Skip to content
Privacy Policy

Your data, and what we do with it

Last updated: 4 July 2026 (draft). This is a working draft scaffold. It must be reviewed and completed by a qualified lawyer in your target jurisdictions (UK/EU GDPR, India DPDP, UAE) before publishing. Do not ship as-is.

Who we are

Ontabee is operated by Technoduces Info Solutions Pvt. Ltd., Coimbatore, Tamil Nadu, India [confirm registered address and data-controller designation with counsel]. For questions about this policy or your data, contact sales@technoduces.com.

What data we collect

From restaurants (our customers): account and contact details, business information, and the payment/SMS/email provider credentials you configure — stored encrypted. From your diners (processed on your behalf): names, contact details, delivery addresses, and order history. Payment card data is handled by your own payment provider — we never store card numbers.

How we use it

To provide the ordering platform, process and route orders, send transactional messages through your configured providers, bill our subscription, provide support, prevent fraud and abuse, and keep the service secure. We do not sell personal data, and we do not use your customers' data to market to them on our own behalf. [Confirm the final list of processing purposes and lawful bases with counsel.]

Your rights — access, export, and deletion

You can export your data and your customers' data at any time from the dashboard (Compliance → Data requests), and you or your customers can request deletion. Deletion anonymizes personal details while retaining the financial records the law requires us and you to keep. Email sales@technoduces.com for any request you can't complete in the dashboard; we respond within 30 days. [Map each right to GDPR Art. 15–20, India DPDP, and UAE PDPL equivalents with counsel.]

Where your data lives

Production data is hosted in cloud regions selected per tenant at onboarding — EU tenants can be hosted in the EU, Indian tenants in India, and GCC tenants in the UAE/GCC region — so your data can stay in your jurisdiction where you require it. Backups remain within the same region. [State the exact regions and providers in use at launch.]

Who we share it with

Only the sub-processors needed to run the service: our cloud hosting provider and the platform-tier email service used solely for account verification, password resets, and our subscription invoices. Your customer-facing payment, SMS, email, maps, and push run through your own configured providers under your agreements with them, not ours. [Publish the named sub-processor list before launch and keep it current.]

How long we keep it

Account and menu data: for the life of your account plus 90 days. Order and payment records: 7 years, to meet tax and accounting obligations (yours and ours). Server logs: 90 days. When you leave, you can export everything during a 30-day offboarding window; we then delete or anonymize your data on this schedule. [Confirm retention periods against each jurisdiction's statutory minimums.]

Security

Encryption in transit (TLS) and at rest, provider credentials stored encrypted in a secrets vault and never logged, role-based access controls, audited administrative access (including any support impersonation), and rate limiting. We never store card numbers — payments are processed by your own payment provider. We do not currently hold SOC 2 or ISO 27001 certification and won't claim otherwise; our engineering practices are built toward those standards.

Cookies

The ordering surface uses only essential cookies/storage: your session and your cart. No advertising or cross-site tracking cookies. If analytics cookies are ever added, EU/UK visitors will be asked for consent first.

Changes to this policy

We'll post updates here with a revised date and notify you of material changes.