SUNMI App Store — Android Application Policy
This Privacy Policy applies specifically to the Turns POS Android
Application ("App") distributed via the SUNMI App Store and installed on SUNMI Android-based
devices (POS terminals, handheld scanners, and payment hardware). It supplements our full platform Privacy
Policy at turnsapp.com/privacy-policy and satisfies SUNMI Partners Platform Agreement
Section III.1 requirements on permission disclosure and personal information processing rules.
Turnsapp Inc. ("Turnsapp," "we," "us," or "our") is committed to protecting the privacy and security of your
personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information
when you use the Turns POS Android Application ("App") on SUNMI devices.
The App's Core Features Include:
- Point-of-sale order creation, management, and payment processing
- Customer profile management and lookup (search, create, update)
- Barcode and QR code scanning for order tags, inventory, and rack assignment
- Bluetooth and USB peripheral connectivity (receipt printers, cash drawers, barcode scanners)
- Pickup & delivery route management and driver dispatch
- Real-time reporting, daily summaries, and AI-driven insights
- Employee attendance tracking and role management
- Push notifications for order status updates
- Plant (processing facility) send/receive workflow management
- Retail stock and inventory tracking
By using the App, you agree to the collection and use of information in accordance with this Privacy
Policy.
The App requests the following Android permissions. All permissions are used solely to deliver the features
described. The App requests only the minimum permissions necessary. Runtime permissions are requested only
when the relevant feature is first accessed — users may deny or revoke any permission at any time via
Android Settings > Apps > Turns > Permissions.
| Permission | Purpose | When Requested |
| --- | --- | --- |
| INTERNET | Syncing orders, customer data, and reports with Turns cloud servers in real time. | Always (automatic) |
| ACCESS_NETWORK_STATE | Detecting network connectivity to manage offline/online mode gracefully. | Always (automatic) |
| CAMERA | Scanning QR codes and barcodes for customer lookup, order tagging, and inventory management. Camera data is processed locally on-device only and is never transmitted to our servers. | On use (runtime) |
| BLUETOOTH_SCAN, BLUETOOTH_CONNECT, BLUETOOTH_ADVERTISE, BLUETOOTH (Android ≤11), BLUETOOTH_ADMIN (Android ≤11) | Discovering and connecting to Bluetooth receipt printers, barcode scanners, and POS peripherals. BLUETOOTH_SCAN uses the neverForLocation flag — it is never used for location tracking. | On use (runtime) |
| ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION | Required by Android OS to scan for nearby Bluetooth devices. Also used for pickup & delivery route optimization via Google Maps when that feature is enabled. Never collected in the background. | On use (runtime) |
| READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE (Android ≤12 only) | Reading and saving order receipts, reports, and export files to device storage on Android 12 and below. Not requested on Android 13+. MANAGE_EXTERNAL_STORAGE is explicitly removed from the APK. | On use (runtime) |
| USB_PERMISSION (android.hardware.usb.host) | Connecting to USB-attached receipt printers, cash drawers, and barcode scanners via the SUNMI device's USB host port. | On use (runtime) |
| VIBRATE | Providing haptic feedback for order confirmations, payment notifications, and alerts. | Always (automatic) |
| KILL_BACKGROUND_PROCESSES | Managing app memory and ensuring stable POS performance on the SUNMI device. | Always (automatic) |
2.1 Permissions NOT Requested
The following sensitive permissions are explicitly not used by the App:
- READ_CONTACTS / WRITE_CONTACTS — the App maintains its own customer database
and does not access device contacts.
- RECORD_AUDIO / MICROPHONE — voice input is not used in the Android App.
- READ_CALL_LOG / SEND_SMS — the App does not place calls or send SMS messages
directly.
- READ_CALENDAR / WRITE_CALENDAR — calendar access is not required.
- MANAGE_EXTERNAL_STORAGE — explicitly removed from the APK even if added by
third-party libraries.
