small-kds — Privacy Policy
Effective date: 4 July 2026
This Privacy Policy explains how we handle information in connection with the small-kds application (the "App") and the small-kds website and licensing service at smallkds.com (together, the "Service").
The Service is operated by Cann River Hospitality Pty Ltd (ABN 43 667 030 051), a company incorporated in Australia ("we", "us", "our"). The App is published on Google Play by Pizza Investment Group Pty Ltd, a related company within the same corporate group; Cann River Hospitality Pty Ltd is the entity responsible for the Service and for the handling of information described in this policy.
small-kds is a business tool that turns an Android tablet into a live kitchen display ("KDS") for merchants who use Square. It is intended for use by businesses and their staff, not by consumers in a personal capacity.
Not affiliated with Square. small-kds is an independent product. It is not affiliated with, endorsed by, or sponsored by Square or Block, Inc. "Square" is a trademark of Block, Inc.
1. Summary (the short version)
- The App reads your own Square order data solely to display it on your kitchen screen(s). We do not store your order content on our servers.
- Your authentication credentials and chosen Square location are stored securely on your device, not by us.
- Our licensing service stores only what is needed to run your subscription (your Square location, subscription status and dates, and limited account and subscription information).
- Payments are processed by a third-party payment processor. We never receive or store your full card details.
- No advertising. No third-party analytics or tracking SDKs. We do not sell your personal information.
- Information is encrypted in transit using industry-standard measures.
The rest of this policy sets out the detail.
2. Information we handle
2.1 Square connection data (stored on your device)
When you connect the App to your Square account, the App stores the following securely on the device only:
- your authentication credentials for Square; and
- the Square location you choose to display.
This information is used to authenticate to Square and to determine which location's orders to display. It remains on the device until you log out or uninstall the App, and we do not transmit or store these values on our servers.
2.2 Square order data (read to display, not retained by us)
To show your kitchen tickets, the App reads order and related data from your own Square account. This data can include order line items, ticket/order identifiers, timing, and any notes or customer-supplied details that your Square account attaches to an order.
The App uses this data only to display it on your screen(s) with aging timers, and holds it transiently on the device for that purpose. We do not send your order content to our servers and we do not retain it. To the extent this data includes personal information of your own customers, you (the merchant) control it; the App simply displays it to you (see section 6, controller/processor roles).
2.3 Subscription and licensing data
Access to the board is gated per Square location by an active subscription. Our licensing service, operated for us by our service provider(s), stores a small record for each licensed location containing:
- the Square location;
- subscription status and entitlement/period dates (including any complimentary or prepaid grant period);
- timestamps (created/updated); and
- limited account and subscription information once the location has subscribed.
This record exists to determine whether a location is entitled to use the App. It does not contain your Square order content, and the account and subscription information we hold does not include your card numbers.
2.4 Payment data (handled by our payment processor)
Subscriptions are billed through a third-party payment processor. When you subscribe or manage your subscription, you interact with the payment processor's checkout and customer portal. The payment processor collects and processes your payment details (for example card information and billing details) under its own privacy policy and terms. We never receive or store your full payment card details. We receive from the payment processor only the limited account, subscription-status, and reference information described in section 2.3.
2.5 Technical and connection data
Because the Service operates over the internet, our service providers may process limited technical data incidental to delivering the Service — for example IP addresses, request metadata, and standard server logs used for security, fraud prevention, and reliability. We do not use this data to build advertising or marketing profiles.
2.6 Communications
If you email us (for example at [email protected]), we receive your email address and the contents of your message, and use them to respond to and administer your request.
2.7 What the App does not collect
The App does not contain advertising, and does not include third-party analytics or tracking SDKs. The App does not access your device location, contacts, camera, microphone, photos, or SMS. It uses only the network/internet and screen wake-lock (to keep the board awake) permissions needed to function.
2.8 We do not sell your information
We do not sell your personal information, and we do not share it for cross-context behavioural advertising.
3. How we use information
We use the information above to:
- authenticate the App to your Square account and display your orders;
- provide, maintain, and secure the Service;
- operate your subscription — verify entitlement and process billing through our payment processor;
- respond to your support requests and communicate with you about the Service;
- detect, prevent, and address fraud, abuse, security, and technical issues; and
- comply with our legal, tax, and accounting obligations.
4. Legal bases (for EU/UK customers)
Where the EU General Data Protection Regulation (GDPR) or the UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service and administer your subscription;
- Legitimate interests — to secure the Service, prevent fraud and abuse, and operate our business (balanced against your rights);
- Legal obligation — to keep records we are required by law to retain; and
- where we act on your instructions in respect of your own Square data, we process that data on your behalf (see section 6).
