Privacy Policy

BEVLYPOS APPLICATION — PRIVACY POLICY

Effective Date: February 2, 2026 Last Updated: February 2, 2026 Version: 1.2

________________________________________

Published by Bevly | www.bevlypos.com | privacy@bevlypos.com

________________________________________

TABLE OF CONTENTS

1. Introduction and Scope

2. Who We Are

3. Definitions

4. Information We Collect

5. How We Collect Information

6. How We Use Your Information

7. How We Share Your Information

8. Data Retention

9. Data Security

10. Permissions Used by BevlyPOS

11. Third-Party SDKs and Services

12. Children’s Privacy

13. Your Privacy Rights

14. California Residents — CCPA/CPRA Rights

15. Account Deletion

16. Changes to This Privacy Policy

17. Contact Us

1. Introduction and Scope

Welcome to BevlyPOS, a point-of-sale and business management application developed and operated by Bevly (“Bevly,” “we,” “us,” or “our”). BevlyPOS is designed to help food and beverage operators, restaurateurs, bar owners, and hospitality businesses manage orders, inventory, staff, and customer engagement from a single, secure mobile platform.

BevlyPOS is intended exclusively for use within the United States. The App is not offered, advertised, or made available to users outside the United States, and Bevly does not knowingly collect personal information from individuals located outside the United States. This Policy is governed solely by applicable United States federal and state privacy laws.

This Privacy Policy (“Policy”) explains how Bevly collects, uses, discloses, retains, and protects information when you:

• Download and install the BevlyPOS mobile application (the “App”) from the Google Play Store;
• Register for and use a BevlyPOS merchant account;
• Use the App to manage orders, inventory, or communicate with customers;
• Interact with our website, customer support channels, or any related services we offer (collectively, the “Services”).

This Policy applies to:

• Merchant account holders and business administrators (“Merchants”);
• Employees and staff members who access BevlyPOS on behalf of a Merchant (“Authorized Users”);
• End customers of Merchants whose data is processed through the App (“End Customers”).

This Policy does not apply to:

• Third-party websites, applications, or services linked from within BevlyPOS, which are governed by their own privacy policies;
• Bevly’s other products or services not offered through the BevlyPOS App unless expressly stated.

By downloading, installing, or using BevlyPOS, you acknowledge that you have read and understood this Privacy Policy. If you are a Merchant using BevlyPOS to process the personal data of your End Customers, you acknowledge that you are acting as a data controller with respect to that End Customer data and that Bevly acts as a data processor on your behalf. You are responsible for ensuring your own compliance with applicable privacy laws in your use of our Services.

2. Who We Are

BevlyPOS is a product of Bevly, a brand operated by Cobalt Payments Inc., a corporation organized and operating under the laws of the United States. References to “Bevly,” “we,” “us,” or “our” throughout this Policy refer to Cobalt Payments Inc.

Cobalt Payments Inc. (operating as Bevly)

Attn: Privacy & Legal Department

2264 Silas Deane Hwy Suite 105

Rocky Hill, CT 06067

Privacy Contact: privacy@bevlypos.com

General Inquiries: support@bevlypos.com

Phone: +1-860-270-0552

Website: www.bevlypos.com

Cobalt Payments Inc. is the legal entity responsible for processing personal information collected through the BevlyPOS application and related Services.

For the purposes of this Policy, the following terms have the meanings set forth below:

Term Definition:

Personal Data / Personal Information Any information that identifies, relates to, describes, or is reasonably capable of being associated with an identified or identifiable individual.

Sensitive Personal Information A subset of personal data including government-issued ID numbers, precise geolocation, biometric data, health information, and similar categories requiring heightened protection.

Merchant A business entity or individual that has created a BevlyPOS account to use our point-of-sale and business management services.

Authorized User An employee, contractor, or agent of a Merchant who accesses BevlyPOS using credentials provided by or on behalf of the Merchant.

End Customer A consumer who conducts a transaction with a Merchant through or in connection with BevlyPOS.

Processing Any operation performed on personal data, including collection, recording, storage, use, disclosure, transmission, or deletion.

