Privacy Policy
This policy describes how The Octane collects, uses, shares and protects personal data. Effective 2026-06-17.
Data we collect
Account data (email, name), organization data (restaurant name, team members), inventory and movement records (products, stock changes, purchase orders), staff records (employees, shifts, worked hours, tips and uploaded employee documents), and session/device data for security.
We do not collect payment card data directly — payments are processed by Stripe.
How we use it
To operate the service: authenticate users, scope each organization's data to its members, send transactional emails (magic links, invitations, alerts), and detect security issues.
We do not sell personal data or use it for advertising. Product analytics are aggregate and anonymous — no individual profiles, no tracking cookies, no third-party trackers. Error telemetry is stripped of personal data before it leaves the system.
Sub-processors
See our DPA for the current sub-processor register. Key processors: Supabase (database, auth, storage), Vercel (hosting), Resend (transactional email), Sentry (error tracking), Stripe (payments).
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Managed Postgres database, Auth and Storage for all user data. | Switzerland (Zurich region, eu-central-2) |
| Vercel Inc. | Application hosting, edge delivery, build artefacts. | Global edge with European primary region |
| Resend (Plus Five Five, Inc.) | Transactional and authentication email delivery (verification codes, password resets, invitations, alerts), via SMTP relay. | United States / EU |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing. Card data is entered directly with Stripe and never reaches The Octane's servers. | Ireland / United States |
| GitHub Inc. | Source code hosting, CI, cron scheduling for background jobs. | United States |
| Functional Software, Inc. (Sentry) | Error and performance telemetry. Only active when SENTRY_DSN is set; all events pass through The Octane's PII scrubber before leaving the process. | United States |
| Amazon CloudFront | Static asset delivery for the marketing hero video. | Global edge |
Retention
Account data: retained while account is active + 14 days after deletion request.
Inventory and staff records (products, movements, purchase orders, employees, shifts, tips and documents): retained for the life of the organization account.
Payment receipts: retained for 10 years (Swiss legal obligation).
Your rights
Access, rectify, export or delete your data at any time from Settings > Export. For requests not covered by self-service, email privacy@theoctane.ch.
Swiss residents: rights under the revised nFADP apply.
EU residents: GDPR rights apply. We respond within 30 days.
Contact
Data protection officer: privacy@theoctane.ch.
General privacy questions: contact@theoctane.ch.