Privacy Policy

How CuePoint collects, uses, and protects your personal data.

Effective: April 30, 2026  ·  Last updated: June 4, 2026

Related pages:

1. Who We Are

CuePoint (“CuePoint,” “we,” “us,” or “our”) is operated from the Philippines, with principal place of business at:

Barangay 22 San Guillermo, San Nicolas, 2900 Ilocos Norte, Philippines

Contact:

For the personal data of account owners and staff, CuePoint acts as the data controller.

For personal data of end customers (hall visitors and customers entered by Tenants into the platform), each Tenant is the data controller andCuePoint acts as a data processor on the Tenant's behalf. Tenants' data processing obligations are described in the Data Processing Addendum.

2. Data We Collect

2.1 Account Owners (Tenants)

  • Full name
  • Email address
  • Password (stored as a one-way hash; we never store plain-text passwords)
  • Business name, address, phone number
  • TIN (Tax Identification Number) and VAT registration status (for receipt generation)
  • Subscription and billing records (amounts, plan, billing interval, payment references; full card details are handled by our payment processor and are not stored by CuePoint)
  • Account settings and preferences (timezone, currency, operating hours)

2.2 Staff Users

  • Full name
  • Email address
  • Role and access level assigned by the Tenant owner
  • Password (stored as a one-way hash)
  • Shift clock-in/clock-out records
  • Action history (audit logs tied to that user's account)

2.3 End Customers (Hall Visitors — Entered by Tenants)

Tenants may enter their customers' information into CuePoint. This data is processed by us on behalf of the Tenant. It may include:

  • Name
  • Phone number (optional)
  • Notes (optional, free-text entered by Tenant staff)
  • Table session and visit history
  • Transaction and payment records (amounts, methods — no card data)
  • Membership and loyalty point records
  • Reservation records

2.4 Technical and Usage Data

  • IP addresses (used for rate limiting and security purposes)
  • Browser type and session metadata (via standard web server logs)
  • tRPC request metadata for performance monitoring (no input payloads logged)

On our marketing website (www.cuepoint.cloud), we use analytics and session-analytics cookies only after you accept them via our cookie banner. You can decline, in which case no analytics tracking occurs. We use Google Analytics (to measure site usage) and Microsoft Clarity (which provides heatmaps and session replays of how visitors interact with the site). These tools are not used on the application (app.cuepoint.cloud), which remains free of advertising and behavioral tracking. For the full list of cookies, their purposes, and durations, see our Cookie Policy.

2.5 Children's Data

CuePoint is a business tool intended for billiard hall operators and their staff. It is not directed to children, and we do not knowingly collect personal data directly from children.

Account holders must be at least 18 years old. Where a Tenant invites staff who are minors under local law, the Tenant is responsible for obtaining any consent required to create and manage that staff member's account.

Tenants may record limited information about their own customers, who may include minors who visit the hall. Tenants are the data controllers for that information and are responsible for establishing a lawful basis and obtaining any parental or guardian consent required under applicable law before entering a minor's data into CuePoint. Tenants must not enter sensitive data about minors beyond what is reasonably necessary for hall operations.

If you believe a child's personal data has been entered into CuePoint without the required consent, contact legal@cuepoint.cloud and we will work with the relevant Tenant to address it.

3. How We Use Your Data

  • To create and maintain your account and provide the CuePoint service.
  • To process your subscription, billing arrangements, checkout recovery, and subscription status changes.
  • To provide customer support and respond to your inquiries.
  • To send transactional communications (account-related notifications).
  • To enforce our Terms of Service and Acceptable Use Policy.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.
  • To improve and develop the platform (using aggregate, non-identifiable usage patterns).

4. Legal Basis for Processing

Under applicable privacy laws and general privacy principles, we process personal data on the following bases:

  • Contractual necessity — for account owners and staff, processing is necessary to provide the service you have subscribed to.
  • Legitimate interests — for security, fraud prevention, and service improvement, where your interests and rights are not overridden by ours.
  • Compliance with a legal obligation — where required by applicable law.
  • Consent — where explicitly obtained and documented (e.g., optional communications).

For end-customer data processed on behalf of Tenants, the Tenant is responsible for establishing and documenting an appropriate legal basis for collecting and entering that data into CuePoint.

5. Data Sharing and Sub-Processors

We do not sell your personal data. We share data only with the following categories of third parties, and only as necessary to provide the service:

  • Paddle — Our Merchant of Record for paid subscription billing. Paddle processes your billing information (name, email address, payment method, and subscription amounts) to complete transactions, collect applicable taxes, and issue billing receipts. Paddle operates under its own Privacy Policy. Full card details are handled and stored solely by Paddle — CuePoint does not receive or store your card number, CVV, or expiry date.
  • Cloudflare (Turnstile) — Bot and spam prevention on registration. Cloudflare processes the security-check token only; it does not receive your account data. See Cloudflare's privacy policy at cloudflare.com.
  • Hosting providers — The platform runs on cloud infrastructure provided by Vercel, Supabase, and Upstash. Your data is stored on their servers and subject to their data security commitments.
  • Database and cache infrastructure — Managed PostgreSQL and Redis instances used for data storage and session management.

We do not share personal data with advertisers, marketing platforms, or data brokers.

6. International Data Transfers

CuePoint uses managed cloud infrastructure that may be hosted in multiple provider regions. Where data is transferred internationally, we take reasonable steps to ensure it is protected in accordance with applicable privacy laws.

7. Data Retention

We retain personal data for as long as your account remains active plus a reasonable post-termination period to allow for reactivation or dispute resolution.

  • Active account data — retained for the duration of your subscription.
  • Post-cancellation — When an account is cancelled or terminated, we keep your live-system data for a 90-day period to allow reactivation and dispute resolution. Within the first 30 days of that period you may request full recovery of your account. After the 90-day period, live-system data is deleted or anonymized. Backup copies may persist until they expire under the backup schedule below.
  • Backup data — automated database backups are retained for up to 3 months under our backup schedule (7 daily copies, 4 weekly copies, 3 monthly copies). Deletion requests are applied to live data immediately but may persist in backups until those backups expire according to that retention schedule.
  • Billing records — retained for 7 years for accounting, dispute handling, and legal compliance.

8. Security Measures

We implement reasonable technical and organizational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit.
  • Passwords stored as one-way bcrypt hashes.
  • Multi-tenant database isolation using row-level security policies.
  • Role-based access control so staff only access data within their permission level.
  • Automated database backups with documented retention and recovery procedures.
  • Rate limiting on authentication and sensitive endpoints.

No security system is 100% impenetrable. In the event of a data breach that is likely to harm affected individuals, we will notify affected users and regulators where required by applicable law.

Authorized personnel may access personal data where reasonably necessary to provide support you request, investigate security or abuse incidents, maintain the service, or comply with law. Such access is limited to what is necessary and is subject to confidentiality obligations and audit logging.

9. Your Privacy Rights

Depending on where you are located, you may have the following rights:

  • Right to be informed — to know that your data is being collected and how it is used.
  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure or blocking — to request deletion or restriction of processing where the data is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to object — to object to processing of your data in certain circumstances.
  • Right to data portability — to receive a copy of your data in a structured, commonly used format.
  • Right to file a complaint — with the relevant privacy or data protection authority in your jurisdiction.

To exercise any of these rights, contact our privacy team at legal@cuepoint.cloud. We will respond within 15 business days unless a longer period is required by the complexity of the request.

10. Regulatory Registration

Some jurisdictions require data controllers or processors to register with a regulator once certain processing thresholds are met. CuePoint will assess its registration obligations as the service grows and will register where required by law. We recommend seeking legal counsel on whether registration is required for your expected data processing volume.

11. Receipts and Tax Compliance

Receipts generated by CuePoint for table sessions and POS transactions are operational records only. They are not tax authority-certified official receipts or invoices. Tenants who require official fiscal receipts must maintain a separate compliant receipting system. We recommend consulting a tax professional regarding fiscal receipt obligations before relying on CuePoint receipts as official fiscal documents.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or in-app notification and update the “Last updated” date at the top of this page. Continued use of CuePoint after the effective date of changes constitutes your acceptance of the updated policy.

13. Contact

For privacy inquiries, data access requests, or to exercise your privacy rights:

Data Protection Officer. CuePoint has designated a Data Protection Officer (DPO) responsible for overseeing compliance with applicable data protection law, including the Philippine Data Privacy Act of 2012. You may contact the DPO at dpo@cuepoint.cloud.