Skip to main content
R3·POS · Legal

Privacy Policy

Effective date: June 16, 2026

This Privacy Policy explains how R3 Lab Inc.(“R3·POS,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the R3·POS café-commerce platform (the “Service”). We handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

R3·POS provides software to independent merchants. For most end-customer information processed through a merchant’s store, the merchantis the organization that determines the purposes of processing, and R3·POS processes that information on the merchant’s behalf. For account and platform information, R3·POS acts on its own behalf.

1. Information we collect

  • Account information — name, business name, email address, phone number, and login credentials for merchants and their staff.
  • Order information — items purchased, amounts, pickup times, timestamps, and order status from the storefront and POS.
  • Loyalty information — stamps earned, rewards, and the wallet identifier associated with an end-customer.
  • Payment metadata — confirmation tokens, the last few digits and card brand, amounts, and payment status. We do not collect or store full card numbers; card data is handled by Stripe (see Section 4).
  • Technical information — device, browser, IP address, and cookie identifiers, as described in our Cookie Policy.

2. Why we collect it

We use personal information to:

  • provide, operate, secure, and improve the Service;
  • process and fulfill orders, including pickup coordination;
  • record and redeem loyalty stamps and rewards;
  • facilitate payments through Stripe and detect or prevent fraud;
  • provide support and communicate about the Service;
  • meet legal, tax, and regulatory obligations.

3. Lawful basis and consent

Under PIPEDA, we collect, use, and disclose personal information with consent, except where another lawful basis applies. Consent may be express or, where appropriate and permitted, implied from the context of a transaction (for example, completing a purchase or enrolling in a loyalty card). You may withdraw consent subject to legal or contractual restrictions and reasonable notice; doing so may limit or prevent your use of certain features.

4. How we share information

We do not sell personal information. We share it only as needed to run the Service, with:

  • Stripe — our payment processor, to authorize and settle card payments. Stripe processes payment information under its own privacy policy and the Stripe Connected Account Agreement.
  • Infrastructure and service providers — hosting, database, email, and analytics providers that process information under contract and on our instructions.
  • Merchants — order and loyalty information is shared with the merchant you transacted with, so they can fulfill your order and manage their loyalty program.
  • Legal and safety — where required by law, regulation, legal process, or to protect rights, safety, and the integrity of the Service.

5. Retention

We retain personal information only as long as necessary for the purposes described in this Policy, to provide the Service, and to meet legal, accounting, and tax obligations, after which it is deleted or de-identified. Retention periods vary by data type and by the merchant’s own requirements where the merchant is the controlling organization.

6. Security

We use technical and organizational safeguards appropriate to the sensitivity of the information, including encryption in transit, access controls, and use of a PCI-compliant payment processor so that card numbers do not reach our systems. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7. Your rights

Subject to applicable law, you may:

  • Access the personal information we hold about you;
  • Correct information that is inaccurate or incomplete;
  • Withdraw consent to certain processing, subject to legal and contractual limits.

Where a merchant is the organization responsible for your information (for example, your order and loyalty history with a specific café), we may direct your request to that merchant or assist them in responding. To exercise a right, contact us using the details in Section 9.

8. Cookies

We use cookies and similar technologies to operate the Service, remember preferences, and measure usage. For details on the specific cookies set — including the locale preference cookie and the secure consumer-session cookies — and how to control them, see our Cookie Policy.

9. Contact us

For privacy questions, requests, or complaints, contact our privacy contact at [email protected], or by mail to R3 Lab Inc., Toronto, Ontario, Canada. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.

10. Changes to this Policy

We may update this Privacy Policy from time to time. We will revise the effective date above and, for material changes, provide additional notice where appropriate.