Privacy policy.

Summary

We collect the minimum data needed to show you analytics about your own business. Your data lives in Singapore, is isolated per-tenant, is encrypted in transit and at rest, and is never sold, shared, or used to train shared models. You can delete it any time.

1. Who we are

SKANDAN PTE. LTD. (UEN 202621966R), a Singapore- incorporated company operating the "VentaLens" product. Contact: [email protected] .

2. What we collect — and what we don't

From Loyverse (read-only):

• Receipts and line items (sales totals, taxes, service charge, timestamps, item names, quantities, costs).
• Items and item variants (name, SKU, cost, price, whether stock is tracked), and categories.
• Stores, and employees (id + display name only).
• Shifts (open/close times, store, starting/expected/actual cash) and stock levels (current in-stock count per item), read for sync completeness.
• An opaque customer reference id may appear on a receipt. We do not ingest customer names or any customer contact details, visit counts, or spend history. Never email, phone, address, or PIN.

From you directly:

• Your email address — used to sign you in via Google or a one-time magic link. We never set or store a password (sign-in is passwordless).
• Your preferences (locale, timezone, business-day cutoff).
• Your Loyverse Personal Access Token (encrypted at rest with a separate key).
• Optional: payment-card billing handled by Stripe — we never see your full card number; Stripe sends us a token reference only.
• If you use the contact form on this website, the name, email, and message you submit (delivered to us via FormSubmit.co — see sub-processors below).

What we don't collect:

• Customer or employee contact PII (email, phone, address, PIN).
• Customer names, visit counts, or spend history.
• Payment-card numbers or CVVs.
• Browsing behaviour outside the product (no tracking pixels across the web).
• Audio, video, biometric, or geo-location data.

3. Why we collect it (lawful basis)

• Contract performance: to deliver the analytics you signed up for.
• Legitimate interest: to detect fraud, debug errors, send necessary product emails.
• Consent: for any future feature that needs explicit opt-in (e.g. marketing emails).

4. Where your data lives

• Database: Supabase (PostgreSQL) in Singapore (ap-southeast-1). Row-Level Security isolates every tenant at the database layer.
• Application servers: Fly.io in Singapore (sin region).
• Encryption: TLS 1.3 in transit, AES-256 at rest.
• Backups: Supabase-managed daily, encrypted, retained 7 days.

5. Sub-processors

We use these third parties to operate VentaLens. See the DPA for the full list with purpose and data categories.

• Supabase — database, auth, storage
• Fly.io — application hosting
• Stripe — payments (card data isolated in Stripe's vault)
• Brevo — transactional email
• Sentry — error monitoring (scrubbed of PII)
• FormSubmit.co — marketing-site contact form delivery
• Loyverse SIA — your POS, source of the receipts data

6. How long we keep it

• Active accounts: for the life of your subscription.
• Deleted accounts: when you delete your account there is a 30-day recovery grace period, after which all your data is hard-purged from our systems.
• Backups: rolling 7-day retention; deleted data falls out of backups within 7 days.
• Audit logs: retained 1 year (for security review), then purged automatically.

7. Your rights

Under Singapore PDPA and EU GDPR you have the right to:

• Access — see what we have. Email us; we send within 30 days.
• Rectify — fix anything wrong. Edit in Settings or email us.
• Delete — purge everything. Use "Delete account" on your Profile page, or email us.
• Export — take it elsewhere. Use "Export my data" on your Profile page.
• Object — withdraw consent for any feature that needed it.
• Lodge a complaint — with the Singapore PDPC or your local DPA.

8. Breach notification

If a personal-data breach affects you, we'll notify you within 72 hours of becoming aware. The notice will include what happened, what data was affected, what we're doing about it, and what you can do.

9. Cookies

The marketing site (ventalens.com) uses no third-party tracking cookies. The app (app.ventalens.com) uses one first-party cookie to keep you signed in. No advertising or cross-site tracking.

10. Changes

We'll email registered users if this policy materially changes, and we'll surface the new version in-product for explicit acknowledgment before you continue.

11. Contact for privacy questions

Email [email protected] with "Privacy" in the subject. We reply within one business day.