Privacy Policy
Yolo Rollo Kitchen Display & Analytics Suite
Effective Date: May 21, 2026
Last Updated: May 21, 2026
This Privacy Policy explains how Jiapeng Chen, an individual sole-proprietor developer doing business as Yolo Rollo ("we", "us", or "our"), collects, uses, stores, and shares personal information when you or your authorized employees use the Yolo Rollo Kitchen Display & Analytics Suite (the "Software"), including its Clover App Market integration, the web-based Kitchen Display System, the back-office administration site, and the native iOS / iPadOS / macOS Kitchen Display application.
This Policy is incorporated by reference into the End User License Agreement. Capitalized terms not defined here have the meaning given in that Agreement.
1. Scope
The Software is a single-merchant operations tool. It is installed by an individual restaurant ("Merchant") from the Clover App Market and is used by the Merchant's owners, managers, and kitchen / front-of-house staff ("Authorized Users") to run that restaurant. We do not market the Software to consumers and we do not knowingly process the personal information of the Merchant's guests, except to the limited extent that Clover surfaces it to us as described in Section 2.
If you are a guest of the Merchant whose information you believe has been processed by the Software, please contact the Merchant directly; we generally act as a service provider or processor on the Merchant's behalf and will refer you to the Merchant.
2. Information We Collect
2.1 Data Received from Clover
When the Merchant installs the Software through the Clover App Market, the Merchant authorizes us, via OAuth and Clover webhooks, to receive the following categories of data about the Merchant's business operations:
- Merchant account metadata: Clover merchant ID, business name, time zone, currency, and Clover device identifiers.
- Orders & line items: order IDs, ticket totals, modifiers, ordered items, quantities, prices, taxes, discounts, line-item notes, order timestamps, and order status changes.
- Payments & refunds: payment IDs, tender type (cash / card / other), amount tendered, tip amount, refund amount, and timestamps. We do not receive full card numbers, full track data, CAV2/CVC2/CVV2/CID values, or PIN data. Card numbers, when surfaced at all, are limited to last-four digits and card-brand metadata supplied by Clover.
- Inventory & menu: items, categories, modifiers, modifier groups, price changes, and SKU metadata.
- Employees: employee names, roles, Clover employee IDs, and shift / clock-in events necessary to attribute KDS actions to a kitchen station. We do not receive Social Security numbers, bank-account details, or other payroll data.
- Customers (when surfaced by Clover): customer name, phone number, or email address attached to an order, where the Merchant has chosen to capture this information in Clover. If captured, this data is used only to display the order on the KDS and on the customer-facing display.
These webhook deliveries arrive at webhooks.yolorollo.jpzen.cn and are fanned out by our edge proxy to the KDS Backend Service (kds-api) and to the read-only analytics pipeline (analytics-api).
2.2 Data You Provide Directly
- Authentication credentials: when an Authorized User registers for the back-office or KDS web interface, we create a passkey-based account. We store the user's display name, email address (used as the account identifier), and the public-key portion of one or more WebAuthn credentials. We never see or store the private key, biometric template, or device PIN — those remain on the user's device.
- Session and device tokens: when a kitchen tablet or display logs into a KDS screen, we issue a long-lived device token bound to that screen, plus short-lived browser session cookies. These are stored in our database and in the device's local storage.
- Configuration & preferences: KDS filter settings, screen layouts, role assignments, and similar operational preferences chosen by the Merchant.
2.3 Data Generated by Use of the Software
- KDS ticket events: when a ticket is bumped, recalled, marked fired, or split across stations, we record the action, the actor (Authorized User or device), and the timestamp. This is the audit trail that lets the kitchen reason about service times.
- Realtime state records: ticket overrides, dead-letter jobs from background processing, and webhook event receipts (used for replay and deduplication).
- AI assistant conversations (optional): if the Merchant uses the in-app AI assistant feature, we store the messages exchanged with that assistant, plus an associated profile, so the assistant can answer follow-up questions about the Merchant's own data. The Merchant can delete these conversations at any time.
2.4 Technical and Diagnostic Data
We collect a limited set of technical logs to operate and secure the Software, including IP addresses, request paths, HTTP status codes, user-agent strings, error stack traces, and timing metrics. These logs are retained as described in Section 6.
We do not use third-party advertising trackers, marketing pixels, or cross-site tracking cookies in any part of the Software.
3. How We Use Information
We use the information described in Section 2 to:
- Operate the Software — display tickets on KDS screens, route orders to the correct station, drive the customer-facing display, run analytics dashboards in the back office, and synchronize state with Clover.
- Authenticate users — verify passkey signatures, maintain sessions, and prevent unauthorized access.
- Secure the system — detect abuse, rate-limit Clover API calls, log security events, replay missed webhook deliveries, and investigate incidents.
- Improve and maintain the Software — diagnose bugs, plan capacity, and validate migrations.
- Comply with law — respond to subpoenas, court orders, and other legally binding requests; preserve records when required.
We do not use Merchant Data or Authorized-User data to train any third-party machine-learning model, and we do not sell or rent personal information to anyone.
4. Legal Bases (EEA / UK Users)
To the extent the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:
- Contract — to provide the Software to the Merchant under the EULA.
- Legitimate interests — to secure the Software, prevent fraud, maintain audit trails, and improve reliability, balanced against the rights of affected individuals.
- Legal obligation — to retain records or respond to lawful requests.
- Consent — for any future optional feature that explicitly asks for it.
5. Sharing of Information
We share personal information only as described below. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
5.1 With Sub-processors
We rely on the following infrastructure sub-processors to run the Software:
| Sub-processor | Role | Data Categories | Location |
|---|---|---|---|
| Clover Network, LLC | Source of business data (POS, webhooks) | All Merchant Data | United States |
| Oracle Corporation (Oracle Cloud Infrastructure) | Compute, container hosting, database, object storage | All categories in Section 2 | United States (US-West region) |
| Cloudflare, Inc. | Authoritative DNS for yolorollo.jpzen.cn, ACME DNS-01 certificate issuance | Domain metadata only; no application payloads | Global |
| GitHub, Inc. | Source-code hosting and CI build runners | Software source code; no production user data | United States |
We do not transfer Merchant Data, KDS ticket data, or authentication data outside this list of sub-processors. We update this list when we change vendors.
5.2 With the Merchant
The Merchant has full administrative access to all data the Software collects about its own operations. The Software is purpose-built to expose this data to the Merchant through the back-office interfaces.
5.3 For Legal Reasons
We may disclose personal information when we believe in good faith that disclosure is necessary to (a) comply with applicable law or a lawful request from a government authority, (b) enforce the EULA, (c) detect, prevent, or respond to fraud or security incidents, or (d) protect the rights, property, or safety of the Merchant, Authorized Users, or others.
5.4 Business Transfer
If we sell, merge, or transfer the Software or its assets, we may transfer personal information to the acquirer, subject to that acquirer continuing to honor this Policy or providing notice of any material change.
6. Retention
| Data Category | Retention Window |
|---|---|
| Active KDS tickets and overrides | While the ticket is active, plus 365 days for audit |
| Clover order, payment, and item history (analytics mart) | Up to 24 months from order timestamp |
| Webhook event log (replay protection) | 30 days |
| Authentication accounts and WebAuthn public keys | Until the account is deleted by the Merchant |
| KDS device tokens | Until the device is unenrolled |
| AI assistant conversations | Until the Merchant deletes them; otherwise indefinitely |
| Technical / security logs | 90 days |
| Backups | Up to 35 days |
When the Merchant uninstalls the Software from the Clover App Market, OAuth access to Clover is revoked immediately and the Software stops receiving new Merchant Data. Stored data is purged on request (see Section 8) and otherwise within 180 days of uninstallation.
7. Security
We protect personal information with administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including:
- Transport encryption — TLS 1.2+ on every endpoint, including the Clover webhook ingress, the back-office, the KDS web app, and the iOS app.
- Webhook authenticity — each Clover webhook delivery is verified against the X-Clover-Auth verification code before processing.
- At-rest encryption — Oracle Cloud block storage volumes are encrypted by default.
- Access control — production database credentials are scoped per-app; only the developer has interactive shell access to production hosts; passkey authentication is required for the back-office.
- Network isolation — internal services are not reachable from the public internet except via the Traefik edge.
- Least-data principle — the Software does not request Clover scopes beyond what is needed to operate KDS and analytics, and does not request payment-card PAN, track, or PIN data.
No system is perfectly secure. If we become aware of a security incident affecting personal information, we will notify the Merchant without undue delay and, where required by law, the affected individuals and regulators.
8. Your Rights
Depending on where you live, you may have the following rights with respect to personal information about you:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate or incomplete information.
- Deletion — request that we delete personal information, subject to legal retention obligations.
- Portability — request a machine-readable export of certain personal information.
- Objection / restriction — object to or restrict certain processing.
- Withdrawal of consent — withdraw any consent you previously gave.
- Non-discrimination — exercise these rights without being penalized in your use of the Software.
To exercise these rights, contact us at jc1554@uah.edu. We will respond within the timeframe required by applicable law (typically 30–45 days). If you are an Authorized User employed by the Merchant, we may direct your request to the Merchant, who is the controller of your employment-related data.
California residents (CCPA / CPRA): in the 12 months preceding the Effective Date above, we did not sell or share personal information for cross-context behavioral advertising, and we did not use or disclose sensitive personal information for purposes other than those listed in this Policy.
Authorized agents may submit requests on your behalf with proof of authorization.
9. Children
The Software is a business tool for restaurant operations. We do not direct the Software to children, and we do not knowingly collect personal information from anyone under the age of 13 (or under 16 in the EEA / UK). If we learn that we have collected personal information from a child without verifiable parental consent, we will delete it.
10. International Transfers
The Software is operated from data centers in the United States. If you access the Software from outside the United States, your information will be transferred to and processed in the United States and in the locations of our sub-processors listed in Section 5.1. For transfers from the EEA or UK, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or another lawful transfer mechanism, as applicable.
11. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date above will reflect any material change. If a change materially expands the categories of personal information we collect or the purposes for which we use it, we will provide notice through the Software or by email to the Merchant before the change takes effect.
12. Contact
- Controller: Jiapeng Chen, d/b/a Yolo Rollo
- Email (privacy / data-subject requests): jc1554@uah.edu
- Postal: Wolfchase, Tennessee, United States
For Clover-platform privacy concerns that are not specific to the Software, please also contact Clover directly through https://www.clover.com/privacy-policy.
© 2026 Jiapeng Chen. "Clover" is a trademark of Clover Network, LLC, used here for identification purposes only.