1. Introduction
This Privacy Policy explains how TheFoodix (“we”, “our”, or “us”) collects, uses, shares, and protects personal information when you use our Service. It applies to our website, dashboards, public guest menu pages, and APIs.
We are committed to handling your information transparently and in line with applicable data-protection laws, including the Digital Personal Data Protection Act (DPDP) of India and, where applicable, the EU / UK General Data Protection Regulation (GDPR). If you do not agree with this Privacy Policy, please do not use the Service.
2. Information We Collect
Information you provide
- Account information: restaurant name, your full name, email address, optional phone number, a password that we store only as a bcrypt hash (cost factor 12), and an optional profile image.
- Restaurant content: menu categories and items, descriptions, prices, images, themes, tables, and staff records you add to the dashboard.
- Payment information: handled by our payment processors (Stripe and Razorpay). We receive a reference identifier and limited metadata — we do not store full payment card numbers or banking credentials.
- Communications: messages you send us (support requests, feedback, legal queries).
Guest information (at QR-scanned menus)
- Optional guest name and phone number provided during checkout
- Special instructions you add to an order
- Feedback rating (1–5) and optional comment after a completed order
- IP address and basic technical metadata captured with each order
Information collected automatically
- Device & usage data: IP address, browser type, operating system, pages visited, referrer, and timestamps.
- Cookies and similar technologies: strictly necessary cookies used for authentication and session state (see Section 11).
- Logs: request logs, error logs, and security events (for example, login attempts and refresh-token rotations) retained for security, fraud prevention, and debugging.
Information from third parties
When you sign in using Google or GitHub, we receive your email address, name, profile picture, and a provider identifier. We use this only to create or sign in to your account.
3. How We Use Your Information
We use personal information to:
- Provide, operate, and maintain the Service
- Create and manage your account, authenticate you, and rotate refresh tokens securely
- Process subscription payments through Stripe or Razorpay
- Deliver transactional emails (verification, password reset, invoices, order notifications)
- Power real-time order updates via WebSocket
- Generate analytics scoped strictly to each restaurant's own operations — data is never shared across tenants
- Detect, prevent, and address fraud, abuse, and security incidents
- Comply with legal and tax obligations (including GST invoicing in India)
- Communicate service updates and, with your consent where required, occasional product news
4. Legal Bases for Processing (EEA / UK)
Where GDPR applies, we process personal data under the following bases:
- Contract — to provide the Service you or your organization signed up for.
- Legitimate interests — for security, service improvement, and limited analytics, always balanced against your rights.
- Legal obligation — for tax, accounting, and regulatory compliance.
- Consent — for optional marketing communications, which you can withdraw at any time.
6. Third-Party Services
Our sub-processors maintain their own privacy policies. For your reference:
- Stripe — stripe.com/privacy
- Razorpay — razorpay.com/privacy
- Resend — resend.com/legal
- Supabase — supabase.com/privacy
- Upstash — upstash.com/privacy
- Google — policies.google.com/privacy
- GitHub — docs.github.com/site-policy
7. Data Security
We apply appropriate technical and organizational measures to protect your information, including:
- Passwords hashed with bcrypt (cost factor 12) — we never store plaintext passwords
- Short-lived JWT access tokens; refresh tokens stored only as SHA-256 hashes, rotated on every use, with automatic detection of reuse of a rotated token
- HTTPS/TLS encryption for data in transit
- Strict tenant isolation — every backend query is scoped to the requesting tenant
- Webhook signature verification, rate limiting, input validation, and HTTP security headers
- Role-based access control and activity logging for sensitive operations (such as admin impersonation)
No system is completely secure. If we become aware of a security incident that affects your information, we will notify you without undue delay and in accordance with applicable law.
8. Data Retention
We retain personal information only as long as necessary:
- Account data: for the lifetime of your account, and up to 90 days after deletion for backup and security review.
- Order and invoice data: up to 7 years, as required by Indian GST and accounting laws.
- Security and activity logs: up to 12 months.
- Guest order data: retained for the same period as the corresponding order records.
You may request earlier deletion subject to legal retention requirements — see Section 10.
9. International Data Transfers
Our infrastructure partners may store or process data in data centres outside your country of residence. Where transfers originate from the EEA, UK, or other regulated jurisdictions, we rely on approved safeguards such as Standard Contractual Clauses.
10. Your Privacy Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Object to, or restrict, certain processing
- Receive a copy of your data in a portable, machine-readable format
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data-protection authority
To exercise these rights, email privacy@thefoodix.in. We will verify your identity and respond within 30 days, or longer where permitted by law.
12. Children's Privacy
The Service is not directed at individuals under 18, and we do not knowingly collect personal information from minors. If you believe a minor has provided us with information, please email privacy@thefoodix.in and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect. The “Last updated” date at the top of this page always reflects the most recent version.
14. Contact Us
For questions about this Privacy Policy or our data practices: