Privacy Policy
Introduction
TillPal is two things. First, a free Point-of-Sale (POS) app that local shop owners use to manage inventory and sales. Second, a local marketplace at shop.tillpal.app where customers browse products from verified local stores, place orders, and get them delivered.
This Privacy Policy explains how TillPal ("we", "our", or "us") collects, uses, shares, and protects your personal information when you use our Services. It applies to merchants who use the POS, customers who shop on the marketplace, and anyone who visits our websites or apps.
For clarity, the following definitions apply throughout this policy:
- “Personal Data” means any information that identifies or can be used to identify an individual.
- “Services” refers to TillPal's POS app, the marketplace at shop.tillpal.app, our websites, and all related features.
- “Merchants” are shop owners who use the POS and may apply to be listed on the marketplace.
- “Customers” are people who shop on the marketplace, place orders, and receive deliveries.
- “You” refers to any merchant, customer, or visitor who accesses or uses our Services.
Data We Collect
Data You Provide
When you use TillPal, you may provide us with the following information:
- Account Information: Name, email address, phone number, business name, and authentication credentials.
- Business Information: Shop/branch details, location, operating hours, tax information, and business category.
- Transaction Data: Sales records, inventory information, product details, pricing, customer receipts, and payment information (processed through third-party providers).
- Support Communications: Messages, feedback, and correspondence you send to our support team.
Marketplace Customer Data
When you shop on the TillPal marketplace, we collect the following:
- Checkout Details: Name, phone number, and delivery address you provide when placing an order.
- Order History: Records of orders you place and the items you purchase.
- Payment Confirmation: Payment status and transaction identifiers from our payment processor. TillPal does not receive or store full card details.
- Device and Usage Data: Device type, browser, and usage information collected when you use the marketplace web app.
Automatically Collected Data
When you use our Services, we automatically collect certain information:
- Device Information: Device type, operating system, browser type, screen resolution, and unique device identifiers.
- Usage Data: App version, features used, session duration, interaction patterns, and error logs.
- Diagnostic Data: Crash reports, performance metrics, and technical logs that help us improve service reliability.
- Analytics Data: Aggregated usage patterns, feature adoption rates, and general service performance metrics.
Local-First Data Storage
TillPal uses a local-first architecture, meaning most of your data is stored directly on your device to enable offline functionality. This data includes:
- Product catalog and inventory information.
- Transaction records and sales history.
- Customer information and preferences.
- App settings and configurations.
When your device is online, this data syncs with our secure cloud servers to enable multi-device access and backup. You maintain control over your local data and can clear it through app settings or by uninstalling the application.
Data from Third-Party Sources
TillPal may receive limited personal or technical information from trusted service providers that help us operate our platform securely and efficiently. These include:
- Authentication Providers (e.g., Google or Apple): When you sign in using a social login, we receive basic account information such as your name, email address, profile image, and a unique provider-specific user ID. We do not have access to your password or any other data from your provider account.
- Payment Processors: If you complete marketplace payments, we receive confirmation of payment status, transaction identifiers, and the last four digits of your payment method (where applicable) for record-keeping and fraud prevention. Full card details are never stored or seen by TillPal.
- Cloud Storage Services: Cloud storage and content delivery services (such as AWS). We use these to host and serve user-uploaded media like product images, receipts, or profile pictures. The service may log access events for performance and security monitoring.
- Crash Reporting and Analytics Services: Tools like Sentry, PostHog, or similar may collect anonymized technical data such as device type, operating system, app version, error logs, and usage metrics to help us detect bugs, measure feature adoption, and improve stability.
- Communication Services: Email or notification providers may receive message status and engagement data (for example, whether an onboarding email was opened) to ensure important account information reaches you.
Sensitive Data
TillPal does not intentionally collect or request any special categories of personal data, such as information about your race, ethnicity, religious beliefs, health, or biometric identifiers, unless such data is explicitly provided by you for a specific purpose. By voluntarily providing this information, you consent to its processing as described in this Privacy Policy and only for the relevant purpose.
How We Use Your Data
We use your information for the following purposes:
- Service Operation: To operate, maintain, and improve TillPal's core services, including point-of-sale transactions, inventory management, reporting, and analytics. This includes syncing your local data securely with our cloud infrastructure.
- Marketplace Orders: To process and fulfil marketplace orders placed by customers.
- Delivery: To arrange and carry out deliveries through TillPal's own operatives so orders reach customers.
- Order Status Updates: To communicate order status updates to customers by notification, SMS, or email.
- Order Support and Disputes: To resolve disputes and handle support requests related to marketplace orders.
- Customer Support: To respond to inquiries, troubleshoot technical issues, and provide assistance through our help channels.
- Personalization: To tailor your dashboard experience, display relevant metrics, and suggest features or actions based on how you use TillPal.
- Analytics & Improvement: To understand how TillPal is used, identify usage trends, and improve performance, stability, and usability across devices and regions.
- Security & Fraud Prevention: To detect, prevent, and investigate suspicious activity, unauthorized access, or other security incidents, ensuring the safety of your account and data.
- Legal Compliance: To comply with applicable laws, regulations, and legal obligations, including responding to lawful requests from public authorities.
- Communications: To send important service updates, account notices, and security alerts. With your consent, we may also send educational content or limited promotional messages.
Offline & Sync Behavior
- All data is stored locally on your device and remains fully functional.
- Transactions and changes are queued for synchronization.
- When your device reconnects, changes are securely synced with our servers.
- Conflict resolution ensures data consistency across devices.
Legal Bases for Processing
TillPal is a Nigerian company primarily serving users in Nigeria. We process personal data in accordance with the Nigeria Data Protection Regulation (NDPR). If you are in Nigeria, you have rights under the NDPR, including the right to request access to, correction of, or deletion of your personal data. Contact us to exercise these rights.
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:
- Contract: We process your personal data when it is necessary to deliver the Services you have requested or to take steps at your request before entering into a contract.
- Legitimate Interests: We process data for our legitimate business purposes, such as improving TillPal's functionality, maintaining security, preventing fraud, and analyzing usage patterns, provided these interests are not overridden by your rights and freedoms.
- Consent: Where you have given clear consent, for example to receive marketing messages or participate in optional features, we process your data based on that consent. You can withdraw it at any time.
- Legal Obligations: We may process personal data where required to comply with legal duties, such as tax reporting or responding to lawful requests from public authorities.
Data Sharing & Processors
We do not sell your personal data to third parties.
We do not sell personal data. We share information only with trusted service providers that help us operate TillPal, under data processing agreements and appropriate safeguards. We disclose the minimum data necessary for each purpose.
- Cloud Infrastructure: Hosting and database providers (e.g., AWS, Google Cloud, Supabase) that securely store and process data.
- File Storage & CDN: Media storage and serving (e.g., Cloudinary or Supabase Storage) for product images, receipts, and other uploads.
- Analytics & Monitoring: Diagnostics, crash reporting, and usage analytics (e.g., Sentry, PostHog) to improve performance and stability.
- Communication Services: Email and notification providers (e.g., SendGrid/Resend, FCM/APNs) to deliver account notices and critical alerts.
- Payment Processors: Third-party gateways (e.g., Stripe, Paystack) to process payments. We receive payment status and identifiers; we do not store full card details.
We may also disclose information:
- In connection with a merger, acquisition, financing, or sale of all or part of our business.
- To comply with applicable laws, lawful requests, court orders, or regulatory requirements.
- To protect the rights, property, or safety of TillPal, our users, or the public, and to detect or prevent fraud or security incidents.
- To public authorities where we are legally required or permitted to do so.
- With your explicit consent for a specific purpose.
International Data Transfers
TillPal operates globally, and your data may be transferred to, stored, or processed in countries outside your region, including countries that may have different data protection laws than your jurisdiction.
When transferring personal data internationally, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities
- Adequacy decisions recognizing equivalent data protection standards
- Binding Corporate Rules or other approved transfer mechanisms
By using our Services, you acknowledge and consent to these international transfers.
Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law:
- Active Accounts: Data is retained while your account is active and for a reasonable period after account closure to address queries or disputes.
- Transaction Records: Financial and transaction data may be retained for up to 7 years to comply with tax and accounting regulations.
- Legal Requirements: Some data may be retained longer if required by law or to establish, exercise, or defend legal claims.
When you delete your account, we will delete or anonymize your personal data within 90 days, except where retention is required by law. Backups may be retained for up to 30 additional days before permanent deletion.
Security Measures
We apply industry-standard technical and organizational measures to safeguard your data and maintain system integrity:
- Encryption: All data is encrypted in transit using TLS (SSL) and at rest using AES-256 or equivalent encryption standards.
- Access Controls: Strict role-based permissions ensure that only authorized personnel can access personal data or production systems.
- Least Privilege: Our systems and processes are designed to grant the minimum necessary access required for each function or role.
- Audit Trails: Administrative access and data changes are logged to maintain traceability and support security monitoring and incident response.
- Regular Testing: Security reviews, penetration tests, and vulnerability scans are conducted regularly to identify and remediate potential risks.
Local Device Security
Because TillPal uses a local-first model that stores certain data on your device, some security measures depend on your device’s configuration:
- On-device data is protected by your device’s operating system security features, such as sandboxing and hardware encryption.
- We recommend enabling screen locks, biometric authentication, and keeping your operating system up to date to protect local data.
- If your device is lost or stolen, change your TillPal account password immediately and contact support to review your session activity.
- Local data can be cleared by uninstalling the app or using the in-app 'Clear Local Data' option if available. Remote wipe functionality is not automatically performed.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of any inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal or contractual retention obligations.
- Data Portability: Receive your personal data in a structured, machine-readable format and transfer it to another service provider.
- Restriction: Request that we limit the processing of your personal data in specific circumstances.
- Objection: Object to processing carried out under legitimate interests or for direct marketing purposes.
- Withdraw Consent: Withdraw your consent for processing activities that rely on it, without affecting the lawfulness of prior processing.
To exercise these rights, please contact us at team@tillpal.app. We will respond to verified requests within 30 days (or as required by local law).
We may need to verify your identity before processing certain requests. If you are an EEA/UK resident, you have the right to lodge a complaint with your local data protection authority. California residents have additional rights under the CCPA/CPRA.
Children's Privacy
TillPal is not directed to children under the age of 16 (or the minimum age required by law in your jurisdiction). We do not knowingly collect personal data from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at team@tillpal.app. We will delete such information promptly.
If you are under 16, please do not use our Services or provide any personal information without parental consent.
Mobile App Permissions
Our mobile applications may request the following device permissions:
- Camera: To scan product barcodes and take photos of inventory items.
- Photos/Media: To select and upload product images, and business documents from your device.
- Network/Internet: To sync data, process transactions, and enable cloud features.
- Notifications: To send alerts about sales, inventory, invites and important updates (you can disable these in settings).
- Location (Optional): To display nearby branches and location-based analytics (only if you grant permission).
- Bluetooth: To connect to Bluetooth devices for POS peripherals (only if you grant permission).
You can manage permissions through your device settings at any time. Denying certain permissions may limit app functionality.
Local-First & Offline Architecture
TillPal's local-first architecture is designed to give you control over your data while enabling seamless offline operation:
Device Caching & Storage
- Your business data is stored locally on your device using secure database storage mechanisms (e.g., SQLite).
- This data includes products, sales, inventory, and configuration settings required for daily POS operations.
- Local storage enables full TillPal functionality even when your device is offline.
- Cached data is encrypted at the device level on supported operating systems to protect it from unauthorized access.
Synchronization & Conflict Resolution
- When an internet connection becomes available, offline changes automatically sync with TillPal’s secure cloud servers.
- If the same record is modified on multiple devices, conflicts are resolved using a timestamp-based or last-write-wins approach.
- You can view synchronization status and retry failed syncs manually if needed.
- Multi-device synchronization ensures consistent and up-to-date data across all your registered devices.
What Stays Local vs. Synced
- Local only: Temporary UI state, unsynced drafts, device-specific preferences, and transient cache files remain on the device.
- Synced to cloud: Business records such as transactions, inventory data, reports, and user profiles are synchronized with our cloud servers once online.
- Cloud only: Aggregated analytics, system backups, and cross-account data that are not device-specific are maintained only on our servers.
Clearing Local Data
Local data can be cleared manually or automatically in the following ways:
- Logging out of your account does not remove locally stored data. Business data in the local database remains cached and will re-sync when you log back in.
- Uninstalling the TillPal app removes all local data, including cached business records stored in the on-device database.
- If provided, you can use the in-app 'Clear Local Data' option to manually erase locally stored data and start fresh.
Note: Clearing local data does not delete cloud-synced data. To delete all data, please delete your account or contact support.
Data Controller & Contact Information
TillPal is the data controller responsible for handling your personal information. If you have any questions, concerns, or requests regarding this Privacy Policy or how your data is managed, please reach out to us using the contact details below:
Email:
We aim to respond to all inquiries within 7 business days.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will notify you by:
- Sending an email to your registered email address
- Displaying an in-app notification or banner
- Posting a notice on our website
The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.
Your continued use of TillPal after changes become effective constitutes acceptance of the updated policy. If you do not agree with the changes, please discontinue use of our Services.
This Privacy Policy was last updated on 9 June 2026. For questions or concerns, please contact team@tillpal.app.