When you register and use the App, we collect:
- Business name, address, and contact information
- Owner/manager login credentials (stored securely — never in plain text)
- Store configuration and preference settings
As part of providing our Services, we process customer data on your behalf, including:
- Customer names, phone numbers, and delivery addresses
- Order history, service preferences, and pickup/delivery instructions
- Payment method type — card type and last 4 digits only; full card numbers are never stored on-device
- Loyalty program points and promotional data
When running on SUNMI devices, the App interacts with SUNMI hardware APIs to:
- Detect and connect to SUNMI's built-in printer, barcode scanner, and payment terminal peripherals
- Read device serial number and model for hardware identification and support
- Monitor connection status of USB and Bluetooth peripherals
This hardware interaction data is used solely for App operation and is not shared with third parties
beyond what is described in Section 4.
Location data is accessed for two purposes only:
- Bluetooth scanning: Android requires location permission to scan for nearby Bluetooth devices.
We use the neverForLocation flag on BLUETOOTH_SCAN to prevent it from being used for location tracking.
- Route optimization: When the pickup & delivery feature is enabled, approximate
location is used to calculate delivery routes via Google Maps. The operator may disable this
feature.
We do NOT continuously track location in the background. Location is only accessed when
an active user session is open and the relevant feature is in use.
We share information with trusted third-party service providers who assist us in operating our Services. All
data transmission uses TLS 1.2+ encryption.
Payment Processing
Stripe (Stripe, Inc.)
Purpose: Credit card and payment processing (US & International)
Razorpay (Razorpay Software Limited)
Purpose: Payment processing for India
What Razorpay Collects:
- Personal identifiers (name, email, phone, address, demographics)
- Transaction data and payment details
- Device & technical data (IP, browser, device info)
- Regulatory & KYC compliance data
Compliance:
- Privacy Policy: razorpay.com/privacy
- Regulatory Framework: Digital Personal Data Protection Act, 2023 (India)
- Data Fiduciary Status: Acts as Data Fiduciary under Indian law
- User Rights: Right to redress grievances, nominate representative
PayMaya / Maya (PayMaya Philippines, Inc.)
Purpose: Payment processing for Philippines
Security Measures:
- AES-256 encryption for data at rest and in transit
- Role-based access controls and data minimization
- First bank in Philippines with ISO 27001 & ISO 27701 certifications
Compliance:
- Privacy Policy: maya.ph/privacy
- DPO Contact: dpo@paymaya.com
- Regulatory Framework: Data Privacy Act of 2012 (Philippines)
- User Rights: Right to object, access, modify, erasure
PayRange (PayRange, Inc.)
Purpose: Cashless payment solutions for unattended retail
Important Security Note:
- Card data is NEVER viewed, passed through, or stored on PayRange servers
- Only last 4 digits of card + token are stored
- Multiple security safeguards against unauthorized access
Cloud Infrastructure
Amazon Web Services (AWS)
Purpose: Application hosting and data storage
- Privacy Policy: aws.amazon.com/privacy
- Certifications: ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 2
- Compliance: GDPR with DPA
Google Cloud Platform
Purpose: Cloud services and infrastructure
Communication Services
Twilio (Twilio Inc.)
Purpose: SMS notifications to customers
- Privacy Policy: twilio.com/legal/privacy
- Last Updated: August 14, 2025
- Framework: Binding Corporate Rules (BCRs) — approved by EU DPAs
- Certifications: ISO 27001
Firebase Cloud Messaging (Google)
Purpose: Push notifications for order and operational alerts. No personal message
content is transmitted through FCM.
Artificial Intelligence and Machine Learning
OpenAI (OpenAI, Inc.)
Purpose: AI-powered features including automated suggestions and reporting insights
Important Privacy Protections:
- By default, OpenAI does NOT use API data for training models
- API inputs/outputs do NOT become training data (unless explicitly opted in)
- Data retained for abuse monitoring for maximum 30 days, then deleted
- Zero data retention available for highly sensitive applications
- Privacy Policy: openai.com/policies/row-privacy-policy
- Last Updated: June 27, 2025
- Data Retention: 30 days (abuse monitoring), then deleted
- Compliance: SOC 2, SOC 3, GDPR, CCPA, HIPAA (with BAA)
Note: You can opt out of AI-powered features at any time through your account settings.
