Privacy Policy

How we collect, use, and protect your data. Last updated: 5 March 2026.

Bill Feeds ("we", "us", or "our") operates the website billfeeds.com and the Bill Feeds cloud-based restaurant POS platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We operate in India, the United Arab Emirates, and the United Kingdom. This policy is designed to comply with the General Data Protection Regulation (GDPR), the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023 (India), and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

1. What We Collect

Account Information

  • Full name, email address, phone number, and password (hashed) when you register
  • Organisation name, branch name, and business address
  • Role and permission level (superadmin, branch admin, cashier, waiter, kitchen staff)

Business Data

  • Menu items, categories, pricing, and images
  • Table layouts, floor configurations, and KDS station settings
  • Orders, transactions, payment records, and receipts
  • Inventory levels, supplier details, and purchase records
  • Staff attendance and shift information

Technical Data

  • IP address, browser type and version, operating system
  • Pages visited, time spent on pages, and navigation patterns
  • Device type (desktop, tablet, mobile) and screen resolution
  • Error logs and performance metrics for service reliability

2. How We Use Your Data

We use the information we collect for the following purposes:

  • Service delivery: To operate, maintain, and provide the POS system, KDS, order management, and analytics features
  • Account management: To create and manage your account, authenticate logins, and enforce role-based access controls
  • Billing and invoicing: To generate invoices, process subscription payments, and send billing reminders
  • Communication: To send transactional emails (invoices, payment confirmations, subscription alerts, support ticket updates) and registration confirmations
  • Improvement: To analyse usage patterns and improve the Service, fix bugs, and develop new features
  • Security: To detect and prevent fraud, abuse, and unauthorised access (including anti-bot measures during registration)
  • Legal compliance: To comply with applicable laws, regulations, and legal processes in India, UAE, and the UK

Legal basis (GDPR): We process your data based on contractual necessity (to provide the Service you signed up for), legitimate interest (to improve and secure the Service), consent (for optional marketing communications), and legal obligation (tax and compliance records).

3. Data Storage & Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data is transmitted over TLS (HTTPS). No unencrypted connections are accepted.
  • Encryption at rest: Payment gateway credentials and sensitive configuration data are encrypted using AES-256 before storage.
  • Password security: Passwords are hashed using bcrypt with a cost factor of 10. We never store plaintext passwords.
  • Authentication: All API endpoints require JWT-based authentication. Tokens expire after a set period and must be refreshed.
  • Input sanitisation: All user inputs are sanitised to prevent XSS, SQL injection, and other injection attacks.
  • Content Security Policy: We enforce CSP headers to prevent unauthorised script execution.
  • Access control: Role-based access ensures staff can only access data relevant to their role and branch.
  • Audit logging: All significant actions are logged with timestamps and user identity. Audit logs are retained for 365 days.

We do not store raw credit or debit card numbers. All payment card processing is handled by our PCI-compliant payment gateway partners (see Third-Party Services below).

4. Third-Party Services

We share data with the following third-party service providers, solely for the purposes described:

Brevo (Sendinblue) -- Email Delivery

We use Brevo's HTTP API to send transactional emails including invoices, payment confirmations, subscription notifications, support ticket updates, and registration confirmations. Your email address and name are shared with Brevo for this purpose. Brevo Privacy Policy

Railway -- Application Hosting

Our application backend and PostgreSQL database are hosted on Railway's infrastructure. All application data, including user accounts, orders, and business data, is stored on Railway servers. Railway Privacy Policy

Cloudflare R2 -- File Storage

Media files such as menu item images, restaurant logos, and uploaded documents are stored on Cloudflare R2 with global edge delivery. Cloudflare Privacy Policy

Razorpay -- Payment Processing (India)

For customers in India, subscription payments are processed through Razorpay. Payment card details are collected and processed directly by Razorpay and are never stored on our servers. Razorpay Privacy Policy

Stripe -- Payment Processing (UK, Global)

For customers in the UK and other regions, subscription payments are processed through Stripe. Payment card details are collected and processed directly by Stripe and are never stored on our servers. Stripe Privacy Policy

Google Fonts & Fontshare -- Web Fonts

Our website loads fonts from Google Fonts and Fontshare. These services may log your IP address when fonts are requested. Google Privacy Policy

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Cookies

We use a minimal set of cookies and browser storage mechanisms:

Type | Purpose | Duration
Session token (localStorage) | Authenticate your login session via JWT | Until logout or token expiry
IndexedDB | Cache menu data and queue offline orders for sync | Persistent until cleared
Service Worker cache | Cache static assets and API responses for offline operation | Persistent until cleared

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in behavioural advertising networks.

6. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Under GDPR (UK / EEA)

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to restrict processing: Request limitation of how we use your data
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

Under India IT Act & DPDPA 2023

  • Right to access: Obtain a summary of your personal data and processing activities
  • Right to correction and erasure: Request correction of inaccurate data or erasure of data no longer necessary
  • Right to grievance redressal: Lodge a complaint with our designated grievance officer
  • Right to nominate: Nominate another individual to exercise your rights in the event of death or incapacity

Under UAE Federal Decree-Law No. 45/2021

  • Right to access: Request access to your personal data
  • Right to correction: Request rectification of inaccurate data
  • Right to stop processing: Request cessation of data processing in certain circumstances
  • Right to data transfer: Request transfer of your data to another controller

To exercise any of these rights, please contact us at support@billfeeds.com. We will respond within 30 days (or within the period required by applicable law). We may ask you to verify your identity before processing your request.

7. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days.
  • Order and transaction records: Retained for the duration of your subscription plus 7 years thereafter to comply with tax and accounting regulations in India, UAE, and UK.
  • Audit logs: Retained for 365 days, then automatically archived. Archived logs are retained for an additional 2 years before permanent deletion.
  • Billing records: Retained for 7 years from the date of the transaction as required by applicable tax laws.
  • Support tickets: Retained for 3 years from resolution for quality assurance and legal purposes.

8. International Data Transfers

As Bill Feeds operates across India, the UAE, and the UK, your data may be transferred to and processed in countries outside your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the UK/EEA
  • Adequacy assessments for all third-party processors
  • Contractual obligations requiring equivalent data protection standards

9. Children's Privacy

Bill Feeds is a business-to-business service intended for restaurant operators and their staff. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us at support@billfeeds.com and we will promptly delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern, please contact us:

For complaints that remain unresolved, UK residents may contact the Information Commissioner's Office (ICO). Indian residents may contact the Data Protection Board of India. UAE residents may contact the UAE Data Office.