1. Who we are
YanaServe (“we”, “us”) is a QR-based ordering platform for restaurants, cafes, and hotels — primarily in Northeast India. We’re based in Shillong, Meghalaya. This policy applies to the website at yanaserve.in and the dashboard customers reach through it.
2. What we collect
From owners (people who run a cafe on YanaServe)
- Account info: email, full name, password (stored hashed, never in plain text).
- Cafe info: name, slug, description, phone, optional WhatsApp number, logo and cover photos you upload.
- Menu data: dishes, prices, categories, availability, item photos.
- Billing info: subscription status and identifiers. Card numbers, UPI handles, and bank details are handled entirely by Razorpay — we never see or store them.
From customers (diners scanning a QR)
- Order data: items chosen, table number, notes, total amount, timestamps. No customer login is required.
- Device data:a session identifier stored in your browser’s localStorage so we can show you your own tab and order history at the same table. Cleared when you clear browser data.
- We do not collect: your name, phone, email, location, contacts, or any payment information.
Technical data (everyone)
- IP address (for request routing and abuse prevention).
- Browser user agent.
- Pages visited, timing, errors — used to debug problems and improve the product.
3. How we use it
- To run the service: show menus to customers, route orders to owners, calculate totals, deliver realtime updates, host images.
- To bill paying owners: we send the subscription ID to Razorpay so they can charge and we can verify the charge succeeded.
- To communicate with owners: service emails (password reset, billing receipts, important changes).
- To debug and improve: aggregated, anonymised usage patterns. We do not run advertising, sentiment analysis, or profile-building on top of this data.
4. Sub-processors we use
We host and process data with a small number of trusted vendors. Each one has its own privacy practices and security commitments.
- Supabase — database and authentication. Stores all account, menu, and order data. Hosted in the EU/US, encrypted at rest.
- Vercel — application hosting and edge caching. Sees inbound HTTP requests for routing but does not persist application data.
- Razorpay — payment processing for subscriptions (when an owner upgrades from the trial). PCI-DSS compliant. All card and UPI data lives only with them.
- Email provider — used for transactional emails like password reset.
5. What we don’t do
- We do not sell your data. To anyone. Ever.
- We do not share data with advertisers or data brokers.
- We do not run third-party analytics or marketing tracking on your customer menu pages.
- We do not use customer order data to do AI / sentiment / marketing analysis.
6. When we share data
- With our sub-processors (listed above), only what they need to do their job.
- With law enforcementwhen we receive a valid legal order under Indian law. We’ll tell you about it unless we’re legally barred from doing so.
- If we’re acquired or merge— your data moves with us, subject to this policy. We’ll notify owners by email before any such change.
7. How long we keep your data
- Active accounts: until you delete the account.
- Deleted accounts:we wipe within 30 days, except for records we’re legally required to keep (billing records: 8 years under Indian tax law).
- Order data: retained while your subscription is active for reports and historical context; archived on account deletion.
8. Your rights
Under India’s Digital Personal Data Protection Act (DPDPA) and good practice generally:
- Access: ask for a copy of the data we hold on you.
- Correct:fix anything that’s wrong — most things you can change yourself in Settings.
- Delete:ask us to remove your account and data. Some legal retention applies (see “How long”).
- Export: get your data in a machine-readable format.
- Withdraw consent: stop receiving non-essential emails at any time.
- Grievance:if you think we’ve mishandled your data, write to our Grievance Officer (see below). We respond within 30 days.
9. Security
We follow standard security practices: passwords hashed with bcrypt, data encrypted in transit (HTTPS everywhere), database access scoped via row-level security, secrets stored in environment variables. No system is impervious — if we ever detect a breach affecting you, we’ll notify you within 72 hours along with what we know and what we’re doing.
10. Cookies
We use a small number of strictly-necessary cookies: an authentication session cookie when you’re signed in to the dashboard, and a few preferences (theme, etc). The customer menu pages use localStorage to remember your in-progress tab at a table — that’s on-device only, not sent to us. We do not use cookies for advertising or cross-site tracking.
11. Children
YanaServe is built for businesses. You must be at least 18 to create an owner account. We don’t knowingly collect data from children; if you believe we have, write to us and we’ll remove it.
12. International transfers
Some of our sub-processors host data outside India (Supabase and Vercel may use US or EU regions). We require contractual safeguards in line with applicable Indian data protection requirements before any such transfer happens.
13. Changes to this policy
If we make material changes — like adding a new sub-processor or changing how we use data — we’ll notify owners by email at least 14 days before the change takes effect. The “last updated” date at the top tells you when it was last revised.
14. Contact & Grievance Officer
Questions, requests, or complaints about this policy or your data:
Grievance Officer, YanaServe
Email: hello@yanaserve.in
Based in Shillong, Meghalaya, India
We aim to acknowledge within 48 hours and resolve within 30 days.
This policy is provided for general transparency. If you have specific legal needs, consider consulting an Indian privacy lawyer.