Privacy Policy

Restaurants are the data fiduciary for guest data.When a guest orders at a restaurant using eRestro, the restaurant decides what data to collect and why. The restaurant is the data fiduciary (controller) for that guest data. NexG acts as a data processor on the restaurant’s behalf, providing the software that stores and processes it.

NexG is the data fiduciary for restaurant-account data.For data about the restaurant’s own users (owners, managers, staff) and our direct relationship with the restaurant, NexG is the data fiduciary.

Depending on how the Service is used, we may process:

• Guest data: a guest's phone number (where the restaurant collects it), optional name and email, order history, table and session details, payment status, tips, and any notes or feedback the guest provides.
• Restaurant-account data: names, email addresses, phone numbers, and login credentials of restaurant users; the restaurant's profile, menu, pricing, and settings (including its GSTIN where provided).
• Usage and device data: log data, IP address, device and browser information, and basic analytics needed to operate, secure, and improve the Service.
• Payment metadata: the method, status, and reference for transactions. Guest payments are collected by or for the restaurant; we generally do not store full card or bank credentials.

We use personal data to:

• provide the Service — take orders, route them to the kitchen, manage tables, and produce bills and receipts;
• send transactional messages tied to an order or booking (for example an order confirmation or a receipt over WhatsApp), where the restaurant has chosen to do so;
• secure the Service, prevent fraud and abuse, and debug problems;
• operate, maintain, and improve the Service;
• comply with legal, tax, and accounting obligations.

We do not sell personal data. We process guest data on the documented instructions of the restaurant, except where the law requires otherwise.

We share data only as needed to run the Service: with infrastructure, hosting, messaging, and payment providers acting as our sub-processors under appropriate agreements; with a restaurant’s own authorised users; and where required by law or to protect rights and safety. We do not share guest data with other restaurants.

We keep personal data for as long as needed to provide the Service and to meet legal, tax, and accounting requirements, after which it is deleted or anonymised. Restaurants may configure or request deletion of guest data they control, subject to those legal requirements.

Subject to the DPDP Act and other applicable law, individuals (data principals) may have the right to access a summary of their personal data, to seek correction or erasure, to withdraw consent, to nominate another person to exercise rights on their behalf, and to grievance redressal.

Because the restaurant is the fiduciary for guest data, requests about guest data are generally directed to the restaurant where the order was placed; we will support the restaurant in responding. For data about a restaurant account, contact us using the details below.

We use reasonable technical and organisational measures to protect personal data, including access controls and encryption in transit. No system is perfectly secure, but we work to safeguard data and to respond to incidents appropriately, including any breach notifications required by law.

We use cookies and similar technologies that are necessary to run the Service — for example to keep you signed in, to remember a guest’s table session, and to keep the Service secure. We may use limited analytics to understand and improve usage. You can control cookies through your browser; disabling necessary cookies may break parts of the Service.

The Service is intended for restaurants and their adult staff and guests. It is not directed at children, and we do not knowingly collect data from children except as the DPDP Act permits and a restaurant directs.

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date and, where appropriate, provide additional notice.

For privacy questions or to raise a grievance, contact us at connect@erestro.in. We are governed by the laws of India; the courts at Bhopal, Madhya Pradesh have jurisdiction over disputes relating to this policy.