Privacy Policy

Avenzo ("we", "our", "us") operates a QR-code-based dine-in ordering platform that connects customers with restaurant partners. This policy explains what personal information we collect, why we collect it, how we use it, and your rights under the Digital Personal Data Protection Act, 2023 (India) and other applicable laws.

1. Information We Collect

Account information

• Name (optional at sign-up)
• Email address (required for email/password and social login accounts)
• Phone number (required for placing orders; used for order notifications)
• Encrypted password (stored as a one-way bcrypt hash; we never store the plaintext)

Order and transaction information

• Items ordered, quantities, modifiers, and order total
• Table number (where provided)
• Order status history and timestamps
• Payment transaction records: provider order ID, payment ID, amount, currency, status, and refund references — we do not store card numbers, CVV codes, or full card data; payment is handled by Razorpay's hosted checkout
• Tracking token (a random token used for public order tracking without requiring login)

Device and session information

• Push notification device token (for order status alerts; platform: iOS / Android)
• Session ID (a random identifier used for guest order deduplication; not linked to your identity)
• IP address hash (used for fraud prevention and rate limiting; not stored in plain text)

Restaurant lead information (business enquiries only)

• Restaurant name, contact name, phone, email, location, and message (only when you submit a restaurant onboarding enquiry)

Support and communication

• Email or phone you provide when contacting support
• Content of your support message

2. How We Use Your Information

• Order processing: to receive, confirm, prepare, and deliver your order and send you order status notifications
• Account management: to create and manage your account, verify your identity, and let you view your order history
• Payments: to initiate a payment session with Razorpay and verify payment completion; we never process raw card data
• Push notifications: to send you real-time order status updates (e.g., order accepted, ready for pickup)
• Fraud prevention and security: to detect abusive order patterns, enforce rate limits, and protect the platform
• Restaurant onboarding: to respond to restaurant partnership enquiries
• Legal compliance: to meet our obligations under applicable Indian law including tax, accounting, and food safety regulations
• Marketing (only with your explicit consent): to send you promotional offers or new feature announcements — you can opt out at any time

3. Legal Basis for Processing

• Contract performance: processing your order data to fulfil the service you requested
• Legitimate interests: fraud detection, security, service improvement — balanced against your privacy rights
• Consent: marketing communications, optional push notifications — you can withdraw consent at any time
• Legal obligation: retaining transaction records for accounting and tax compliance

4. Who We Share Your Information With

We do not sell your personal data. We share your data only with the following service providers who process it on our behalf:

• Razorpay Financial Solutions Pvt. Ltd. — payment processing; receives payment amount, order reference, and transaction metadata
• Resend Inc. — transactional email delivery (OTP, order confirmations); receives email address and email content
• Supabase Inc. — cloud file storage for restaurant menu images
• Expo (Expo Inc.) — push notification delivery to your device; receives your push notification token
• Sentry (Functional Software, Inc.) — error monitoring and crash reporting; may receive anonymised request context; enabled only if configured
• Restaurant partner: when you place an order, the restaurant receives your phone number, order details, and table number to prepare and serve your order

We do not share your data with advertising networks, data brokers, or any third party for marketing purposes without your explicit consent.

5. Data Retention

• Order and payment records: retained for 5 years from the date of the transaction for tax, accounting, and legal compliance — even if you delete your account, order records are anonymised (unlinked from your identity) and retained for this period
• Account data (name, email, phone): retained until you delete your account, at which point your personal details are permanently anonymised
• Push notification tokens: deleted when you delete your account or when the device token becomes invalid
• IP address hashes: retained for 90 days for fraud detection, then automatically deleted
• Support messages: retained for 1 year after resolution

6. Your Rights (DPDP Act 2023)

Under India's Digital Personal Data Protection Act 2023, you have the following rights:

• Right to access: request a summary of the personal data we hold about you and the third parties it has been shared with
• Right to correction and erasure: request that we correct inaccurate data or erase your personal data when it is no longer needed — use the in-app "Delete Account" option or contact us at the address below
• Right to grievance redressal: if your request is not resolved within 30 days, you may escalate to the Data Protection Board of India
• Right to nominate: nominate another person to exercise your data rights in the event of your death or incapacity

7. Account Deletion

You can delete your account at any time from the app (Settings → Delete Account). On deletion, your name, email, phone number, and password are permanently anonymised. Your past orders are retained in anonymised form for accounting and legal compliance purposes. Push notification tokens are deleted immediately.

For assistance or to submit a deletion request without the app, visit avenzo.in/account-deletion.

8. Data Security

• All data is transmitted over HTTPS/TLS
• Passwords are stored as bcrypt hashes (never in plain text)
• Payment card data never passes through our servers — handled entirely by Razorpay's PCI-DSS Level 1 certified infrastructure
• Authentication tokens are short-lived (7 days) and are revoked immediately on logout or account deletion
• Sensitive fields in server logs are automatically redacted

9. Children's Privacy

Avenzo is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via the app or email. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us