shield

Privacy Policy

BhojRestro Technologies Pvt. Ltd. is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard your information in compliance with GDPR and CCPA.

GDPR CompliantCCPA CompliantLast Updated: March 21, 2025

Table of Contents

  1. Who We Are
  2. Information We Collect
  3. Legal Basis for Processing (GDPR)
  4. How We Use Your Information
  5. Data Sharing & Third Parties
  6. Data Retention
  7. International Data Transfers
  8. Cookies & Tracking
  9. Your Rights Under GDPR
  10. Your Rights Under CCPA
  11. Children's Privacy
  12. Security
  13. Changes to This Policy
  14. Contact & DPO

1. Who We Are

Data Controller: BhojRestro Technologies Pvt. Ltd. (“BhojRestro”, “we”, “us”), registered in India, Bengaluru, Karnataka.

We operate a QR-based restaurant ordering and management platform at bhojrestro.in (the “Service”).

Privacy enquiries: privacy@bhojrestro.in

2. Information We Collect

2.1 Information You Provide

  • Account Registration: name, email, phone, restaurant name, address
  • Payment Information: processed via Razorpay; we do not store full card details
  • Communications: messages via email, contact forms, or support channels
  • Menu & Order Data: items, preferences, customisations, order history
  • Staff & Table Data: staff names, roles, table configurations

2.2 Automatically Collected

  • Log Data: IP address, browser type, pages visited, timestamps
  • Device Information: device type, OS, unique device identifiers
  • Usage Data: features used, clicks, session duration, error reports
  • Location Data: approximate location from IP (not GPS)
  • Cookies: session, analytics, preferences (see Section 8)

2.3 From Third Parties

  • Payment confirmation and fraud signals from Razorpay
  • Push notification tokens from Firebase Cloud Messaging (FCM)
  • Anonymised analytics from Google Analytics / Vercel Analytics
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

3. Legal Basis for Processing (GDPR)

For users in the EEA or UK, our legal bases under Article 6 GDPR are:

Contract (Art. 6(1)(b))

  • check_circleAccount creation and management
  • check_circleProcessing orders and payments
  • check_circleDelivering core Service features

Legitimate Interest (Art. 6(1)(f))

  • check_circleFraud prevention and security monitoring
  • check_circleImproving product features and UX
  • check_circleInternal analytics and reporting

Legal Obligation (Art. 6(1)(c))

  • check_circleResponding to valid legal requests
  • check_circleMaintaining financial & tax records
  • check_circleCompliance with applicable regulations

Consent (Art. 6(1)(a))

  • check_circleMarketing emails (opt-in only)
  • check_circleNon-essential cookies and analytics
  • check_circlePush notifications (opt-in via FCM)

4. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Process transactions and send related notifications
  • Send administrative messages (account, security, support)
  • Monitor and analyse usage trends to improve the Service
  • Detect, investigate, and prevent fraudulent or illegal activity
  • Send promotional communications (only with prior consent; unsubscribe anytime)
  • Comply with applicable laws, regulations, and legal processes
  • Enforce our Terms of Service and other agreements
We never use your data for fully automated decision-making that produces legal or similarly significant effects without explicit consent.

5. Data Sharing & Third Parties

RecipientPurposeSafeguard
RazorpayPayment processingPCI-DSS; DPA in place
Firebase / GooglePush notifications, analyticsSCCs / adequacy decision
Vercel / AWSHosting & infrastructureDPA; ISO 27001 certified
PostgreSQL (self-hosted)Database storageEncrypted at rest & in transit
Law enforcementLegal obligationOnly when legally required
Business successorsM&A or asset saleData protection terms required

6. Data Retention

  • Account data: duration of account plus 90 days post-deletion request
  • Order & transaction records: 7 years (financial / tax compliance)
  • Server & access logs: 90 days rolling
  • Marketing consent records: until withdrawn, plus 1 year
  • Support communications: 3 years

Request deletion at any time: privacy@bhojrestro.in

7. International Data Transfers

BhojRestro is based in India. Transfers to or from the EEA/UK are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Data Processing Agreements (DPAs) with all sub-processors

8. Cookies & Tracking Technologies

Strictly Necessary

Session management, authentication, CSRF. Cannot be disabled.

Basis: Contract / Legitimate Interest

Functional

Language preferences, UI settings, QR session state.

Basis: Legitimate Interest

Analytics

Google Analytics, Vercel — anonymised usage data.

Basis: Consent

Marketing

Retargeting pixels (if enabled). Not shared without consent.

Basis: Consent

9. Your Rights Under GDPR

verified_user

Right of Access (Art. 15)

Obtain a copy of personal data we hold about you.

verified_user

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

verified_user

Right to Erasure (Art. 17)

Request deletion of your data.

verified_user

Right to Restrict Processing (Art. 18)

Limit how we use your data in certain circumstances.

verified_user

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

verified_user

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing.

verified_user

Withdraw Consent

Withdraw consent at any time without affecting prior processing.

verified_user

Lodge a Complaint

File a complaint with your supervisory authority (e.g., ICO, CNIL).

To exercise any right, email privacy@bhojrestro.in. We respond within 30 days and may require identity verification.

10. Your Rights Under CCPA / CPRA

Right to Know

Request disclosure of categories and specific pieces of personal information collected in the past 12 months, including sources and purposes.

Right to Delete

Request deletion of personal information, subject to exceptions (legal obligations, security, completing transactions).

Right to Correct

Request correction of inaccurate personal information.

Right to Opt-Out of Sale/Sharing

We do not sell or share personal information for cross-context behavioural advertising.

Limit Sensitive Data Use

Limit use of sensitive personal information to purposes necessary to provide the Service.

Right to Non-Discrimination

We will not discriminate against you for exercising CCPA rights.

Submit a verifiable consumer request to privacy@bhojrestro.in with subject “CCPA Request”. We do not disclose personal information for third-party direct marketing (Cal. Civ. Code § 1798.83).

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. Contact privacy@bhojrestro.in if you believe we have inadvertently collected such data and we will delete it promptly.

12. Security

lockTLS / HTTPS encryption for all data in transit
lockAES-256 encryption for sensitive data at rest
lockJWT authentication with short-lived refresh tokens
lockRole-based access control (RBAC) on all systems
lockRazorpay PCI-DSS compliant payment processing
lockRegular security audits and penetration testing
lock72-hour breach notification procedure (GDPR Art. 33)
lockResponsible disclosure program for security researchers

To report a vulnerability: security@bhojrestro.in

13. Changes to This Policy

We may update this Policy periodically. For material changes we will post a new “Last Updated” date, email registered users, and display a prominent dashboard notice. Continued use after the effective date constitutes acceptance.

14. Contact & Data Protection Officer

General Privacy Enquiries

mailprivacy@bhojrestro.in

BhojRestro Technologies Pvt. Ltd.
Bengaluru, Karnataka, India

EU / EEA Representative (GDPR Art. 27)

EEA residents may direct GDPR requests to:

mailgdpr@bhojrestro.in