Legal · Privacy

Privacy Policy

Your data pays for nothing here — Tapsora makes money from software subscriptions, not from selling or renting data. This policy explains, in plain language, what Tapsora Technologies collects, why, where it lives, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (DPDP).

Effective 16 July 2026 · Tapsora Technologies

01

Who is responsible for your data

The data fiduciary is Tapsora Technologies (sole proprietorship, Udyam Reg. No. UDYAM-UP-50-0287166), B-3, Capital Market, Kursi Road, Dasauli, Bakshi Ka Talab, Lucknow, Uttar Pradesh 226026. For anything in this policy, write to aftabahmed116@gmail.com or call +91 72773 47303.

One nuance worth knowing: for a diner’s order history at a particular restaurant, the restaurant decides how to use that data for its own business, and Tapsora processes it on the restaurant’s behalf. For platform accounts and everything else, Tapsora is the fiduciary.
02

What we collect

  • Restaurant accounts: owner and staff names, email, phone, business name and address, and licence numbers the restaurant chooses to display (FSSAI, GSTIN).
  • Diner accounts: phone number (verified by OTP), name, delivery addresses, and order history per restaurant.
  • Orders & billing: items, amounts, payment method and gateway payment references (never card or UPI credentials), invoices, and subscription history.
  • Rider location: while a rider is on an active delivery, their live location — only to show the diner where their order is.
  • Usage & device basics: aggregate, cookieless visit counts (page, rough city, device type, hour). No cross-site tracking profile is built.
03

What we deliberately don't do

  • We don’t store card numbers, UPI PINs or banking credentials — payments are processed by RBI-authorised gateways (e.g. PhonePe, Razorpay) on their own secure pages.
  • We don’t sell or rent personal data to anyone, ever.
  • We don’t run third-party advertising trackers on the platform.
  • We don’t collect precise device location from diners; delivery addresses are what you type.
04

How we use data

  • Running the service: accounts, menus, orders, billing, delivery tracking, receipts and KOTs.
  • Transactional notifications — order updates by SMS, WhatsApp, push or in-app. Marketing messages only with consent, always with opt-out.
  • Support, fraud prevention, abuse detection and rate-limiting.
  • Aggregate analytics (counts and totals — never individual profiles) to improve the product and show restaurants how their storefront performs.
  • Meeting legal obligations — tax records, responding to lawful requests.
05

Who data is shared with

  • The restaurant you order from sees your name, phone, address and order — it needs them to cook and deliver. Restaurants only ever see their own customers.
  • Processors we run on: Google Firebase / Google Cloud (hosting, database, authentication), payment gateways (PhonePe, Razorpay), SMS/WhatsApp providers for transactional messages, and courier partners for physical sticker-pack shipments.
  • Authorities, when the law genuinely requires it.

Each processor receives only what it needs for its job, under its own security and data-protection commitments. Some (like Google Cloud) may process data on servers outside India; we choose providers with strong, industry-standard protections.

06

Storage & security

  • Data lives in Google Firebase (Firestore) with strict server-side access rules — client apps can only reach what they’re authorised for.
  • Everything travels over HTTPS/TLS. Secrets such as OTP codes and activation codes are stored only as salted cryptographic hashes, never in plain text.
  • Staff access follows least-privilege roles; sensitive actions are audit-logged.
  • No system is unbreakable. If a breach affecting you occurs, we’ll notify you and the authorities as the DPDP Act requires.
07

How long we keep data

  • Account data: for the life of the account, then deleted or anonymised within 90 days of closure (after the 30-day export window).
  • Order and payment records: retained as required for tax, accounting and dispute obligations (typically 8 years under Indian law), then deleted.
  • Rider live-location: only for the duration of the delivery plus a short operational window.
  • Aggregate analytics contain no personal identifiers and may be kept indefinitely.
08

Your rights (DPDP Act 2023)

You can, at any time, ask us to:

  • Access — a summary of the personal data we hold about you and how it’s used.
  • Correct — fix inaccurate or incomplete data (much of it you can edit directly in the app).
  • Erase — delete your personal data, subject to records we must legally retain.
  • Withdraw consent — e.g. opt out of marketing messages, without affecting the service itself.
  • Nominate — name someone to exercise these rights for you if you’re unable to.

Email aftabahmed116@gmail.com from your registered email or phone. We verify, then act — normally within 30 days. If you’re unsatisfied, escalate via our grievance process, and beyond that to the Data Protection Board of India.

09

Cookies & local storage

  • We use browser local storage for practical state: your theme choice, cart contents, and sign-in session. These stay on your device.
  • Visitor analytics are cookieless — a daily anonymous counter, not a tracking cookie. There is no cross-site advertising identifier anywhere on the platform.
10

Children

Tapsora accounts are for people 18 and over. We don’t knowingly collect children’s data; if you believe a child’s data has reached us, write to aftabahmed116@gmail.com and we’ll delete it.

11

Grievance officer & changes

Aftab Ahmed, Proprietor & Grievance Officer B-3, Capital Market, Kursi Road, Dasauli, Bakshi Ka Talab, Lucknow, Uttar Pradesh 226026 · aftabahmed116@gmail.com · +91 72773 47303. We acknowledge grievances within 48 hours and resolve them within 30 days.

If we materially change this policy, we’ll notify you by email or in-app notice before the change takes effect. The “effective” date above always reflects the current version.

Questions about this policy?

Write to us and a human replies — usually the founder. We acknowledge within 48 hours.

Related policies