customer data accessed through the app, rights are exercised before the Program Operator (employer).


12. Cashier account deletion

The cashier account is managed by the Program Operator (your employer). To request deletion or deactivation:

  1. Contact your organization's admin/HR, or
  2. Email atencion@xtarly.com stating your organization and corporate email, or
  3. Use the form at https://www.xtarly.com/legal/delete-account-cashier.

13. Children

Xtarly Cashier is not directed at children. Only adults authorized by the Program Operator may use it.


14. Changes

We will post the new version at this same URL. For material changes, we will notify you in-app or by email at least 15 days in advance.


15. Contact

Rodrigo de la Torre González (individual sole proprietor)

Av. Vallarta 4327, Camino Real, 45040, Zapopan, Jalisco, Mexico

📧 atencion@xtarly.com

🌐 https://www.xtarly.com