Data Controller The entity that determines the purposes and means of processing personal data.

Data Processor The entity that processes personal data on behalf of a data controller.

Services The BevlyPOS application, related web portals, APIs, customer support, and any other offerings provided by Bevly under the BevlyPOS brand.

4. Information We Collect

We collect different categories of information depending on your relationship with BevlyPOS (Merchant, Authorized User, or End Customer). We collect only what is necessary to deliver our Services effectively.

4.1 Merchant and Authorized User Account Information

When a Merchant registers for BevlyPOS or when an Authorized User is added to an account, we collect:

• Identity Information: Full legal name, business name (DBA), business type, and role within the organization.
• Contact Information: Business email address, phone number, business mailing address, and billing address.
• Business and Tax Information: Employer Identification Number (EIN) or Tax Identification Number (TIN), business license information, and other documentation required for identity verification or regulatory compliance.
• Account Credentials: Username, hashed and salted password, and multi-factor authentication data.
• Profile and Preference Data: App settings, notification preferences, custom configurations, and role-based permissions set within the App.

4.2 Operational and Sales Data

In the normal course of operating the BevlyPOS system, we collect:

• Sales and Order Records: Itemized sales data, order amounts, timestamps, refund history, void records, and tip data recorded at the point of sale.
• Inventory Data: Product names, SKUs, prices, stock levels, supplier information, and category assignments entered by Merchants.
• Employee Management Data: Authorized User names, job roles, clock-in/clock-out times, sales performance metrics, and permissions configured by Merchants.
• Customer Loyalty and Profile Data: If a Merchant enables loyalty or customer management features, we may collect End Customer names, email addresses, phone numbers, purchase history, and loyalty point balances, subject to Section 4.4 below.
• Order and Menu Data: Table assignments, order modifications, order status updates, and custom menu configurations.

4.3 Device and Technical Information

When you access BevlyPOS on a mobile device or connected hardware, we automatically collect certain technical information, including:

• Device Identifiers: Android Device ID, advertising ID (if applicable), and hardware identifiers associated with the device running the App.
• Device Information: Device manufacturer, model, operating system version, app version, screen resolution, and network type (Wi-Fi/cellular).
• Log Data: IP address, access times, pages or screens viewed, App errors, crash reports, and diagnostic data.
• Network Information: Information about connected peripheral devices, including Bluetooth or Wi-Fi connected printers, cash drawers, and barcode scanners.
• Location Information: If you grant permission, we may collect approximate or precise GPS location for the purpose of identifying the venue address for receipt generation, tax jurisdiction determination, or operational features. Location is not collected in the background when the App is not in active use unless you have explicitly enabled a specific feature requiring it.

4.4 End Customer Data (Processed on Behalf of Merchants)

When a Merchant uses BevlyPOS to interact with or serve their customers, Bevly may process End Customer personal data as a data processor on the Merchant’s behalf. This may include:

• Names and contact information provided for digital receipts or loyalty programs;
• Email addresses for digital receipt delivery and order notifications;
• Phone numbers for order notifications or loyalty communications;
• Purchase history and order preferences.

Merchants are responsible for obtaining all necessary consents and providing appropriate privacy notices to their End Customers as required by applicable law. Merchants should refer to the BevlyPOS Merchant Data Processing Agreement (DPA), which governs Bevly’s obligations as a data processor in relation to End Customer data.

4.5 Support and Communications Data

When you contact our customer support team or communicate with us, we collect:

• The content of your communications (emails, chat transcripts, support tickets);
• Your name, contact information, and account details used to identify you;
• Information about the technical issue or business question you are raising.

4.6 Information from Third Parties

We may receive information about you from third parties, including:

• Identity Verification Services: Information from identity screening providers used during merchant onboarding to confirm business legitimacy;
• Analytics Providers: Aggregated or de-identified usage data to help us understand App performance and improve our Services.

