
EasyAiMenu – Privacy Policy

Platform Operator: Octakris IT Solutions LLP

LLPIN: AAH-9923

Registered Address:
505 Infinity Showrooms & Offices, Besides Gokul Mathura,
Ayodhya Chowk, Rajkot – 360005, Gujarat, India

Platform Website: EasyAiMenu
Company Website: Octakris IT Solutions LLP
Effective Date: July 1, 2025
Last Updated: July 1, 2025

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Octakris IT Solutions LLP ("Company", "We", "Us", "Our"), the operator of EasyAiMenu (https://easyaimenu.com), collects, processes, stores, shares, and protects personal data in connection with the EasyAiMenu Platform.

This Policy applies to:

  • Restaurant Operators — businesses and individuals who subscribe to and administer the Platform
  • Restaurant Staff — Managers and Waiters who are granted access to the Platform by their Operator
  • Restaurant Guests — end-users who interact with the digital menu via QR code

This Policy is published in compliance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 (DPDP Act). The Platform is designed exclusively for use in India, and all data processing is governed by Indian law.

By using the Platform, You consent to the data practices described in this Policy. If you do not agree with this Policy, you must not use the Platform.

2. Data We Collect

2.1 Restaurant Operator Data

When a restaurant business registers on EasyAiMenu, we collect:

  • Business name, unique slug or subdomain, and custom domain (if configured)
  • Contact name, email address, and phone number
  • Business address and registered state
  • GSTIN, CGST/SGST configuration, and billing currency preference
  • UPI ID (Virtual Payment Address) and business name for display on guest receipts
  • Subscription plan details and payment/billing history
  • Brand assets: restaurant logo, theme colors (primary, secondary, accent, dark mode)
  • Receipt header and footer notes as configured by the Operator

2.2 Restaurant Staff Data

  • Full name, email address, and phone number
  • Assigned role (Manager or Waiter) and active status
  • Hashed login credentials (passwords are never stored in plaintext)
  • Session activity logs within the Platform

2.3 Restaurant Guest Data

Guests accessing the digital menu via QR code may have the following data collected, depending on the configuration set by the Restaurant Operator:

  • Name and phone number (collected during guest check-in, if enabled by the Operator)
  • OTP verification records (if SMS OTP authentication is enabled by the Operator)
  • Table number, session timestamp, and check-in flow data
  • Order details: items selected, variant choices, custom field responses, and preparation notes

Note: Guest data collection is governed entirely by the Restaurant Operator's settings. If the Operator disables the "Store Guest Information" setting, personal guest data is not retained beyond the active session. Both Octakris IT Solutions LLP and the Restaurant Operator share responsibility for the lawful collection and processing of guest data.

2.4 Technical, Usage, and Device Data

We automatically collect the following technical data when You access or use the Platform:

  • IP addresses and approximate geographic location derived from IP
  • Device type, operating system, and version
  • Browser type, browser language, and browser version
  • Internet service provider (ISP) information
  • Referring and exit page URLs
  • Date, time, and duration of access
  • Clickstream data and navigation paths within the Platform
  • QR token access events and table session initialization records
  • API request volume, frequency, rate, and response status codes
  • AI interaction logs — text queries submitted to and responses from the AI Sommelier (raw voice audio is not retained after STT processing)
  • Mobile device identifiers (where the waiter application is accessed via mobile), including device model and unique device identifier, used for session management and security

This data is collected automatically via server logs, session management, and analytics tools and is used for security monitoring, performance optimization, abuse prevention, and fair usage enforcement.

2.5 Feedback and Improvement Data

We actively collect feedback from Restaurant Operators and Staff to improve the Platform. This may include:

  • Voluntary feedback submitted through in-Platform feedback forms or surveys
  • Feature requests, bug reports, and suggestions submitted via email or support channels
  • Ratings or satisfaction scores submitted following support interactions
  • Testimonials or written reviews provided about the Platform or its features
  • Usage patterns and interaction data derived from how Operators navigate and use Platform features (collected in aggregate and anonymized form where possible)

This data is used exclusively for product improvement, feature prioritization, quality assurance, and — where You have explicitly consented — for marketing and promotional purposes such as publishing testimonials on our website or promotional materials.

2.6 Usage Monitoring Data (Fair Usage Policy)

In order to administer and enforce our Fair Usage Policy, we collect and monitor the following usage data across all Restaurant Operator accounts:

  • Aggregate counts of AI Sommelier interactions, STT transcription calls, TTS synthesis calls, and LLM API requests per account per billing cycle
  • AI Playground session frequency and query volume
  • Total number and combined file size of media assets stored under your tenant directory
  • Volume of orders processed, receipts generated, and KOTs printed per billing cycle
  • Number of active staff accounts, tables, menu items, categories, and discount codes configured
  • API request volume, frequency, and rate per account
  • Number of active guest sessions and QR code scan events per day

This data is used exclusively for platform resource management, fair usage monitoring, plan entitlement enforcement, and abuse prevention. It is not shared with third parties for commercial purposes and is not used for advertising or profiling.

3. How We Use Personal Data

3.1 Service Delivery

  • To provision and maintain Restaurant Operator accounts and isolated tenant environments
  • To serve digital menus to guests via QR code-initiated sessions
  • To process and display orders, manage table sessions, and facilitate guest check-ins
  • To authenticate waiter staff and support table and order management operations
  • To generate GST-compliant receipts and Kitchen Order Tickets (KOTs)

3.2 AI and Voice Features

  • To process guest text inputs and voice queries through configured AI providers for menu assistance and recommendations
  • To generate AI-powered upselling suggestions based on current cart composition
  • To perform Speech-to-Text (STT) and Text-to-Speech (TTS) operations via configured third-party voice providers

3.3 Billing and Statutory Compliance

  • To process subscription payments and issue GST-compliant tax invoices
  • To maintain financial and accounting records as required under the GST Act, 2017, and the Income Tax Act, 1961
  • To comply with legal obligations arising under Indian law, including court orders, regulatory requirements, and statutory reporting

3.4 Platform Security and Improvement

  • To detect, investigate, and prevent fraudulent, abusive, or unauthorized use of the Platform
  • To monitor Platform performance, identify and fix bugs, and improve features
  • To analyze aggregate and anonymized usage patterns for internal product development (no identifiable personal data is shared externally for this purpose)
  • To monitor per-account resource consumption across all Platform features and enforce the Fair Usage Policy in a manner that protects platform integrity and equitable access for all Restaurant Operators

3.5 Feedback and Product Improvement

  • To collect, store, and analyze voluntary feedback and suggestions submitted by Restaurant Operators and Staff
  • To prioritize and develop new Platform features based on operator needs and usage patterns
  • To publish testimonials or reviews on our website, marketing materials, or promotional content, where the submitting party has provided explicit consent or where the feedback was submitted in a public or semi-public context
  • To conduct satisfaction surveys and follow-up communications relating to support interactions or new feature rollouts
  • To generate anonymized, aggregate insights from usage behavior for internal product development; such insights do not identify individual users or businesses

3.6 Communications and Notifications

  • To send transactional emails relating to your subscription, including payment receipts, tax invoices, plan expiry notices, and dormancy warnings
  • To send in-platform and email notifications relating to Platform updates, new features, and maintenance windows
  • To send promotional communications, newsletters, or product announcements where You have opted in to receive such communications

You may opt out of promotional email communications at any time by clicking the unsubscribe link in any such email or by writing to [email protected]. Opting out of promotional communications will not affect transactional notifications that are necessary for the operation of your account.

4. Legal Basis for Processing (DPDP Act, 2023)

Under the Digital Personal Data Protection Act, 2023, we process personal data on the following lawful grounds:

  • Consent: Guest personal data is collected on the basis of consent obtained at check-in, where enabled by the Restaurant Operator. Restaurant Operators provide implied consent to data processing by subscribing to and using the Platform. For use of testimonials in marketing, explicit consent is obtained separately.
  • Contract: Processing necessary to perform and deliver the subscription services agreed to by Restaurant Operators.
  • Legitimate Use: Platform security, fraud prevention, abuse detection, fair usage monitoring, and internal service improvement including analysis of aggregate feedback and usage patterns.
  • Legal Obligation: Compliance with Indian tax law (GST), the IT Act, the DPDP Act, and other applicable statutory requirements.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share personal data with third-party service providers strictly to the extent necessary to operate the Platform. These providers are contractually obligated to process data only as instructed and to maintain appropriate security standards:

  • AI/LLM Providers (OpenAI, Anthropic, Google Gemini, OpenRouter, Sarvam AI): Guest text inputs and AI prompts are transmitted for processing and response generation
  • Voice Providers (ElevenLabs, Google Cloud TTS, Sarvam AI): Text transmitted for speech synthesis; guest voice audio transmitted for transcription and not retained post-processing
  • Payment Processors (Razorpay and others): Subscriber billing information for payment collection; raw card data is not stored by us
  • Cloud Storage Providers (Amazon S3 or compatible): Restaurant media assets, branding files, and menu export archives
  • SMS Gateway Providers: Guest phone numbers transmitted solely for OTP delivery

5.2 Restaurant Operators and Guest Data Visibility

Restaurant Operators can view and manage guest data for their own restaurant exclusively, via the admin panel, where the "Store Guest Information" CRM feature is enabled. Strict tenant isolation ensures that no Restaurant Operator can access, view, or modify data belonging to any other tenant on the Platform.

5.3 Legal Disclosures

We may disclose personal data to law enforcement agencies, courts, or regulatory authorities when required by applicable Indian law, pursuant to a valid court order or summons, or where disclosure is necessary to protect the legal rights or safety of Octakris IT Solutions LLP, Restaurant Operators, or restaurant guests.

5.4 No Sale of Personal Data

Octakris IT Solutions LLP does not sell, rent, trade, share for commercial consideration, or otherwise exploit the personal data of any user — Restaurant Operators, Staff, or Guests — to any third party for marketing, advertising, or any commercial purpose.

6. Data Storage and Security

6.1 Storage Location

Personal data is stored on servers and cloud infrastructure located in India. Cross-border transmission of data may occur when guest text queries or voice inputs are processed by third-party AI or voice providers hosted internationally. Such transfers are conducted under appropriate data processing agreements and contractual safeguards in line with applicable Indian law.

6.2 Multi-Tenant Data Isolation

The Platform enforces strict data isolation between restaurant tenants. Each restaurant's data is logically separated using a "BelongsToRestaurant" scoping mechanism applied across all database queries and API responses. No Restaurant Operator can access, view, or interact with data belonging to any other tenant.

6.3 Public Visibility of Uploaded Assets

Menu item images, restaurant logos, and promotional banners uploaded to the Platform are stored with public-read access to enable guest-facing menu display via QR code. Restaurant Operators must not upload sensitive, personal, or confidential information as public media assets.

6.4 Technical Security Measures

  • All data in transit is encrypted using HTTPS/TLS
  • Staff and operator passwords are stored using industry-standard one-way cryptographic hashing (bcrypt or equivalent)
  • Context-aware rate limiting applied to all API endpoints
  • HTTP security headers enforced: HSTS, Content Security Policy (CSP), XSS-Protection
  • Tenant identification via domain/subdomain resolution, X-Restaurant-Slug header validation, and QR token verification
  • Access and security logs maintained for audit purposes

While we implement robust technical and organizational security measures, no system is entirely immune to security incidents. In the event of a data breach likely to result in risk to individuals, we will take prompt remedial action and notify affected parties in accordance with obligations under the DPDP Act, 2023.

7. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Restaurant Operator account data | Active subscription + 30 days post-termination |
| Restaurant Staff data | Duration of association with Operator's active account |
| Guest data | Controlled by Operator's "Store Guest Information" setting; not persisted if disabled |
| Financial and billing records | Minimum 7 years (GST Act, 2017 & Income Tax Act, 1961) |
| AI interaction logs | Limited operational period for debugging and QA |
| Access and security logs | 90 days |
| Feedback, surveys, and testimonials | Duration of relevance; removal within 15 days on request |
| Usage monitoring data (FUP) | Rolling 90 days; summaries up to 12 months |
| Transactional email records | 12 months |
| Device and mobile analytics | 90 days (rolling) |

8. Your Rights as a Data Principal (DPDP Act, 2023)

8.1 Rights of Restaurant Operators and Staff

  • Right to Access: Request a summary of personal data held by us about you or your business
  • Right to Correction: Request correction of inaccurate or outdated personal data
  • Right to Erasure: Request deletion of your account and associated personal data, subject to statutory retention obligations (e.g., financial and tax records). To delete your account, write to us at [email protected]
  • Right to Data Portability: Export your menu and operational data at any time using the Menu Export feature in the Platform's Settings section
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time, subject to the consequential impact on service delivery
  • Right to Withdraw Testimonial Consent: Where a testimonial or review attributed to You has been published by Octakris IT Solutions LLP, You may request its removal at any time by writing to [email protected]. Removal will be completed within 15 days of the written request
  • Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 11)

8.2 Rights of Restaurant Guests

  • Restaurant guests may contact the relevant Restaurant Operator directly to exercise data rights, as the Operator is the primary controller of guest data collected through their establishment
  • Where Octakris IT Solutions LLP processes guest data as a data processor, requests may also be directed to our Grievance Officer at [email protected]

To exercise any of the above rights, please write to: [email protected]

9. Cookies and Local Storage

The Platform uses session cookies and browser local storage strictly for authentication and session management purposes. We do not use third-party advertising cookies, tracking pixels, or behavioral profiling tools. The guest-facing web application may use browser local storage to maintain temporary cart and session state during an active dining session. By using the Platform, You consent to this strictly necessary use of cookies and local storage.

10. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors. Restaurant Operators are responsible for ensuring that their guest-facing digital menu does not knowingly solicit data from individuals under 18 years of age. If we become aware that personal data has been collected from a minor without verifiable consent, we will take prompt steps to delete such data.

11. Grievance Officer

In accordance with Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, Octakris IT Solutions LLP has appointed the following Grievance Officer:

Name: Palash Akhenia

Company: Octakris IT Solutions LLP

Email: [email protected]

Phone: +91 73003 00973

Address:
505 Infinity Showrooms & Offices
Besides Gokul Mathura
Ayodhya Chowk
Rajkot – 360005
Gujarat, India

Any user — Restaurant Operator, Staff Member, or Restaurant Guest — may file a grievance relating to the collection, use, sharing, or security of their personal data, the misuse of submitted Feedback or testimonials, or any other aspect of this Privacy Policy. Complaints must be submitted in writing to the grievance email address above.

Complaints will be acknowledged within 24 hours and resolved within 15 (fifteen) days of receipt, as mandated by applicable Indian law.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, Platform features, or applicable legal requirements. The updated Policy will be published at https://easyaimenu.com/privacy with a revised effective date. We review and update this Policy at least once every 12 months.

For material changes, we will notify Restaurant Operators via email or in-platform notification. Your continued use of the Platform after an updated Policy is posted constitutes your acceptance of the revised Policy.

13. Contact Information

Octakris IT Solutions LLP

Registered Address:
505 Infinity Showrooms & Offices
Besides Gokul Mathura
Ayodhya Chowk
Rajkot – 360005
Gujarat, India

Phone: +91 73003 00973
LLPIN: AAH-9923

Privacy Queries: [email protected]
Grievance Officer: [email protected]
Legal: [email protected]
General Support: [email protected]

Company Website: Octakris IT Solutions LLP
Platform Website: EasyAiMenu


© 2026 Easy AI Menu & Octakris — Crafted with innovation. All rights reserved.