5. Who we share information with
We share information only with the following categories of recipients, and only as needed to run the Service:
- Square / Block, Inc. — the App communicates with Square using your credentials to read your order data. Your use of Square is governed by your own agreement with Square.
- Our payment processor — handles subscription billing and payment data.
- Our service providers — host our licensing service and website and provide supporting infrastructure.
- Professional advisers, and authorities where legally required — for example if we are compelled by law, or need to establish, exercise, or defend legal claims.
We do not otherwise disclose your information to third parties for their own purposes.
6. Controller and processor roles
- Your Square order data: You (the merchant) are the controller of your Square account and its order data, including any personal information of your own customers. When the App reads and displays that data, it does so on your behalf and on your instruction, and does not retain it on our servers. If your customers have questions about how their information appears in your orders, those questions are for you as the merchant to address.
- Subscription and account data: For the subscription/licensing record and your communications with us, we are the controller.
7. International data transfers
We are based in Australia. Our service providers are global organisations and may process data in countries other than your own, including the United States. Where personal information is transferred across borders, we and our providers rely on appropriate safeguards where required (for example the applicable Standard Contractual Clauses and the providers' own transfer mechanisms). By using the Service you understand that your information may be processed in these locations.
8. Data retention
- On-device data (authentication credentials and location): retained on your device until you log out or uninstall the App, at which point it is cleared from the device.
- Square order data: never stored on our servers. It is read from your own Square account and held only transiently on your device to render the board; it is not written to, or retained in, our systems at any time.
- Subscription/licensing record: our licensing service keeps a record for a location only while that location has an active or complimentary subscription. When a subscription ends, the corresponding record is deleted from our licensing service. After that deletion, the only billing-related information that remains is (a) limited references held by our third-party payment processor under its own policies, and (b) entries in our own financial and accounting records that we are required by Australian tax law to keep — typically for up to around five years. Those records are kept for tax and accounting compliance, not to operate the App.
- Payment records held by our payment processor are retained under its own policies.
9. Security
- We use industry-standard measures to protect information in transit, including encryption.
- Your authentication credentials are stored securely on your device rather than on our servers, which reduces their exposure.
- We do not hold your full payment card details; those are handled by our payment processor.
No method of transmission or storage is completely secure. Because your credentials are stored on the device, you should protect the device itself — for example with a screen lock and standard device security — and use Log out on any device you no longer control. If you believe your credentials or a device have been compromised, log out and, where relevant, rotate/revoke access from your Square account.
10. Children's privacy
The Service is a business tool and is not directed to children. It is not intended for use by anyone under 18, and in particular is not directed to children under 13 (as defined by the U.S. Children's Online Privacy Protection Act) or under 16 (the digital-consent age under the GDPR). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
11. Your privacy rights and how to exercise them
Depending on where you live, you may have rights to access, correct, delete, object to or restrict the processing of your personal information, to data portability, and to withdraw consent. To exercise these rights:
- On-device data: use Log out in the App (this clears the stored credentials, location, and cached entitlement) and/or uninstall the App.
- Subscription/billing data: manage or cancel your subscription anytime through the subscription management portal on the web at smallkds.com/account, or email us. (The App's Account screen displays your subscription status; it does not process billing.)
- Requests to us: contact [email protected] or [email protected]. We will verify and respond to your request as required by applicable law. Some information may be retained where we are legally required or permitted to keep it (see section 8).
- Your customers' data in your orders: because that data belongs to your Square account, please direct such requests to you as the merchant; we will assist you as processor where appropriate.
If you are in the EU/UK and are not satisfied with our response, you may lodge a complaint with your local data protection authority. If you are in Australia, you may contact the Office of the Australian Information Commissioner (OAIC).
12. Australian Privacy Act note
We handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This includes collecting only what we need, keeping it secure, being transparent about our handling, and giving you access and correction rights. Regardless of whether the small-business exemption under the Privacy Act would otherwise apply to us, we voluntarily commit to handling personal information in line with the APPs as described in this policy.
13. EU/UK GDPR note
If you are in the European Economic Area or the United Kingdom, the GDPR / UK GDPR applies to our processing of your personal information as described above. Our legal bases are set out in section 4, your rights in section 11, and our international-transfer approach in section 7. For most of your Square order data we act as a processor on your behalf (section 6). You can reach us directly using the contact details in section 15. To the extent we are required under Article 27 GDPR to designate a representative in the EU or UK, we will provide that representative's details on request via [email protected].
14. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and, where appropriate, provide additional notice (for example on smallkds.com or in the App). Your continued use of the Service after an update takes effect means you accept the revised policy.
15. Contact us
Cann River Hospitality Pty Ltd (ABN 43 667 030 051) General: [email protected] Support and privacy requests: [email protected] Website: smallkds.com Registered office: 5/12 Rohs Road, East Bendigo VIC 3550, Australia