5. How We Collect Information

We collect information:

• Directly from you, when you register an account, input data into the App, contact support, or otherwise provide information to us.
• Automatically, through the App as you use it, via crash reporting tools, analytics SDKs, and device APIs.
• From your hardware and peripherals, when BevlyPOS communicates with connected printers, barcode scanners, or other POS hardware.
• From third-party service providers, including identity verification providers and analytics platforms, where such data sharing is necessary to provide the Services.

We do not collect information through background processes or device sensors that are not reasonably necessary for the stated purposes of the App, and we do not use deceptive or hidden mechanisms to collect your data.

6. How We Use Your Information

We use the information we collect for the following purposes:

6.1 Providing and Operating BevlyPOS

• Managing inventory, menus, and orders on behalf of Merchants;
• Enabling staff management, clock-in/clock-out, and role-based access controls;
• Generating sales reports, analytics dashboards, and operational summaries for Merchants;
• Connecting with approved hardware peripherals (receipt printers, barcode scanners, cash drawers);
• Generating digital and printed receipts and order summaries.

6.2 Account Management and Authentication

• Creating and managing Merchant and Authorized User accounts;
• Authenticating user identity and enforcing role-based permissions;
• Delivering multi-factor authentication prompts;
• Recovering accounts at the request of verified users.

6.3 Compliance, Security, and Fraud Prevention

• Verifying Merchant identity during onboarding to comply with applicable legal obligations;
• Detecting and preventing unauthorized access, misuse, and security breaches;
• Responding to legally required disclosures, subpoenas, court orders, or law enforcement requests;
• Complying with applicable federal, state, and local laws and regulations.

6.4 Customer Support

• Diagnosing and resolving technical issues;
• Responding to support tickets, inquiries, and complaints;
• Improving our support documentation and training materials.

6.5 App Improvement and Analytics

• Analyzing usage patterns to improve App design, performance, and features;
• Conducting internal research and product development;
• Diagnosing and fixing App crashes and bugs;
• Measuring feature adoption and user engagement.

All analytics activities are conducted using aggregated or de-identified data wherever practicable. We do not use individual behavioral analytics to serve targeted advertising within the BevlyPOS App.

6.6 Communications and Notifications

• Sending transactional and operational notifications (e.g., order confirmations, low-inventory alerts, and security notifications);
• Providing product updates, new feature announcements, and important policy changes;
• Sending optional marketing communications where you have consented to receive them (you may opt out at any time; see Section 15).

6.7 Legal and Regulatory Obligations

• Maintaining sales and operational records as required by law;
• Cooperating with regulatory authorities and law enforcement as legally required;
• Enforcing our Terms of Service and other agreements.

7. How We Share Your Information

7.1 Service Providers

7.2 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of Bevly’s assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent in-App notice before your personal information becomes subject to a different privacy policy.

7.3 Legal Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

• • Comply with a legal obligation, court order, or governmental request;
• • Enforce our Terms of Service or other agreements;
• • Protect the rights, property, or safety of Bevly, our Merchants, Authorized Users, End Customers, or the public;
• • Investigate, prevent, or take action against suspected fraud, illegal activity, or violations of our policies.

7.4 With Your Consent

We will share your information with additional third parties where you have provided explicit consent for us to do so.

7.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information — from which individual identities cannot reasonably be reconstructed — with business partners, researchers, or the public for industry analytics, reporting, or benchmarking purposes.

Where we rely on Legitimate Interests, we have assessed that our interests are proportionate and do not override your fundamental rights and freedoms. You may request details of this balancing assessment by contacting us at privacy@bevlypos.com.

Where we rely on Consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent will not affect your ability to use the core features of BevlyPOS.

8. Data Retention

We retain personal information only for as long as is necessary to fulfill the purposes for which it was collected, comply with applicable legal obligations, resolve disputes, and enforce our agreements.

Bevly does not sell your personal information to third parties. We do not share your information for third-party advertising purposes. We share information only as described below.

