Q
Qubetex

Privacy Policy

Last updated: June 2026

Qubetex POS is a point-of-sale application sold to retail shops. This page describes what data we collect, where it is stored, and how it is used. Plain English, no surprises.

1. What we collect

  • Shop owner account: name, email, shop name, password (stored hashed with bcrypt — we never see the cleartext).
  • License + activation: the license key issued to your shop, the hardware fingerprints of devices it has been activated on, and the IP + user-agent of each activation.
  • Shop business data: products, categories, units, customers/suppliers, sales, payments, cheques, journal entries, stock movements, and settings — exactly the things you enter into the POS.
  • API tokens: bearer tokens issued to the desktop app, stored as a sha-256 hash (we never see the raw token after issuance). Used to authenticate the desktop's sync requests.
  • Logs: server-side request logs containing IPs, URLs, HTTP status codes, and timestamps. Used for debugging and abuse detection. Retained for 30 days then rotated.

2. What we do NOT collect

  • Customer-facing trackers (no Google Analytics, no Facebook Pixel, no ad networks).
  • Card numbers or payment instrument data. Cash, card, and bank payments are recorded as method + amount only.
  • Geolocation, camera, microphone, or contacts.
  • Anything from the desktop app's local SQLite database except what you explicitly sync to the cloud.

3. Where your data lives

  • Cloud (qubetexpos.com): MySQL on our Hostinger server. Backed up daily. Encrypted at rest by the hosting provider.
  • Desktop: SQLite file on each device, under ~/Library/Application Support/Qubetex/shops/<hash>/qubetex.db (Mac) or %LOCALAPPDATA%\Qubetex\shops\<hash>\qubetex.db (Windows). Lives on the customer's own hardware — we cannot read it unless the customer explicitly syncs or sends it to us.
  • Sessions + cookies: encrypted server-side database session table. Cookies are HTTPS-only with the SameSite=Strict attribute.

4. Multi-tenant isolation

Every database row carries an origin_user_id that pins it to one shop. A global query scope (TenantScope) adds WHERE origin_user_id = auth()->id() to every SELECT made by a shop user. Shops cannot see other shops' data — MySQL never returns it. Only the super-admin role bypasses this scope, and admins are barred from the customer-facing login form and the desktop app.

5. Third parties

  • Hostinger — hosts the web app + database. Their privacy policy.
  • FBR (Federal Board of Revenue, Pakistan) — for shops that opt into FBR-compliant invoicing, sale records are pushed to FBR's API as required by tax law. Push is opt-in per shop in Settings.
  • OpenFoodFacts — barcode lookups for new products call world.openfoodfacts.org. Only the barcode number is sent. No customer or shop data leaves your device for lookups.

6. Security measures

  • Passwords hashed with bcrypt.
  • API tokens stored as sha-256 hashes; expire after 90 days; rotated per device.
  • HTTPS enforced site-wide (APP_FORCE_HTTPS=true).
  • Strict SameSite cookies + encrypted session payloads.
  • Standard security headers on every response (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS in production).
  • Rate limits on login (10/min), license activation (5/min), license check (30/min), forgot-password (5/min), and sensitive API endpoints to slow credential stuffing and abuse.
  • Public self-registration is disabled. Shop accounts are created only by the vendor (super-admin) after onboarding.

7. Your rights

You can request a full export of your shop's data at any time via Super-Admin → Shops → ⬇ Backup (we will email it to you), or request deletion of your account and all associated rows. Either request: email support@qubetex.com.

8. Changes to this policy

Material changes will be posted here with an updated "Last updated" date. We will email shop owners when the change affects what we collect or who we share with.

9. Contact

Questions, requests, or concerns: support@qubetex.com.

← Back to Qubetex POS