Privacy Policy

1 Overview & Scope

Topline ("we," "our," or "us") is a franchise intelligence platform operated by Legacy F&B, LLC. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Topline platform, including our web application, reports, and related services (collectively, the "Service").

This policy applies to franchise operators and their authorized users who access Topline under a subscription agreement. By using the Service, you agree to the practices described here.

2 Data We Collect

We collect the following categories of data in connection with your use of the Service:

2.1 SBONet Financial & Operational Data

With your authorization, we access SBONet data on your behalf, including:

• Net and gross sales figures by location and time period
• Labor hours, labor cost percentages, and overtime data
• Speed of Service (SOS) metrics by daypart
• Void and waste data
• Transaction counts and average ticket data
• Any other operational data available through your authorized SBONet access

2.2 Account & User Data

• Name, email address, and title of authorized users
• Business name, store count, and geographic region
• Login credentials (passwords are hashed; we never store plaintext passwords)
• Billing information (processed by our payment processor — we do not store full card numbers)

2.3 Usage Data

• Pages visited and features used within the platform
• Report views, downloads, and email opens
• Browser type, operating system, and device type
• IP address and general geographic location (city/region level)
• Session timestamps and activity logs

2.4 Communications

• Emails you send to us (support, onboarding, feedback)
• Support tickets and chat logs

3 How We Use Your Data

We use the data we collect strictly to provide and improve the Service:

• Generate intelligence reports — Weekly Operator Briefings, GM Action Cards, trend analyses, and anomaly flags derived from your SBONet data
• Deliver reports — Sending reports to authorized email addresses on your account on the scheduled cadence
• Platform analytics — Understanding how operators use the Service to improve features and identify bugs
• Account management — Billing, subscription management, and user access controls
• Customer support — Diagnosing issues, responding to your questions, onboarding
• Security & fraud prevention — Detecting unauthorized access and protecting your data
• Legal compliance — Meeting our legal obligations under applicable law

4 Data Isolation & Separation

Each client's data is stored in a logically isolated environment. This means:

• No cross-client access — No other Topline subscriber can access your SBONet data, reports, or operational metrics under any circumstances
• Dedicated data namespaces — Your data is tagged and segregated at the database level by your unique client identifier
• No commingling of financial data — Your store-level financials are never merged with, compared against, or visible alongside another client's data within the platform
• Employee access controls — Only Topline personnel with a specific need (e.g., your dedicated onboarding contact or a support engineer actively resolving your issue) can access your data, and only temporarily and with audit logging
• Subprocessor segregation — Where we use third-party cloud infrastructure, your data remains isolated within that environment

5 Data Sharing & Third Parties

We do not sell your data. Period. We do not sell, rent, license, or trade your personal information or operational data to any third party for their own marketing or commercial purposes.

We may share data only in the following limited circumstances:

• Service providers (subprocessors): We use a limited set of trusted vendors to operate the Service (e.g., cloud hosting, email delivery, payment processing). These vendors are contractually bound to use your data only to provide services to us, not for their own purposes.
• Your direction: If you instruct us to share data with a third party (e.g., your accountant or a consultant), we will do so only per your explicit written instruction.
• Legal requirements: If required by law, court order, or regulatory authority, we may disclose the minimum data necessary to comply. We will notify you in advance where legally permitted to do so.
• Business transfers: If Topline or Legacy F&B is acquired or merges with another entity, your data may transfer to the successor entity, subject to the same privacy protections. We will notify you of any such change.

6 Data Retention & Deletion

Active accounts: We retain your SBONet data, reports, and account data for the duration of your active subscription plus 90 days after termination (to allow data export).

After termination: Following the 90-day export window, we will delete or anonymize your operational and financial data from our production systems within 30 days. Backups containing your data are purged on a rolling 90-day cycle thereafter.

Billing records: We retain billing records for 7 years to comply with applicable accounting and tax laws. These records contain billing amounts and dates but not your operational data.

Email communications: Support and onboarding communications are retained for 2 years.

Requesting Deletion

You may request deletion of your data at any time by contacting us at privacy@topline.app. We will confirm receipt within 5 business days and complete deletion within 30 days (subject to legal retention requirements).

7 Security

We implement industry-standard security measures to protect your data:

• All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher
• SBONet credentials are stored using AES-256 encryption at rest
• Access to production data is restricted to authorized personnel only, with multi-factor authentication required
• Regular security reviews and vulnerability assessments
• Incident response procedures with notification timelines

In the event of a data breach affecting your information, we will notify you and applicable regulators within the timeframes required by applicable law (no later than 72 hours where GDPR applies).

8 Your Rights (GDPR & Privacy Laws)

Depending on where you are located, you may have the following rights regarding your personal data:

• Right to access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data
• Right to restrict processing: Request that we limit how we use your data
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing of your data for certain purposes
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@topline.app. We will respond within 30 days. We may need to verify your identity before processing your request.

If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.

9 Children's Privacy

Topline is a B2B service intended for business operators and their authorized employees. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has provided personal information, we will delete it promptly.

10 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Effective Date" at the top of this page
• Send an email notification to the primary contact on your account at least 14 days before the change takes effect
• Display a notice within the Topline platform

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you may cancel your subscription before the effective date.

11 Contact Us

For privacy-related questions, data requests, or concerns, please contact our privacy team: