Privacy Policy

This Privacy Policy describes how DineFlow Technologies Pvt. Ltd. ("DineFlow", "we", "our", or "us") collects, uses, stores, and shares information when you interact with our platform — including the DineFlow website (dineflow.in), the merchant administration dashboard, and the guest-facing QR menu interfaces served at restaurant tables. This policy applies to: • Restaurant and cafe owners and operators who submit enquiries or use our merchant dashboard ("Merchants") • Members of restaurant staff who access the merchant backoffice • Visitors to our marketing website (dineflow.in and associated pages) • Dining guests who access restaurant menus via QR codes (guest-only data practices described in Section 4) If you are a dining guest using a restaurant's QR menu, we want to be clear upfront: we do not collect any personal information from you. Guest menu usage is anonymous by design.

When you submit an enquiry form or set up a DineFlow merchant account, we collect the following information: Restaurant Information: • Restaurant or Cafe name • Physical address of the venue • Website URL (if available) • Number of dining tables • Specific requirements or preferences you describe Point of Contact (POC) Information: • Full name of the primary contact person • Designation / role at the restaurant • WhatsApp mobile number (used for onboarding communication and support) • Email address (if provided) Account Usage Data: • Menu items, categories, pricing, and photos you upload to the system • Table configurations and QR code assignments you create • Order records generated by guest submissions at your tables • Dashboard activity logs (login timestamps, settings changes) retained for 90 days We do not collect payment card numbers. If you purchase a paid subscription, billing is processed through a PCI-DSS compliant third-party payment processor (Razorpay), and card data never passes through our servers.

We use the information collected from merchants for the following specific purposes only: Service Delivery: • Setting up and configuring your restaurant's DineFlow profile • Generating unique QR codes for each table you register • Providing your restaurant with access to the merchant administration dashboard • Processing subscription payments through our payment processor Support & Communication: • Responding to support enquiries via WhatsApp or email • Sending onboarding instructions and setup guides • Notifying you of service incidents, planned maintenance, or system updates • Sending product update announcements (you can unsubscribe at any time) Product Improvement: • Aggregated, anonymized analytics on feature usage patterns (e.g., how often merchants use the QR export feature) to prioritize future development. Individual restaurant data is never shared. Legal Compliance: • Maintaining records as required by applicable Indian tax and company law regulations • Responding to lawful legal requests from government authorities where required We will never sell your data to third parties, use it for advertising purposes, or share it with other restaurants or businesses without your explicit consent.

If you are a dining guest who accessed a restaurant's QR menu through DineFlow, this section applies to you. What we do NOT collect from guests: • Name, email address, phone number, or any personally identifiable information • Device identifiers or fingerprinting data • Location data or GPS coordinates • Purchase history linked to an individual identity • Cross-session behavioral profiles What an order submission contains: When a guest submits an order, the data sent to our system includes: • The table ID (e.g., "Table 4") — this is not linked to any individual • The list of selected menu items and quantities • A timestamp of when the order was submitted No data linking an order to a specific person, device, or visit is stored. If the same guest visits the same restaurant tomorrow and orders again, our system has no way to connect those two events. Local browser caching: The guest menu page caches menu category and item data in the browser's local storage for faster subsequent loads. This cached data consists only of menu content (item names, prices, photos) and is cleared when the browser session ends or the cache expires. It contains no personal data.

DineFlow's marketing website (dineflow.in) uses minimal cookies: Essential Cookies (required): • Session authentication cookie for logged-in merchant dashboard sessions • CSRF protection token (security-critical, session-scoped) • Load balancer sticky session cookie (expires when browser closes) Analytics Cookies (optional, can be declined): • We use a privacy-preserving analytics tool (Plausible Analytics) that does not use cookies, does not fingerprint browsers, and does not track users across sites. All page view data is aggregated and cannot be connected to individual users. You can review Plausible's privacy documentation at plausible.io/data-policy. No advertising or marketing cookies: • We do not use Facebook Pixel, Google Ads remarketing tags, or any third-party advertising cookies. We do not build behavioral profiles for advertising purposes. Guest QR Menu Pages: • The guest menu interface uses no cookies. Local storage is used only for menu content caching (item names, prices). No tracking of any kind is implemented on guest menu pages.

Data Storage: All merchant account data is stored on Google Cloud Platform (GCP) in the Mumbai, India region (asia-south1). Data is encrypted at rest using AES-256 encryption. Backups are stored in a separate GCP Cloud Storage bucket with restricted access. Retention Periods: • Active merchant accounts: data retained for the duration of the subscription • Cancelled accounts: data retained for 6 months after cancellation, then permanently deleted • Order records: retained for 12 months, then anonymized (table IDs removed) • Support communication logs: retained for 18 months • Dashboard activity audit logs: retained for 90 days Data Deletion Requests: You may request deletion of your account and all associated data at any time by emailing privacy@dineflow.in with the subject "DATA DELETION REQUEST". We will confirm deletion within 5 business days and complete the permanent deletion within 30 days. Note: Where applicable law requires us to retain certain data (e.g., billing records for 7 years under Indian accounting law), we will retain only the legally required minimum and notify you of the retention obligation.

As a DineFlow merchant account holder, you have the following rights regarding your data: Right to Access: Request a copy of all personal data we hold about you and your restaurant account. We provide this in a machine-readable format (JSON) within 30 days of the request. Right to Rectification: Correct inaccurate or incomplete information in your account at any time via the dashboard settings, or by contacting support. Right to Erasure: Request permanent deletion of your account and all associated data. See Section 6 for deletion timelines and legal retention exceptions. Right to Data Portability: Export your menu data (categories, items, pricing), table configurations, and order history in CSV format from your dashboard at any time. Right to Restrict Processing: Request that we limit processing of your data to storage only while you dispute accuracy or our legal basis for processing. Right to Object: Object to our use of your data for any purpose not strictly necessary for service delivery. We will cease that processing unless we have a compelling legitimate ground. To exercise any of these rights, contact: privacy@dineflow.in

We share data with third parties only in the following limited circumstances: Infrastructure Providers (Sub-processors): • Google Cloud Platform — hosting, database, and storage infrastructure. GCP's data processing terms are aligned with GDPR and relevant regional regulations. • Supabase — database management layer. Supabase operates on GCP and maintains SOC 2 Type II certification. • Razorpay — payment processing for paid subscriptions. Razorpay is PCI-DSS Level 1 certified. Communication Tools: • WhatsApp Business API — for sending order notifications and support responses. Only your WhatsApp number and the specific message content is shared for delivery purposes. Legal Disclosures: • If required by a valid court order, warrant, or lawful government request, we may be required to disclose specific account information. We will notify you of such requests before disclosure wherever legally permitted to do so. Aggregate Analytics: • Non-identifiable, aggregated statistics (e.g., "Bangalore has the highest QR scan-to-order conversion rate in India") may be shared publicly in blog posts, press releases, or product reports. No individual restaurant data is included in these aggregations. We do not sell personal data. We do not share personal data with advertisers.

DineFlow's merchant platform is designed for use by adults operating food service businesses. We do not knowingly collect personal information from individuals under the age of 18. If you are a parent or guardian and believe your child has submitted personal information to us through our enquiry form, contact us immediately at privacy@dineflow.in and we will promptly delete the information. Guest dining menus do not collect any information from any person, including minors.

We may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, or product features. When we make material changes, we will: • Update the "Last Updated" date at the top of this page • Send an email notification to all active merchant accounts at least 14 days before the changes take effect (for changes that reduce your rights or expand our data use) • Display a notice on the merchant dashboard for 30 days following a significant update Continued use of DineFlow after the effective date of an updated policy constitutes acceptance of the revised terms. If you do not agree with changes, you may close your account before the changes take effect. For minor updates (grammar corrections, clarifications that do not change the substance of the policy), we may update without notification but will always reflect the current date.

For any privacy-related questions, data requests, or concerns about our data practices, contact our privacy team: Privacy Team: privacy@dineflow.in Data Protection Officer: dpo@dineflow.in Postal Address: DineFlow Technologies Pvt. Ltd., BKC Finance Hub, Mumbai, Maharashtra, India — 400051 We aim to respond to all privacy enquiries within 5 business days. For urgent matters involving potential data breaches or sensitive rights requests, please mark your email subject line "URGENT — Privacy Matter" for expedited handling.