Privacy Policy

Wemu Inc. · Effective: May 26, 2026 · Last updated: May 26, 2026

This Privacy Policy explains how Wemu Inc. ("Wemu," "we," "us," or "our") collects, uses, shares, and protects information when you use our mobile applications Wemu POS and Wemu Team (together, the "Apps") and the related web platform at app.wemu.io (the "Service"). By using the Apps or the Service, you agree to the practices described in this Policy.

Two audiences. The Service is sold to businesses. If you are a business operator signing up, you are our "Customer." If you are an employee, contractor, or end customer of a Wemu Customer (for example, a staff member clocking in, or a buyer placing an order), the Customer is the "controller" of your personal information and we process it on their behalf. This Policy describes our practices in both roles.

1. Information We Collect

1.1 Information you provide

Account information: your name, email address, phone number, password (stored as a salted hash — never in plain text), business name, business address, industry, currency, and timezone.
Team information: the name, email, phone, role, profile photo, and PIN of employees you add to your business.
Customer records: if you use the Apps to track end customers (for orders, bookings, invoices, or memberships), we store the customer details that you enter — typically name, contact details, address, purchase history, and any notes you add.
Content you upload: product photos, business logos, profile pictures, clock-in / clock-out photos, receipts, invoices, and any other media you choose to upload.
Payment-method information: when you subscribe to a paid plan, billing is processed by Stripe. We receive only a tokenized reference, the last four digits of the card, the brand, and the expiry month/year — we do not receive or store your full card number, CVC, or bank credentials.
Communications: messages you send to support, replies to in-app prompts, and survey responses.

1.2 Information collected automatically

Device & technical information: device model, operating system version, app version, language, timezone, IP address, and an anonymous installation identifier.
Usage information: the screens you visit, actions you take, error events, and approximate timestamps. Used to operate the Service, diagnose bugs, and improve features.
Location information: only when you grant the relevant permission (see Section 3). The Apps use location for two purposes: (a) staff clock-in/out attendance verification, and (b) in-person payment processing where required by the card network.
Network telemetry: connection status, latency to our servers, and basic socket events used to keep real-time features (orders, chat, shifts) in sync.

1.3 Information from third parties

Sign-in providers: when you choose to sign in with Google or Apple, we receive your name, email, and a stable provider ID from that service.
Payment processor: Stripe shares payment status, settlement information, dispute notifications, and the limited card metadata described above.
SMS gateway: when a customer replies to an SMS sent through the Service, our gateway provider relays their message and phone number to us so the conversation can be threaded into your inbox.

2. How We Use Information

Provide, operate, and maintain the Apps and the Service.
Authenticate you, secure your account, and prevent fraud or abuse.
Process subscription payments and send billing receipts.
Process in-person and online payments on your behalf via Stripe (Wemu POS only).
Send transactional messages — receipts, password resets, invitation links, booking confirmations, shift notifications, and similar.
Send service announcements, security alerts, and (where you have opted in) product updates.
Power features you have enabled — for example, staff clock-in with photo verification, route planning for deliveries, or SMS replies to customers.
Diagnose and fix bugs, monitor performance, and improve the Service.
Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, we do not use it for advertising, and we do not train artificial-intelligence models on your customer data.

3. Permissions Requested by the Apps

The Apps request only the permissions needed for the features you use. You may decline or revoke any permission in your device settings; some features will be unavailable without them.

3.1 Wemu POS

Permission	Why it is used
Camera	Scan barcodes/QR codes for product lookup and order pickup; take product or receipt photos.
Location (precise, while in use)	Required by Stripe Terminal for in-person card-present transactions on supported hardware; never tracked in the background.
Bluetooth (scan + connect)	Pair with receipt printers and card readers. Marked `neverForLocation` — we do not use Bluetooth to derive location.
NFC	Tap to Pay and contactless reader interaction.
Microphone (iOS)	Required by some Stripe Terminal reader models for audio handshake. We do not record or transmit audio.
Internet	Communicate with Wemu servers and payment processors.

3.2 Wemu Team

Permission	Why it is used
Camera	Take optional clock-in / clock-out verification photos when your employer enables the feature.
Photo Library	Attach images to your profile or to timesheet entries.
Location (precise, while in use)	Verify shift attendance at your assigned work location. Captured only at the moment you clock in or clock out — not in the background.
Push notifications	Deliver shift reminders, schedule changes, task assignments, and chat messages.

