Privacy Policy

Last updated: 12 April 2026

ORVO ("we", "us", "our") operates the ORVO POS system, including the ORVO Authenticator mobile application and related web services at orvopos.com. This policy explains what data we collect, how we use it, and your rights.

1. What We Collect

When you use the ORVO Authenticator app or ORVO web services, we may collect:

• Account information -- your name, email address, and company code, provided during account setup by your employer or account owner.
• Authentication data -- records of login events (time, method used, device identifier) for security auditing. We do not store your TOTP codes.
• Device token -- a Firebase Cloud Messaging token used solely to deliver push notification approval requests to your device.
• Location data -- approximate device location used to determine whether you are at or near your assigned shop. This enables automatic check-in so that approval requests are only sent to nearby managers. Location is collected when you open the app and via background geofencing (if you grant "Always Allow" permission). We store only the most recent location and update timestamp on our server; no location history is retained.
• Biometric confirmation -- the app uses Face ID or fingerprint authentication to protect access. Biometric data is processed entirely on your device by the operating system; we never receive, store, or transmit biometric data.

2. What We Do Not Collect

• We do not collect contacts, photos, or files from your device.
• We do not use analytics, advertising, or tracking SDKs.
• We do not sell, share, or transfer personal data to third parties for advertising or marketing.

3. How We Use Your Data

• Authentication -- to verify your identity when logging into ORVO services or approving actions on the POS.
• Push notifications -- to send approval requests to your device when a manager action requires authorisation.
• Proximity check-in -- to determine whether you are at your assigned shop so that approval requests are routed only to nearby managers.
• Security logging -- to maintain an audit trail of authentication events for your account's security.

4. Data Storage and Security

Your TOTP secret key is stored locally on your device using the platform's secure storage (Android KeyStore or iOS Keychain). It is never transmitted after the initial setup.

Authentication logs and account data are stored on servers hosted by Hostinger in the EU. All data transmission uses HTTPS encryption.

5. Data Retention

Authentication logs are retained for 12 months, then automatically deleted. Account data is retained while your account is active. When an account is deactivated, personal data is removed within 30 days.

6. Your Rights

Under GDPR and applicable data protection law, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Withdraw consent for push notifications at any time (via device settings).

To exercise these rights, contact your account owner or email us at privacy@orvopos.com.

7. Children's Privacy

ORVO services are not intended for use by anyone under the age of 18. We do not knowingly collect data from children.

8. Third-Party Services

We use Firebase Cloud Messaging (Google) solely for delivering push notifications. No personal data beyond the device token is shared with Google for this purpose. See Firebase Privacy for details.

9. Changes to This Policy

We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. Continued use of ORVO services after changes constitutes acceptance.

10. Contact

If you have questions about this privacy policy or your data, contact us at:

ORVO
Email: privacy@orvopos.com
Web: orvopos.com