Privacy Policy
Effective date: February 21, 2026
BarOS ApS ("BarOS", "we", "us", or "our"), a company registered in Denmark, operates the BarOS platform. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection law.
1. Data Controller
BarOS acts in two capacities:
- Data controller for account data, usage analytics, and other data we collect for our own purposes (described in this policy).
- Data processor for Customer Data (venue data, sales data, invoice data) that our customers enter into the platform. In this capacity, our customer (the venue operator) is the data controller, and our processing is governed by our Data Processing Agreement.
Data Controller contact:
BarOS ApS
Denmark
Email: privacy@baros.dk
2. What Data We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Password (stored hashed, never in plaintext)
- Name (if provided)
- Venue name and basic venue information
2.2 Customer Data (Processed on Your Behalf)
Data you enter or upload through the Service:
- Venue data: tap configurations, venue settings, staff PINs
- Product data: beer/beverage catalogs, supplier information, pricing
- Invoice data: uploaded invoice images/PDFs, extracted line items, costs
- Sales data: POS transaction records, revenue figures
- Keg data: keg lifecycle records, tap assignments, pour data
This data belongs to you. We process it solely to provide the Service. See our Data Processing Agreement for details.
2.3 Usage Analytics
We automatically collect:
- Pages visited and features used within the Service
- Browser type, operating system, and device information
- IP address (truncated/anonymized where possible)
- Timestamps of access and actions
- Error logs and performance metrics
2.4 Payment Information
Payment card details are collected and processed directly by our payment processor, Stripe. We do not store your full card number, CVV, or other sensitive payment details on our servers. We receive from Stripe: the last four digits of your card, card brand, expiration date, and billing address for invoicing purposes.
2.5 Communications
If you contact us via email or support channels, we collect the content of your messages and any information you voluntarily provide.
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing the Service | Account info, Customer Data |
| AI invoice processing | Uploaded invoice images/PDFs |
| Billing & subscription management | Account info, payment data (via Stripe) |
| Service improvement & debugging | Usage analytics, error logs |
| Customer support | Account info, communications |
| Security & fraud prevention | IP addresses, access logs |
| Legal compliance | As required by applicable law |
We do not sell your personal data. We do not use your Customer Data for advertising. We do not profile you for marketing purposes.
4. Legal Basis for Processing
Under GDPR, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — account management, data storage, invoice processing, billing.
- Legitimate interests (Art. 6(1)(f)): Usage analytics for service improvement, security monitoring, and fraud prevention. We balance our interests against your rights and only process what is proportionate and necessary.
- Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or regulatory compliance.
- Consent (Art. 6(1)(a)): For any optional cookies or analytics beyond essential functionality. You may withdraw consent at any time.
5. Data Sharing & Sub-Processors
We share data only with service providers (sub-processors) who are necessary to operate the Service. Each sub-processor is bound by data processing agreements that ensure GDPR-compliant handling of your data.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel | Application hosting & CDN | All application data in transit | EU (Frankfurt) |
| Neon | PostgreSQL database hosting | All stored Customer Data & account data | EU (AWS eu-central-1) |
| Stripe | Payment processing | Billing info, payment card details | EU/US (SCCs in place) |
| Anthropic | AI invoice data extraction (Claude API) | Invoice images/PDFs for OCR processing | US (SCCs & DPA in place) |
We do not share your data with any other third parties except when required by law (e.g., in response to a valid court order or regulatory request).
6. International Data Transfers
Your data is primarily stored and processed within the European Union. Where data is transferred to sub-processors outside the EU (Stripe and Anthropic process some data in the US), we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) with each US-based sub-processor.
- Data Processing Agreements that require GDPR-equivalent protections.
- Regular assessment of sub-processor compliance and data protection practices.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Customer Data (venue, products, kegs, sales) | Duration of account + 30 days after deletion |
| Uploaded invoices | Duration of account + 30 days after deletion |
| Payment & billing records | 7 years (Danish bookkeeping requirements) |
| Usage analytics & logs | 90 days (rolling) |
| Support communications | 2 years after last contact |
| AI-processed invoice data | Not retained by Anthropic after processing (zero-retention API) |
When data reaches the end of its retention period, it is permanently deleted or anonymized. You may request earlier deletion at any time (subject to legal retention obligations).
8. Your Rights Under GDPR
As a data subject in the EU, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data. You can also update most information directly in your account settings.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain the data.
- Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format (CSV). You can export your data through the Service at any time.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@baros.dk. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.
9. Cookies
We use a minimal set of cookies that are essential to the functioning of the Service. For full details, see our Cookie Policy.
In summary:
- Essential cookies: Session authentication, CSRF protection, user preferences. These are strictly necessary and do not require consent.
- No tracking cookies: We do not use third-party advertising or cross-site tracking cookies.
- Analytics: If we add analytics cookies in the future, we will obtain your consent first.
10. Children's Privacy
BarOS is a business-to-business service intended for use by adults operating licensed bar and taproom establishments. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child, we will delete it promptly.
11. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest.
- Hashed passwords using industry-standard algorithms (bcrypt).
- Access controls and principle of least privilege for internal access.
- Regular security reviews and dependency updates.
- Database hosting in EU data centers with SOC 2 certified infrastructure (Neon/AWS).
- Automatic backups and point-in-time recovery capabilities.
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@baros.dk.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or a notice in the Service. The "Effective date" at the top indicates when the current version took effect.
13. Contact & Complaints
For privacy-related questions or to exercise your rights:
- Email: privacy@baros.dk
- Company: BarOS ApS, Denmark
If you are unsatisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
- Website: datatilsynet.dk
- Email: dt@datatilsynet.dk