4. How We Share Information

We share information only in the limited ways listed below.

4.1 Within your business

If you are a staff member of a Wemu Customer, the business owner and other authorized roles can see information you generate in the Service (timesheets, sales you processed, shifts you worked, messages you sent through the platform). Role and permission controls are configured by the business.

4.2 Service providers (sub-processors)

We use the following third-party providers to operate the Service. Each is contractually limited to processing personal information only for the purpose described.

Provider	Purpose	Data shared
Google Firebase (Authentication, Cloud Messaging)	Sign-in flow; push notifications to Wemu Team.	Email, name, provider ID, FCM token, app/device metadata.
Stripe	Subscription billing, in-person payments (Wemu POS), payouts.	Name, email, billing address, payment-method token, transaction amounts.
DigitalOcean	Cloud hosting for the Wemu backend and database.	All Service data, stored in the United States.
SendGrid (Twilio)	Transactional email delivery.	Recipient email, message body.
Kudosity (and similar SMS gateways)	Outbound SMS to customers; inbound SMS replies.	Sender / recipient phone number, message body.
Cloud image storage (e.g. Cloudinary / DigitalOcean Spaces)	Storing and delivering images you upload.	Image files and their metadata.
Apple Push Notification Service / Google Play Services	Delivering push notifications to your device.	Device push token and message payload.

4.3 Legal and safety

We may disclose information if required by valid legal process, to protect our rights, to enforce our Terms, or to prevent fraud, security incidents, or serious harm. Where lawful, we will notify the affected Customer before disclosing.

4.4 Business transfers

If Wemu is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. The successor entity will be bound by the commitments in this Policy or will give you notice and an opportunity to object before changing them.

5. Data Retention

Account and business data is retained while your account is active and for up to 90 days after deletion, after which it is permanently removed from production systems. Backups age out within 35 days.
Financial records (invoices, tax records, payout history) are retained for the period required by applicable tax and accounting law — typically 7 years in the United States.
Logs and security telemetry are retained for up to 90 days.
Push tokens are deleted when the app is uninstalled or sign-in is revoked.

6. Your Privacy Rights

6.1 All users

You may, at any time:

Access the personal information we hold about you.
Request correction of information that is inaccurate or out of date.
Request deletion of your account and associated personal information.
Export a copy of the data you have provided in a portable format.
Revoke device permissions (camera, location, etc.) in your operating-system settings.
Opt out of non-essential email or push communications from within the app or via the unsubscribe link in each message.

To exercise these rights, email [email protected]. We respond to verifiable requests within 30 days.

6.2 California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what categories of personal information we collect, the purposes for collecting them, the categories of third parties with whom we share them, and the right to request deletion or correction. You also have the right not to be discriminated against for exercising these rights. We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under California law.

6.3 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, our legal bases for processing are: performance of a contract (to provide the Service you signed up for), legitimate interests (operating and improving the Service, fraud prevention), legal obligation (tax and accounting records), and consent (where we ask for it). You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your local supervisory authority.

7. Children's Privacy

The Service is intended for businesses and people aged 18 or older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.

8. International Data Transfers

Wemu Inc. is based in the United States and most Service data is processed in the United States. If you access the Service from another country, your information will be transferred to, processed in, and stored in the United States or other jurisdictions where our service providers operate. We use standard contractual clauses or other lawful transfer mechanisms where required.

9. Security

All traffic between the Apps and our servers is encrypted in transit (TLS 1.2+).
Passwords are stored as salted bcrypt hashes, never in plain text.
Payment-card data is handled exclusively by Stripe (PCI DSS Level 1 certified).
Access to production systems is restricted to authorized engineers, audited, and protected by multi-factor authentication.

No system can be guaranteed 100% secure. If we become aware of a security incident affecting your personal information, we will notify you and the relevant authorities as required by law.

10. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be notified through the Apps, by email, or by a prominent notice on our website. Continued use of the Service after the effective date of an update constitutes acceptance of the revised Policy.

11. Contact Us

For privacy questions, requests, or complaints:

Email: [email protected]
Company: Wemu Inc.