8.1 Service Providers and Subprocessors

We engage trusted third-party companies to assist us in operating BevlyPOS and delivering the Services. These providers are permitted to access your personal data only to the extent necessary to perform their functions and are contractually bound to maintain appropriate security and confidentiality standards. Categories of service providers include:

Cloud hosting and infrastructure providers (e.g., data storage and compute services);

• Identity verification providers;
• Crash reporting and analytics services;
• Customer support platforms;
• Email and communications delivery providers;
• Security and fraud detection services.

A current list of our key subprocessors is available upon request at privacy@bevlypos.com.

8.2 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of Bevly’s assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent in-App notice before your personal data becomes subject to a different privacy policy.

8.3 Legal Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with a legal obligation, court order, or governmental request;
• Enforce our Terms of Service or other agreements;
• Protect the rights, property, or safety of Bevly, our Merchants, Authorized Users, End Customers, or the public;
• Investigate, prevent, or take action against suspected fraud, illegal activity, or violations of our policies.

8.4 With Your Consent

We will share your information with additional third parties where you have provided explicit consent for us to do so.

8.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information — from which individual identities cannot reasonably be reconstructed — with business partners, researchers, or the public for industry analytics, reporting, or benchmarking purposes.

9. Data Security

Bevly employs commercially reasonable and industry-standard technical, administrative, and physical safeguards to protect your personal information against unauthorized access, loss, disclosure, alteration, or destruction. Our security measures include:

• Encryption in transit: All data transmitted between BevlyPOS and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Sensitive data stored in our databases is encrypted using AES-256 or equivalent standards.
• Access controls: Access to production systems and personal information is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication.
• Vulnerability management: We conduct regular security assessments, penetration testing, and vulnerability scans of our infrastructure and application.
• Incident response: We maintain a documented data breach response plan and will notify affected users and regulators in accordance with applicable US breach notification laws.
• Employee training: All Bevly employees who handle personal information are trained on data privacy and security practices.

No system is completely secure. While we work diligently to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for ensuring that your devices are protected with appropriate access controls. Notify us immediately at security@bevlypos.com if you suspect unauthorized access to your account.

10. Permissions Used by BevlyPOS

BevlyPOS requests only the device permissions that are necessary to deliver its core features. Below is a transparent disclosure of each permission the App requests and why:

We do not request access to your contacts, call logs, SMS messages, photos, microphone, or any other device resources not listed above. If we update the permissions used by BevlyPOS, we will update this Policy and, where required by applicable platform policies, prompt you for new permission consent.

11. Third-Party SDKs and Services

BevlyPOS integrates third-party software development kits (SDKs) and APIs to deliver certain features. As the developer of BevlyPOS, Bevly is responsible for ensuring that third-party code within our App complies with applicable privacy standards and Google Play Developer Program Policies. The following third-party services may process certain personal information as described:

Bevly reviews the privacy and data handling practices of all third-party SDKs before integration and requires all providers to adhere to data protection standards consistent with applicable US law. We do not include advertising SDKs in BevlyPOS and do not permit third-party SDKs to use your personal information for their own independent marketing purposes.

12. Children’s Privacy

BevlyPOS is a professional business management tool intended exclusively for use by adults (18 years of age or older) operating or working within commercial food and beverage establishments in the United States. The App is not directed at, designed for, or marketed to children under the age of 13 as defined under the Children’s Online Privacy Protection Act (COPPA).

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and you believe that a minor has provided personal information to us through BevlyPOS, please contact us immediately at privacy@bevlypos.com. We will promptly investigate and, if confirmed, delete such information without undue delay in accordance with COPPA requirements.

13. Your Privacy Rights

Regardless of your state of residence, Bevly respects the following baseline rights with respect to your personal information:

• Right to Access: You may request a copy of the personal information we hold about you.
• Right to Correction: You may request that we correct inaccurate or incomplete information we hold about you.
• Right to Deletion: You may request that we delete your personal information, subject to applicable legal retention obligations (see Section 8).
• Right to Opt Out of Marketing: You may unsubscribe from marketing communications at any time by clicking the “Unsubscribe” link in any marketing email or by contacting us at privacy@bevlypos.com.

