← Back

Privacy Policy

Last updated: 4 May 2026 · Effective: 4 May 2026 · Version 1.0

1. Who we are

MRA POS is operated by MRA POS ("we", "us", "our"), registered in Mauritius. Contact:

• General: privacy@example.com
• Data Protection Officer (DPO): dpo@example.com

2. What data we collect

Category	Examples	Lawful Basis
Account	Name, email, phone, role	Contract
Transaction	Sales, purchases, payments	Contract + legal obligation (MRA tax law)
Biometric (face descriptor)	Mathematical vector derived from face image, stored encrypted	GDPR Art. 9(2)(b) + explicit consent
WhatsApp message content	Customer-bot conversations	Contract
Usage	IP, browser, pages visited	Legitimate interest (security, fraud prevention)
Cookies	Session, CSRF, consent preferences	Strictly necessary + consent

3. How we use your data

• Provide point-of-sale and back-office functionality
• Comply with Mauritius Revenue Authority record-keeping (7 years)
• Detect and prevent fraud or unauthorised access
• Process payments through our payment partners
• Send transactional emails (receipts, password resets)
• Marketing only with your explicit, withdrawable consent

4. Who we share data with

Only with sub-processors listed in our Cookie Policy and Sub-processor Register, each bound by a Data Processing Agreement.

5. Your rights (GDPR Art. 15-22 / MU-DPA s.30-37)

• Access: request a copy of your data — /data-privacy/my-data
• Rectification: correct inaccurate data through your account
• Erasure ("right to be forgotten"): request deletion
• Restriction: email dpo@example.com
• Portability: machine-readable export
• Objection: opt out of processing not based on contract
• Withdraw consent: at any time
• Lodge a complaint with the Mauritius Data Protection Office: dataprotection.govmu.org

6. Retention

We retain data only as long as necessary. Tax records: 7 years (MRA s.59 VAT Act). Authentication logs: 1 year. Face descriptors: until end of employment + 30 days. Full schedule available on request.

7. Security

Industry-standard controls: TLS 1.3 in transit; AES-256 at rest (database tablespace + application-layer for special-category data); 2FA mandatory for admins; daily encrypted backups; intrusion detection; quarterly penetration testing.

8. Data transfers outside Mauritius / EU

Where sub-processors are outside Mauritius, transfers are protected by Standard Contractual Clauses or adequacy decisions where available.

9. Changes

We notify you 30 days before material changes via email and in-app banner.

10. Contact

For any question or to exercise a right: dpo@example.com