HIVE is built on data minimization, operator-controlled access, and full audit transparency. We never sell vendor revenue data and enforce strict compliance with global privacy regulations.
Vendors authorize read-only OAuth access to their POS systems. HIVE never writes to vendor POS data, modifies transactions, or stores card or payment credentials.
AES-256 encryption at rest and TLS 1.3 in transit. All transaction data and GMV records are encrypted end-to-end between POS provider accounts and HIVE servers.
Full compliance with the General Data Protection Regulation including data portability, right to access, right to erasure, and breach notification requirements.
Canadian privacy law compliance with proper consent management and data handling. Supabase data residency options available for Canadian operators.
Verified transaction records retained for the duration of your lease agreement plus 7 years for audit compliance. Operators can request data exports or deletion upon contract end.
24-hour breach notification protocol with automated detection, impact assessment, and regulatory reporting to affected operators and vendors.
Canadian operators can elect Supabase Canadian data residency. All data remains within the selected region. Enterprise operators can specify residency requirements.
Immutable audit trail for all settlement calculations, GMV verifications, and data access events. Exportable for lease compliance and regulatory review.
Full transparency on data collection, storage, retention, and sharing practices.
| Category | Collected | Stored As | Retention | Shared |
|---|---|---|---|---|
| Vendor GMV Data | Transaction-level gross sales via read-only OAuth | Encrypted verified transaction records | Lease term + 7 years | With authorized operator accounts only |
| POS Credentials | OAuth tokens (read-only) | Encrypted token vault | Until vendor revokes access | Never |
| Settlement Records | Calculated GR and royalty amounts | Encrypted ledger entries | Lease term + 7 years | Operator and vendor parties to lease only |
| Operator Data | Lease terms, vendor roster, venue config | Encrypted business storage | Account lifetime + 30 days | With authorized operator team members |
| Stripe Payment Data | Disbursement metadata (no card data) | Stripe-held; HIVE stores reference IDs only | Per Stripe data policy | Stripe Connect parties only |
Operators and vendors can request a full export of verified GMV records, settlement history, and audit logs in machine-readable format at any time.
Vendors can revoke HIVE's OAuth access to their POS system at any time through HIVE BIZ. Data collection stops immediately upon revocation.
Upon contract end, operators and vendors may request deletion of all data not required for statutory retention. Deletion completed within 30 days.
Privacy inquiries and data requests can be directed to privacy@hivecertified.com. We respond to all verified requests within 5 business days.
HIVE is built on a SOC 2 Type II ready architecture, conducts annual third-party penetration testing, and implements OWASP Top 10 security practices across all systems.