To exercise any of these rights, please submit a request to privacy@bevlypos.com. We will respond within the timeframe required by applicable law (generally 30–45 days). We may need to verify your identity before processing your request to protect your account security. We will not discriminate against you for exercising your privacy rights.

California residents have additional rights described in Section 14 below.

14. California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following additional rights. References to “personal information” in this section have the meaning given under California law.

14.1 Categories of Personal Information Collected

In the preceding 12 months, Bevly has collected the following categories of personal information:

14.2 Purposes for Collection

We collect the above categories of personal information for the operational, legal, and service-related purposes described in Section 6 of this Policy.

14.3 Disclosure and Sale of Personal Information

Bevly does not sell your personal information within the meaning of the CCPA/CPRA. Bevly does not share your personal information with third parties for cross-context behavioral advertising.

14.4 Sensitive Personal Information

We collect government identification numbers solely for the purpose of verifying Merchant identity during onboarding, as required by applicable legal and regulatory obligations. We do not use sensitive personal information for any purpose not permitted under the CCPA/CPRA or beyond what is reasonably necessary to provide BevlyPOS.

14.5 Your California Rights

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the purposes for which it was collected, and the categories of third parties with whom it was shared.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, security needs).
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt Out of Sale/Sharing: Although we do not sell or share personal information for advertising, you may exercise this right by contacting us at privacy@bevlypos.com.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of your sensitive personal information to the purposes described in Section 14.4 above.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

14.6 How to Submit a California Privacy Request

To submit a request to know, delete, or correct, please contact us:

• Email: privacy@bevlypos.com (with subject line: “California Privacy Request”)
• Web form: bevlypos.com/bevlypos-privacy-policy

We will verify your identity before processing your request. We will respond within 45 calendar days of receipt, with a potential extension of up to an additional 45 days where reasonably necessary with prior notice.

14.7 Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf. We will require written proof of authorization and may require direct verification from the consumer.

15. Account Deletion

Bevly is committed to giving users meaningful control over their data. In compliance with Google Play Developer Policy requirements:

15.1 In-App Account Deletion

Merchants and Authorized Users can initiate account deletion directly within the BevlyPOS App by navigating to:

Settings → Account → Delete Account

15.2 Account Deletion via Website

Merchants and Authorized Users may also request account deletion by:

• Visiting: www.bevlypos.com/account/delete
• Emailing: privacy@bevlypos.com with the subject line “Account Deletion Request”

15.3 Effect of Account Deletion

Upon confirmed account deletion:

• Your personal account profile, preferences, and non-required historical data will be permanently deleted within 30 days of the confirmed request.
• Sales and operational records will be retained for the period required by applicable law (generally 7 years) for tax, legal, and compliance purposes before being permanently deleted.
• End Customer data under a Merchant account will be deleted in accordance with the applicable retention schedule in Section 8.

A confirmation of deletion will be sent to the email address associated with your account.

16. Changes to This Privacy Policy

Bevly may update this Privacy Policy from time to time to reflect changes in our data practices, App features, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the “Last Updated” date at the top of this Policy;
• Provide prominent notice within the App (e.g., an in-App notification or banner); and
• Where required by applicable law, obtain your renewed consent.

We encourage you to review this Policy periodically. Your continued use of BevlyPOS after the effective date of any updated Policy constitutes your acknowledgment of the changes. If you disagree with any material changes, your recourse is to discontinue use of the App and request account deletion in accordance with Section 15.

The most current version of this Policy will always be available at: www.bevlypos.com/legal/privacy-policy

17. Contact Us

We value your trust and are committed to being responsive to your privacy questions and concerns. If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us through any of the following channels:

Privacy Requests & Inquiries

Email: privacy@bevlypos.com | Subject: BevlyPOS Privacy Inquiry

Data Security Concerns

Email: security@bevlypos.com

General Customer Support

Email: support@bevlypos.com

In-App: Settings → Help → Contact Support

Website: www.bevlypos.com/support

Mail

Cobalt (operating as Bevly)

Attn: Legal

2264 Silas Deane Hwy Suite 105

Rocky Hill, CT 06067 United States