Disabling AI features will not affect core POS functionality.
Delivery and Logistics Services
DoorDash (DoorDash, Inc.)
Purpose: Delivery coordination and logistics via Drive API
What DoorDash Processes:
- Customer names, addresses, and phone numbers (for delivery coordination only)
- Pickup and drop-off locations
- Delivery instructions and preferences
- Order timing and status
Error Monitoring and Diagnostics
Sentry (Sentry, Inc.)
Purpose: Application error tracking and performance monitoring
Sentry collects technical error information when issues occur in the App, including error messages, stack
traces, device information, IP addresses, and user interaction breadcrumbs. This helps us identify and
fix technical problems quickly.
- Privacy Policy: sentry.io/privacy
- Data Retention: 90 days
- Data Location: United States (EU hosting available)
- Compliance: GDPR with DPA
We may disclose information when required by law or to:
- Comply with legal processes or government requests
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Enforce our Terms of Service
In the event of a merger, acquisition, or sale of assets, customer information may be transferred as part of
the business transaction.
We collect and process personal information strictly in accordance with the following principles, consistent
with applicable laws including the Personal Information Protection Law (PIPL) of China, the GDPR, the CCPA,
and other applicable local data protection laws:
- Lawfulness, Legitimacy, and Necessity: We collect only the minimum data required for
App functionality.
- Purpose Limitation: Data is collected for specified, explicit purposes and not
processed in a manner incompatible with those purposes.
- Transparency: We inform users of what data is collected and why before or at the time
of collection.
- User Consent: Runtime permissions are requested at the moment they are needed, with a
clear explanation. Users may decline any permission.
- Data Minimization: We actively remove permissions from the APK that third-party
libraries may attempt to add (e.g., MANAGE_EXTERNAL_STORAGE is explicitly removed).
In the event of a security breach affecting your data, we will:
- Notify affected users within 72 hours of discovery
- Provide details about the nature and scope of the breach
- Outline remediation steps being taken
- Offer assistance and support as appropriate
If applicable, you have the right to:
- Request access to personal information we hold
- Request correction of inaccurate information
- Request deletion of personal information
- Object to processing of personal information
- Request data portability
- Withdraw consent for processing
- Opt out of AI-powered features at any time through account settings
To exercise your rights, contact us at: privacy@turnsapp.com
As a business customer, you control your end-customer data and can:
- Export customer data at any time
- Delete customer records from our system
- Manage customer communication preferences
- Control data sharing and processing settings
We retain your business account information for as long as:
- Your account remains active
- Required to provide Services
- Necessary for legal, tax, or regulatory compliance
- Typically 7 years after account closure for financial records
The App and its data practices are designed to comply with applicable data protection laws, including:
Personal Information Protection Law (PIPL) — People's Republic of China
We process personal information lawfully, for specified purposes, with minimum necessary scope, and
provide mechanisms for users to access, correct, and delete their data. We do not transfer personal data
of Chinese users internationally without an appropriate legal basis.
General Data Protection Regulation (GDPR) — European Union
Standard Contractual Clauses and Data Processing Agreements are in place with all international data
processors.
California Consumer Privacy Act (CCPA) — United States
Users have the right to know, delete, and opt-out of sale of personal information. We do not sell
personal information.
Digital Personal Data Protection Act (DPDPA) 2023 — India
Applicable to Indian market operations via our Razorpay integration.
Data Privacy Act of 2012 — Philippines
Applicable to Philippine market operations via our PayMaya integration.
The App is designed for business operators and their staff and is not intended for individuals under 18. We
do not knowingly collect personal information from minors. If you believe we have collected information from
a minor, please contact us immediately at privacy@turnsapp.com.
We may update this Privacy Policy periodically. We will notify you of material changes by:
- In-app notification on next login
- Email notification to your registered account
- Updated "Last Updated" date at the top of this policy
Continued use of the App after changes take effect constitutes acceptance of the updated Privacy Policy.