Privacy Policy
This Privacy Policy explains how Ordeliya ApS collects, uses, stores, and protects personal data when you use our restaurant management platform and related services. We are committed to transparency and compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Introduction and Scope
This Privacy Policy describes how Ordeliya ApS ("Ordeliya," "we," "us," or "our") collects, uses, stores, shares, and protects personal data when you interact with our platform, websites, applications, and related services (collectively, the "Services"). We built Ordeliya to help restaurants, cafes, and food businesses manage online ordering, table reservations, digital menus, kitchen operations, delivery logistics, email marketing, analytics, and AI-driven tools from a single platform.
This Policy applies to all individuals who interact with our Services, including:
- Restaurant Operators: business owners, managers, and staff members who use the Ordeliya admin dashboard to manage their restaurant operations, menus, orders, marketing campaigns, and analytics.
- End Customers: individuals who browse restaurant storefronts hosted on Ordeliya, place orders, make table reservations, create customer accounts, or interact with any restaurant-facing feature powered by our platform.
- Website Visitors: individuals who visit our marketing website at ordeliya.com or any subdomain operated by Ordeliya.
- API Integrators: third-party developers or service providers who connect to Ordeliya through our APIs or webhook systems.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices described herein, you should discontinue use of the Services. We encourage you to read this document alongside our Terms of Service, Cookie Policy, and Data Processing Agreement for a complete understanding of your rights and obligations.
Where Ordeliya acts as a data processor on behalf of a restaurant operator (the data controller), the restaurant's own privacy policy governs how end customer data is handled. In such cases, this Policy describes our obligations as a processor under the General Data Protection Regulation (GDPR) and our Data Processing Agreement.
2. Who We Are
Ordeliya ApS is a company registered in Denmark under the Danish Business Authority (Erhvervsstyrelsen). We serve as the data controller for personal data collected through our marketing website, platform registration, and direct interactions with Ordeliya as a service provider.
Company Information
- Legal Name: Ordeliya ApS
- Country of Registration: Denmark (EU Member State)
- Registered Office: Copenhagen, Denmark
- Contact Email: privacy@ordeliya.com
- General Inquiries: support@ordeliya.com
As a Danish company operating within the European Union, we are subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Danish Data Protection Act (Databeskyttelsesloven), and the ePrivacy Directive as implemented in Danish law. We take these obligations seriously and have designed our platform architecture with privacy and data protection as foundational principles.
When a restaurant operator uses Ordeliya to manage their business, the restaurant is the data controller for their end customers' personal data, and Ordeliya acts as a data processor. The relationship between Ordeliya and the restaurant operator is governed by our Data Processing Agreement, which defines the scope, purpose, and technical and organizational measures we employ to protect personal data processed on behalf of our restaurant partners.
For questions about this Privacy Policy or to exercise your data protection rights, please contact our Data Protection Officer at dpo@ordeliya.com. You may also write to us at our registered office address. We aim to respond to all data protection inquiries within 30 days, consistent with GDPR requirements.
3. Information We Collect
The types of personal data we collect depend on how you interact with our Services and which role you hold (restaurant operator, end customer, or visitor). Below we describe each category in detail.
A. Restaurant Operator Account Data
When a restaurant owner or staff member registers for an Ordeliya account and sets up their business, we collect:
- Full name, email address, phone number, and job title or role within the organization.
- Business name, legal entity name, business registration number (e.g., Danish CVR number), VAT number, and business address.
- Login credentials (email and password — passwords are stored as bcrypt hashes and are never retained in plain text).
- Multi-factor authentication data (TOTP secrets for authenticator apps), stored in encrypted form.
- Billing information including subscription plan selection, invoice history, and payment method identifiers (we do not store full credit card numbers; these are held by our payment processors).
- Store configuration data such as operating hours, delivery zones, menu content, pricing, tax settings, and theme preferences.
- Staff user accounts and role assignments created within the operator's organization.
B. End Customer Data
When an end customer uses a restaurant's storefront powered by Ordeliya, the following data may be collected (with the restaurant as data controller):
- Name, email address, phone number, and delivery address.
- Order history including items purchased, order totals, fulfillment type (delivery, pickup, or curbside), and special instructions.
- Table reservation details including party size, date, time, seating preferences, and any messages exchanged with the restaurant.
- Customer account data such as saved addresses (up to five), favorite items, allergen profiles, notification preferences, and loyalty points.
- Social login identifiers when authenticating through Google, Apple, or Facebook (we receive a profile identifier and email; we never receive or store social media passwords).
- Payment transaction metadata including payment provider used, transaction status, and transaction identifiers (full payment credentials are handled by PCI-compliant payment processors).
- Review and feedback content including ratings, written reviews, and post-order survey responses.
C. Automatically Collected Technical Data
When you access any part of our Services, we automatically collect certain technical information:
- IP address, browser type and version, operating system, device type, and screen resolution.
- Pages visited, time spent on each page, navigation paths, and referring URLs.
- Session identifiers and authentication tokens (refresh tokens are stored as SHA-256 hashes, never in raw form).
- Performance metrics including page load times, API response times, and error logs (used for service reliability monitoring).
- Geolocation data derived from IP address (approximate city-level location, not precise GPS coordinates).
D. AI and Analytics Data
Our AI-powered features (such as menu description generation, campaign text creation, and the AI chat assistant) process data that restaurant operators provide as input. This may include restaurant names, cuisine types, product descriptions, and operational questions. AI-generated outputs are stored within the operator's account. We do not use individual restaurant data to train general-purpose AI models without explicit consent.
Our analytics features aggregate order data, revenue metrics, customer behavior patterns, and operational performance indicators. This aggregated data helps restaurant operators make informed business decisions. Where analytics involve personal data (e.g., individual customer order history), they are scoped to the specific restaurant's tenant and are never shared across tenants.
4. How We Collect Information
We obtain personal data through several channels, each with distinct characteristics and transparency requirements.
A. Information You Provide Directly
Most of the personal data we hold is provided directly by you. This includes information you enter when creating an account, configuring your restaurant, building your menu, placing orders, making reservations, submitting reviews, or contacting our support team. You are under no obligation to provide any particular piece of information, but refusing to do so may limit your ability to use specific features of the Services.
B. Information Collected Automatically
When you use our Services, our servers and client-side code automatically collect technical data as described in Section 3(C). We use cookies, local storage, and similar technologies to maintain session state, remember language preferences, and measure platform usage. Our storefront applications use session-based tracking to understand customer navigation patterns, product views, and cart interactions. This behavioral data helps restaurant operators understand their customers and improve their offerings.
C. Information from Third Parties
We may receive personal data from third-party sources in the following circumstances:
- Social Login Providers: When you sign in using Google, Apple, or Facebook, we receive your profile identifier, name, and email address from the respective identity provider. We do not receive your social media password or access to your social media content.
- Payment Processors: Our payment partners (including Stripe, Adyen, Nets, Reepay, VivaWallet, MobilePay, Vipps, and PayPal) provide us with transaction status updates, refund confirmations, and fraud risk assessments. We do not receive or store full credit card numbers from these providers.
- Domain and DNS Providers: When a restaurant configures a custom domain, we interact with DNS providers (such as Cloudflare) to verify domain ownership and provision SSL certificates. This involves processing domain names and DNS records, not personal data per se, unless the domain registration contains personal information.
- Google Business Profile: If a restaurant operator connects their Google Business Profile, we may receive review data, ratings, and business listing information to display within the Ordeliya dashboard.
D. Information from Restaurant Operators About Their Customers
Restaurant operators may import customer data into Ordeliya for purposes such as email marketing, loyalty programs, and order management. When this occurs, the restaurant operator is the data controller, and Ordeliya processes this data strictly according to the operator's instructions and our Data Processing Agreement. Restaurant operators are responsible for ensuring they have a lawful basis to provide this data to Ordeliya.
5. How We Use Your Information
We use the personal data we collect for the purposes described below. Each purpose is linked to a legal basis under GDPR, which is detailed further in Section 6.
A. Providing and Operating the Services
- Creating and maintaining your account, authenticating your identity, and managing access permissions across your stores.
- Processing online orders, managing order lifecycles (from receipt through preparation, dispatch, and completion), and facilitating refunds.
- Managing table reservations, including availability calculations, waitlist management, deposit handling, and guest communications.
- Operating the kitchen display system (KDS) to relay order information to kitchen staff in real time.
- Routing deliveries through configured delivery zones and fulfillment slots.
- Hosting and serving restaurant storefronts with multi-language, multi-currency, and multi-market support.
- Processing payments through integrated payment providers and managing subscription billing.
B. AI-Powered Features
Our AI features use information you provide (such as restaurant name, cuisine type, and product details) to generate menu descriptions, marketing copy, and operational recommendations. The AI chat assistant processes your questions and your store's data to provide contextual answers about orders, analytics, and operational tasks. AI interactions are processed through third-party language model providers, and the prompts we send are limited to the minimum data necessary to generate useful outputs. We do not use your data to train AI models for other customers or for general commercial purposes.
C. Email Marketing and Communications
Restaurant operators may use our email marketing tools to send campaigns to their customers. In this context, Ordeliya processes recipient email addresses, segmentation criteria, open and click tracking data, and delivery status. We also maintain suppression lists to honor unsubscribe requests. All marketing emails include an unsubscribe mechanism. Ordeliya itself may send you service-related communications (such as account verification, security alerts, and billing notices) and, with your consent, product updates and platform news.
D. Analytics and Business Intelligence
We aggregate and analyze usage data to provide restaurant operators with insights into revenue trends, order patterns, popular items, customer demographics, and operational efficiency. We also analyze platform-wide usage patterns (in anonymized or aggregated form) to improve our Services, identify reliability issues, and guide product development.
E. Security, Fraud Prevention, and Legal Compliance
We use personal data to detect and prevent fraudulent activity, unauthorized access, and abuse of the Services. This includes monitoring login patterns, rate-limiting API requests, maintaining audit logs, and implementing IP-based security measures. We may also process personal data to comply with applicable laws, respond to legal requests, enforce our Terms of Service, and protect the rights, property, or safety of Ordeliya, our restaurant partners, and their customers.
F. Service Improvement and Product Development
We use aggregated and anonymized data to understand how the platform is used, identify performance bottlenecks, test new features, and prioritize development efforts. Where we use personal data for this purpose (such as analyzing error logs that contain user identifiers), we rely on our legitimate interest in improving the Services, balanced against your privacy rights through appropriate safeguards such as data minimization and access restrictions.
6. Legal Bases for Processing
Under Article 6 of the GDPR, we must have a lawful basis for each processing activity involving personal data. The legal bases we rely on are:
A. Performance of a Contract (Article 6(1)(b))
Processing that is necessary to fulfill our contractual obligations to you. This covers account creation and management, service provision (hosting your storefront, processing orders, managing reservations), subscription billing, and technical support. For end customers, this basis applies when processing is necessary to fulfill an order or reservation placed through a restaurant's storefront.
B. Consent (Article 6(1)(a))
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. We rely on consent for: marketing communications from Ordeliya about product updates and platform news; placement of non-essential cookies and tracking technologies (see our Cookie Policy); and optional data collection such as customer behavior tracking on storefronts (which restaurant operators may enable with appropriate end-customer consent mechanisms).
C. Legitimate Interests (Article 6(1)(f))
We rely on legitimate interests where our processing does not override your fundamental rights and freedoms. Our legitimate interests include: maintaining the security and integrity of the platform (fraud detection, abuse prevention, vulnerability monitoring); improving and developing the Services based on aggregated usage analysis; providing customer support and responding to inquiries; enforcing our Terms of Service; and generating anonymized analytics for internal business intelligence. We conduct balancing tests for each legitimate interest to ensure that your rights are appropriately protected.
D. Legal Obligation (Article 6(1)(c))
Some processing is necessary to comply with legal obligations to which Ordeliya is subject. This includes retaining transaction records and invoices as required by Danish tax and accounting regulations (Bogføringsloven), responding to lawful data access requests from supervisory authorities or law enforcement, complying with food safety record-keeping requirements where applicable, and fulfilling our obligations under the GDPR itself (such as maintaining records of processing activities and responding to data subject access requests).
E. Vital Interests (Article 6(1)(d))
In exceptional circumstances, we may process personal data to protect the vital interests of an individual. For example, if a severe allergic reaction is reported in connection with an order, we may share relevant allergen and order information with emergency services. This basis is rarely invoked and only in genuine emergencies.
7. Data Sharing and Disclosure
We do not sell personal data to third parties. We share personal data only in the circumstances described below, and always with appropriate safeguards.
A. Sub-Processors and Service Providers
We engage trusted sub-processors who assist us in operating the Services. Each sub-processor is bound by a data processing agreement that requires them to process personal data only according to our instructions and to maintain appropriate security measures. Our current sub-processor categories include:
- Cloud Infrastructure: We host our platform on Railway (infrastructure provider), with data stored in European data centers. Railway provides compute, database hosting (PostgreSQL), and deployment infrastructure.
- Email Delivery: We use email service providers to send transactional emails (order confirmations, password resets) and marketing campaigns on behalf of restaurant operators.
- CDN and DNS: Cloudflare provides content delivery, DDoS protection, DNS management, and SSL certificate provisioning.
- Object Storage: AWS S3 (EU region) is used for storing uploaded media assets (restaurant images, logos, menu photos).
- Error Monitoring: Sentry is used for application error tracking and performance monitoring. Error reports may contain technical identifiers but are minimized to exclude unnecessary personal data.
- AI Processing: OpenAI and Anthropic provide language model capabilities for our AI features. Prompts sent to these providers are limited to the minimum data necessary and are subject to the providers' data processing terms.
B. Payment Processors
When a payment is initiated, relevant transaction data is shared with the selected payment processor (Stripe, Adyen, Nets, Reepay, VivaWallet, MobilePay, Vipps, MyPOS, or PayPal). These processors operate as independent data controllers for payment data and are PCI DSS compliant. We receive transaction confirmations and status updates but do not receive or store full payment card details.
C. Restaurant Operators and End Customers
When an end customer places an order or makes a reservation, the relevant information (name, contact details, order contents, delivery address) is shared with the restaurant operator who fulfills that order or reservation. The restaurant operator is the data controller for this exchange, and their privacy policy governs further use of this data.
D. Legal and Regulatory Disclosure
We may disclose personal data when required by law, in response to valid legal process (such as a court order, subpoena, or government investigation), or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Ordeliya, our users, or the public. We will notify affected users of legal demands for their data unless prohibited from doing so by law or court order.
E. Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred as part of the transaction. We will provide notice before personal data is transferred and becomes subject to a different privacy policy. Any acquiring entity will be required to honor the commitments made in this Privacy Policy or provide you with notice and an opportunity to opt out.
8. International Data Transfers
As a Danish company, Ordeliya stores and processes the majority of personal data within the European Economic Area (EEA). Our primary database infrastructure is hosted in European data centers. However, some of our sub-processors and services may involve transferring personal data outside the EEA.
A. Transfers Within the EEA
Data transfers between EU/EEA member states are permitted under the GDPR without additional safeguards, as all member states provide an equivalent level of data protection. Our primary infrastructure, database, and most sub-processors are located within the EEA.
B. Transfers to Adequate Countries
The European Commission has determined that certain countries outside the EEA provide an adequate level of data protection. Transfers to these countries (such as Switzerland, the United Kingdom, Japan, and others on the adequacy list) may occur without additional safeguards beyond what the GDPR requires.
C. Transfers to Other Countries
Where personal data is transferred to countries without an adequacy decision (for example, when using US-based sub-processors), we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): We enter into the European Commission's approved Standard Contractual Clauses with sub-processors located outside the EEA. These clauses contractually obligate the recipient to protect personal data to a standard equivalent to the GDPR.
- EU-US Data Privacy Framework: For transfers to the United States, we verify whether the recipient is certified under the EU-US Data Privacy Framework, which provides an adequacy mechanism for participating US companies.
- Supplementary Measures: Where required by our transfer impact assessment, we implement supplementary technical and organizational measures such as encryption in transit and at rest, pseudonymization, and access controls to ensure the transferred data remains protected.
You may request information about the specific safeguards applied to transfers of your personal data by contacting us at dpo@ordeliya.com. We maintain an up-to-date list of sub-processors and the countries in which they operate, available upon request.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Below are the retention periods for different categories of data.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days | Contract performance |
| Order and transaction records | 5 years from transaction date | Danish accounting law (Bogføringsloven) |
| Invoice and billing records | 5 years from fiscal year end | Danish tax regulations |
| Email marketing data | Until unsubscribe + suppression list indefinitely | Consent + legitimate interest |
| Authentication sessions | 7 days (refresh tokens), revoked tokens 90 days | Security / contract |
| Audit logs | 2 years | Legitimate interest (security) |
| Customer behavior events | 12 months | Legitimate interest (analytics) |
| Support correspondence | 3 years from resolution | Legitimate interest |
| GDPR/DSAR request records | 3 years from completion | Legal obligation (accountability) |
| Deleted account data | Anonymized within 30 days of deletion request | GDPR right to erasure |
Our platform uses soft-deletion as the primary mechanism for data removal. When data is "deleted" through the user interface, it is marked as archived or inactive rather than immediately purged. This approach prevents accidental data loss and maintains referential integrity in audit trails. Permanently purging archived data occurs according to the retention schedules above, after which data is either irreversibly anonymized or securely destroyed.
When a restaurant operator terminates their Ordeliya subscription, we retain their account data in an archived state for 30 days to allow for reactivation. After 30 days, personal data is anonymized, while transaction records subject to legal retention obligations are retained for the required period in a restricted-access archive.
10. Your Rights Under GDPR
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR (and equivalent UK and Swiss legislation). You can exercise these rights at any time by contacting us at dpo@ordeliya.com or through the Data Subject Access Request (DSAR) feature in your Ordeliya account settings.
A. Right of Access (Article 15)
You have the right to request confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about the purposes of processing, categories of data, recipients, retention periods, and the source of the data if it was not collected directly from you. We provide this information free of charge within 30 days of your request.
B. Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data. For restaurant operators, most data can be corrected directly in the dashboard settings. For end customers, account profile settings allow direct editing of name, email, phone, addresses, and preferences.
C. Right to Erasure (Article 17)
You have the right to request deletion of your personal data when: the data is no longer necessary for the purpose it was collected; you withdraw consent (and no other legal basis applies); you object to processing and there are no overriding legitimate grounds; or the data has been unlawfully processed. We may retain certain data where required by law (for example, transaction records for tax compliance) or where necessary to establish, exercise, or defend legal claims. End customers can initiate account deletion directly through their storefront profile settings.
D. Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances: while we verify the accuracy of data you have contested; where processing is unlawful but you prefer restriction over erasure; where we no longer need the data but you require it for legal claims; or while we assess whether our legitimate interests override your objection. During restriction, we will store the data but not process it further without your consent (except for storage, legal claims, or protection of another person's rights).
E. Right to Data Portability (Article 20)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV). You also have the right to request that we transmit this data directly to another controller where technically feasible. Restaurant operators can export their store data, customer lists, order history, and analytics through the dashboard export features.
F. Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose immediately and without exception. For objections based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
G. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on you. Ordeliya does not currently make fully automated decisions about individuals that produce legal or similarly significant effects. Where our AI features produce recommendations or suggestions, these are provided as tools for human decision-making by restaurant operators, not as automated final decisions.
H. Right to Withdraw Consent
Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent through your account settings, by clicking unsubscribe links in marketing emails, or by contacting us directly.
11. Your Rights Under Other Laws
Depending on your location, you may have additional data protection rights under local laws. While Ordeliya is a Danish company primarily serving the European market, we respect the rights of individuals worldwide.
A. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with specific rights regarding your personal information. These include the right to know what personal information we collect and how it is used, the right to request deletion, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your privacy rights. Ordeliya does not sell personal information as defined under the CCPA/CPRA. To exercise your rights, contact us at privacy@ordeliya.com.
B. Brazilian Residents (LGPD)
If you are a resident of Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with rights similar to the GDPR, including confirmation of processing, access to your data, correction of incomplete or inaccurate data, anonymization or deletion of unnecessary data, data portability, information about shared data, and the ability to revoke consent. To exercise your rights under the LGPD, contact our Data Protection Officer at dpo@ordeliya.com.
C. South African Residents (POPIA)
If you are a resident of South Africa, the Protection of Personal Information Act (POPIA) grants you the right to be notified when your personal information is collected, to request access to your personal information, to request correction or deletion, to object to processing, and to submit a complaint to the Information Regulator. You may exercise these rights by contacting privacy@ordeliya.com.
D. Other Jurisdictions
We are committed to respecting data protection rights regardless of your location. If your jurisdiction grants privacy rights not explicitly addressed above, please contact us and we will evaluate your request in accordance with applicable law. We apply the GDPR standard as our baseline for all individuals, meaning that even where local law may provide fewer protections, we endeavor to provide the same level of rights and transparency described in this Policy.
13. Children's Privacy
Ordeliya's Services are designed for use by businesses and adult consumers. We do not knowingly collect personal data from children.
A. Age Requirements
Under the GDPR, children below the age of 16 (or a lower age set by individual EU member states, but not below 13) require parental consent for the processing of their personal data in relation to information society services. In Denmark, the age of digital consent is 13 years. In the United States, the Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal information from children under 13.
Restaurant operator accounts require the account holder to be at least 18 years of age or the age of legal majority in their jurisdiction, whichever is higher. Customer storefront accounts are intended for individuals who are at least 16 years of age (or 13 where the applicable member state has set a lower threshold).
B. What We Do If We Discover Underage Data
If we become aware that we have collected personal data from a child below the applicable age threshold without valid parental consent, we will take prompt steps to delete that data from our systems. If you believe that a child has provided us with personal data without appropriate consent, please contact us at privacy@ordeliya.com and we will investigate and take appropriate action.
C. Orders Placed by Minors
We recognize that food orders may sometimes be placed by or on behalf of individuals under 16. Where a guest checkout is used (without account creation), minimal personal data is collected (name, delivery address, and contact information for order fulfillment only). This data is processed under the legal basis of contract performance with the restaurant and is retained only for the standard order retention period. Parents or guardians may contact us to request deletion of any such order data.
14. Security Measures
We implement comprehensive technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Security is integrated into every layer of our platform architecture.
A. Encryption
- All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. SSL certificates are provisioned and managed automatically through Cloudflare.
- Database connections use encrypted transport. Sensitive fields such as MFA secrets and payment provider credentials are encrypted at rest.
- Passwords are hashed using bcrypt with a cost factor of 10, making brute-force attacks computationally infeasible.
- Refresh tokens are stored as SHA-256 hashes, not in their raw form, so that even in the event of a database breach, tokens cannot be used directly.
B. Authentication and Access Controls
- Three separate JWT realms (tenant, platform admin, and customer) with distinct signing secrets and audience claims prevent cross-realm authentication attacks.
- Role-based access control (RBAC) with hierarchical roles (Owner, Admin, Manager, Staff) ensures that users can only access data and features appropriate to their role.
- Platform admin accounts require multi-factor authentication (TOTP-based) for all login attempts.
- Refresh token rotation with reuse detection: each refresh creates a new token and invalidates the old one. If a revoked token is reused, all sessions for that user are terminated as a precaution.
- Sessions expire automatically (access tokens after 15 minutes, refresh tokens after 7 days), and users can view and revoke active sessions.
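The hashed-storage and rotation-with-reuse-detection behaviour described in the two lists above, written out as an added TypeScript example. This is illustrative code, not Ordeliya's implementation: it assumes an in-memory map standing in for the refresh token table, the 7-day refresh lifetime stated above, and Node's built-in crypto module for SHA-256 and random token generation.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Lifetime taken from the policy text: refresh tokens expire after 7 days.
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;

// "rotated": exchanged for a successor and never valid again.
// "revoked": ended by expiry or by a user-wide cascade.
type TokenState = "active" | "rotated" | "revoked";

interface RefreshTokenRecord {
  userId: string;
  state: TokenState;
  expiresAt: number; // epoch milliseconds
}

type RotateResult =
  | { status: "ok"; token: string } // new raw token for the client
  | { status: "invalid" }           // unknown, expired, or revoked by cascade
  | { status: "reuse_detected" };   // an already-rotated token was presented again

// In-memory stand-in for the refresh token table (constructed for this example).
// Keys are SHA-256 hex digests of the raw tokens; raw tokens are never stored.
class RefreshTokenStore {
  private readonly records = new Map<string, RefreshTokenRecord>();

  private static hash(rawToken: string): string {
    return createHash("sha256").update(rawToken).digest("hex");
  }

  // Mint a refresh token for a user. Only the client ever sees the raw value.
  issue(userId: string, now: number = Date.now()): string {
    const rawToken = randomBytes(32).toString("base64url");
    this.records.set(RefreshTokenStore.hash(rawToken), {
      userId,
      state: "active",
      expiresAt: now + REFRESH_TTL_MS,
    });
    return rawToken;
  }

  // Exchange a refresh token for a new one, invalidating the presented token.
  rotate(rawToken: string, now: number = Date.now()): RotateResult {
    const record = this.records.get(RefreshTokenStore.hash(rawToken));
    if (!record) return { status: "invalid" };

    if (record.state === "rotated") {
      // The token was already exchanged once, so either the legitimate client
      // or a thief is replaying it. Treat it as compromise and end every session.
      this.revokeAll(record.userId);
      return { status: "reuse_detected" };
    }
    if (record.state === "revoked") return { status: "invalid" };
    if (record.expiresAt <= now) {
      record.state = "revoked";
      return { status: "invalid" };
    }

    record.state = "rotated"; // the old token is single-use
    return { status: "ok", token: this.issue(record.userId, now) };
  }

  // Terminate all live sessions for a user; returns how many were still active.
  revokeAll(userId: string): number {
    let count = 0;
    for (const record of this.records.values()) {
      if (record.userId === userId && record.state === "active") {
        record.state = "revoked";
        count++;
      }
    }
    return count;
  }

  // Number of live (active, unexpired) refresh tokens a user currently holds.
  activeSessionCount(userId: string, now: number = Date.now()): number {
    let count = 0;
    for (const record of this.records.values()) {
      if (record.userId === userId && record.state === "active" && record.expiresAt > now) {
        count++;
      }
    }
    return count;
  }
}
```

Because only the digest is persisted, a copy of the table cannot be replayed against the API; the attacker would need the raw token that exists only on the client. Keeping the "rotated" and "revoked" states distinct is what lets a replay of an exchanged token trigger the user-wide cascade while a token that was merely caught by that cascade fails quietly.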
C. Infrastructure Security
- Our platform is hosted on Railway with infrastructure isolated per service (API, web dashboard, storefront, and marketing site run as separate containers).
- Cloudflare provides DDoS protection, web application firewall (WAF) rules, and bot management at the edge.
- Security headers are enforced on all responses, including Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Strict-Transport-Security (HSTS), and Referrer-Policy.
- API rate limiting is enforced globally (100 requests per 60-second window by default) to prevent abuse and brute-force attacks.
D. Tenant Isolation
Our multi-tenant architecture enforces strict data isolation at the application layer. Every database query is scoped to the authenticated tenant's store identifier, which is derived from the JWT token and verified by server-side guards — never accepted from client-supplied request parameters. This design ensures that one restaurant operator cannot access another's data, even in the event of application-level vulnerabilities.
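As an added example of the guard pattern described above, and not Ordeliya's own code, the following TypeScript derives the store identifier and role from an already-verified JWT payload, rejects tokens issued for the other two realms, and hands the request handler a repository that can only query that store, so a storeId sent by the client has no effect. The claim names, sample order rows, role ranks, handler names and error type are assumptions; checking the token signature against the realm's secret happens before this code and is not shown.

```typescript
// Realms and roles as named in the policy; claim names, sample rows and the
// error type are assumptions made for this example.
type Realm = "tenant" | "platform-admin" | "customer";
type Role = "Owner" | "Admin" | "Manager" | "Staff";

// Payload of a JWT whose signature has already been verified.
interface VerifiedClaims {
  sub: string;
  aud: Realm;
  storeId?: string; // present only on tenant-realm tokens
  role?: Role;      // present only on tenant-realm tokens
}

interface Order {
  id: string;
  storeId: string;
  total: number;
}

// Constructed sample rows standing in for the orders table.
const ORDERS: Order[] = [
  { id: "o-1", storeId: "store-A", total: 120 },
  { id: "o-2", storeId: "store-A", total: 80 },
  { id: "o-3", storeId: "store-B", total: 200 },
];

// Hierarchical roles: a higher rank satisfies any lower requirement.
const ROLE_RANK: Record<Role, number> = { Staff: 0, Manager: 1, Admin: 2, Owner: 3 };

class ForbiddenError extends Error {}

// Repository whose every query is pre-scoped to one store; callers cannot widen it.
class TenantOrders {
  private readonly storeId: string;

  constructor(storeId: string) {
    this.storeId = storeId;
  }

  list(): Order[] {
    return ORDERS.filter((o) => o.storeId === this.storeId);
  }

  // Scoped by store as well as id, so an id guessed from another tenant returns nothing.
  findById(id: string): Order | undefined {
    return ORDERS.find((o) => o.id === id && o.storeId === this.storeId);
  }
}

// Server-side guard: the store comes from the verified token and nowhere else.
function tenantGuard(claims: VerifiedClaims | null, minRole: Role = "Staff"): TenantOrders {
  if (!claims) throw new ForbiddenError("unauthenticated");
  if (claims.aud !== "tenant") throw new ForbiddenError("token is not from the tenant realm");
  if (!claims.storeId || !claims.role) throw new ForbiddenError("tenant token lacks store or role");
  if (ROLE_RANK[claims.role] < ROLE_RANK[minRole]) throw new ForbiddenError("insufficient role");
  return new TenantOrders(claims.storeId);
}

// Handler for listing orders. Any storeId the client sends in the query is
// ignored: the repository returned by the guard is already bound to the token's store.
function handleListOrders(claims: VerifiedClaims | null, _query: { storeId?: string }): Order[] {
  return tenantGuard(claims).list();
}

// Handler for deleting an order; this example restricts it to Manager and above.
function handleDeleteOrder(claims: VerifiedClaims | null, id: string): boolean {
  const order = tenantGuard(claims, "Manager").findById(id);
  if (!order) return false; // not visible in this tenant, even if the id exists elsewhere
  ORDERS.splice(ORDERS.indexOf(order), 1);
  return true;
}
```

The important property is that the handler never sees a store identifier it could get wrong: the guard turns the token into a scoped repository, and every query inside that repository carries the store filter. A missing authorization check in a handler then leaks nothing across tenants, which is the "even in the event of application-level vulnerabilities" guarantee the paragraph above describes.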
E. Monitoring and Incident Response
- Application errors and exceptions are monitored through Sentry with real-time alerting for critical issues.
- Audit logs record security-relevant events such as login attempts, role changes, data exports, and configuration modifications.
- We maintain an incident response plan that includes identification, containment, eradication, recovery, and post-incident review phases.
- In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
F. Employee and Contractor Access
Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis. All Ordeliya team members with data access are subject to confidentiality obligations. We conduct regular access reviews to ensure that permissions remain appropriate as roles change.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make changes, we will update the "Last updated" date at the top of this page.
A. Notification of Material Changes
For material changes that significantly affect how we collect, use, or share personal data, we will provide prominent notice through one or more of the following methods:
- An email notification sent to the primary email address associated with your account.
- A prominent banner or notification within the Ordeliya admin dashboard.
- A notice on our website at least 30 days before the changes take effect.
Material changes include, but are not limited to: introducing new categories of personal data collection, sharing personal data with new categories of third parties, changing the legal basis for processing, or reducing your rights under this Policy.
B. Non-Material Changes
For non-material changes (such as clarifications, formatting improvements, or updates to contact information), we will update this page without additional notice. We encourage you to review this Policy periodically to stay informed about how we protect your data.
C. Continued Use
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you should stop using the Services and, if applicable, close your account. Where changes require renewed consent under GDPR, we will seek that consent explicitly before the changes take effect.
D. Version History
We maintain an archive of previous versions of this Privacy Policy. You may request access to any prior version by contacting us at legal@ordeliya.com. The version history helps establish the terms that were in effect at any given time.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, you may contact us through the following channels:
Data Protection Officer
- Email: dpo@ordeliya.com
- Subject Line: "Privacy Inquiry" or "DSAR Request"
- Response Time: Within 30 days (may be extended by 60 days for complex requests, with notice)
General Privacy Inquiries
- Email: privacy@ordeliya.com
- Postal Address: Ordeliya ApS, Copenhagen, Denmark
Supervisory Authority
If you are unsatisfied with our response to your privacy concern or believe that we are processing your personal data in a manner inconsistent with applicable law, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:
Datatilsynet (Danish Data Protection Agency)
- Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark
- Phone: +45 33 19 32 00
- Email: dt@datatilsynet.dk
- Website: www.datatilsynet.dk
If you are located outside Denmark but within the EU/EEA, you may also lodge a complaint with the data protection authority in your country of residence. A list of EU data protection authorities is available on the European Data Protection Board website at edpb.europa.eu.
We encourage you to contact us first before escalating to a supervisory authority, as we are committed to resolving privacy concerns promptly and transparently. Our goal is to address your concern in a manner that respects your rights and maintains your trust in our platform.
If you have any questions about this document, please contact us at legal@ordeliya.com.