Privacy
Policy

We collect information relating to authorized users of our platform, including:

• Name (if provided)
• Email address
• Contact number
• Company/restaurant name
• Login credentials for access to our dashboard

This information is used to create and manage user accounts and provide access to our services.

To provide our analytics and consulting services, we may obtain authorized access to our clients' accounts on third-party operational platforms, including but not limited to:

• Zomato
• Swiggy
• Point-of-Sale (POS) systems
• Other food aggregators or operational platforms integrated in the future

Aggregator Platform Access (e.g., Zomato, Swiggy)

In certain cases, clients may grant us authorized access to their business accounts by adding our designated company account as an authorized user or administrator on such platforms. We do not collect or store the primary login passwords of these aggregator accounts. Access is used solely for the purpose of retrieving operational and transactional data necessary to provide analytics, reporting, and consulting insights.

POS System Credentials

For certain POS integrations, clients may provide login credentials or access details to enable system connectivity and data synchronization. Such credentials are:

• Used solely for integration purposes
• Stored securely using appropriate safeguards
• Accessible only to authorized personnel
• Not shared with third parties except as required to provide services

As part of onboarding, compliance verification, or consulting services, we may collect:

• PAN card details
• FSSAI registration/license
• GST registration certificate
• Cancelled cheque
• Banking documents
• Other regulatory or financial documentation

These documents are collected for legitimate business purposes, including compliance verification, onboarding, and operational coordination.

Through integrations with client systems, we may process:

• Order history
• Revenue data
• Menu information
• Customer information (such as name, phone number, and delivery address, where available through client systems)
• Performance metrics
• Other business data

In most cases, such data is processed on behalf of our business clients in our capacity as a data processor.

Clients may upload files such as:

• Excel spreadsheets
• PDF reports
• Operational documents

These files are processed solely for the purpose of delivering our services.

We use account and contact information to:

• Create and manage user accounts
• Provide secure access to our dashboard and services
• Authenticate authorized users
• Communicate service-related updates

We use operational and aggregator data (including order, revenue, and performance data) to:

• Generate dashboards and performance reports
• Analyze sales, customer trends, and operational efficiency
• Provide growth recommendations and strategic consulting
• Improve delivery and dining performance
• Identify revenue optimization opportunities

Such data is processed on behalf of our business clients to support their business decision making and growth strategies.

We use authorized access to third-party platforms (Zomato, Swiggy, POS systems) to retrieve relevant business data necessary to provide analytics and consulting services. This access is used solely for service delivery purposes and not for independent commercial use.

We collect PAN, GST certificates, FSSAI licenses, cancelled cheques, and banking documents for:

• Verifying the identity and legitimacy of the business
• Regulatory and compliance requirements
• Onboarding and contractual documentation
• Facilitating financial transactions between us and the client
• Invoicing and payment processing

Such documentation is collected only where necessary and is handled with appropriate safeguards.

We may use limited data to:

• Improve platform functionality
• Monitor system performance
• Detect and prevent fraud or unauthorized access
• Ensure security of our systems

Where possible, analytics for improvement purposes may use aggregated or anonymized data.

We may process information where required to:

• Comply with applicable laws
• Respond to lawful government requests
• Enforce our contractual rights

Access to client data is restricted to authorized personnel within our organization who require such access for platform maintenance, data integration, analytics generation, consulting services, and customer support. Access is controlled through role-based permissions and security safeguards.

Our platform is hosted on infrastructure provided by Amazon Web Services, including services such as EC2 and RDS for server hosting and database storage. We also use Google Workspace for internal communication and business operations. These service providers may process data on our behalf solely for the purpose of providing infrastructure or operational support services and are bound by their respective security and data protection obligations.

We may engage additional service providers in the future (such as email services, analytics tools, CRM systems, or accounting software) to support our business operations. Any such providers will be required to implement appropriate data protection safeguards.

Where clients authorize integration with third-party platforms such as Zomato, Swiggy, or POS systems, data may be accessed, retrieved, or synchronized between systems as part of service delivery. We do not independently disclose client data to these platforms beyond what is required for integration and operational functionality.

We may disclose information where required to:

• Comply with applicable laws or regulations
• Respond to lawful requests by government authorities
• Comply with court orders or legal processes
• Protect our legal rights

Such disclosures are made only when legally necessary.

Our platform is hosted on secure cloud infrastructure provided by Amazon Web Services. Security measures include:

• Encrypted database storage
• Secure server environments
• Network-level security controls
• Identity and Access Management (IAM)-based access control
• Role-based internal access restrictions

All data transmitted between users and our platform is encrypted using HTTPS/TLS protocols to protect information in transit.

• User account passwords are securely hashed.
• POS system credentials are stored using appropriate encryption safeguards.
• Access to integration credentials is restricted to authorized personnel only.

We do not store primary passwords for third-party aggregator platforms where access is granted through authorized account permissions.

Access to personal and business data is limited to authorized team members. We implement role-based permissions, the principle of least privilege, and controlled internal access management.

We rely on automated infrastructure-level backup mechanisms provided by our cloud hosting provider to support data resilience and system availability.

We implement reasonable safeguards to monitor system activity and protect against unauthorized access, misuse, or data breaches. While we take commercially reasonable measures to protect data, no system can guarantee absolute security.

For active clients, we retain account information, operational and transactional data, integration data, and uploaded files for the duration of the service relationship.

Upon termination of a client’s account:

• Access to systems and integrations is revoked.
• Operational and aggregator data stored within our systems is deleted within 2 business days, unless otherwise required by law.
• Integration access credentials are removed or invalidated.

Clients are advised to revoke our authorized access from third-party platforms and update their credentials upon termination.

Certain business and financial documents (such as invoices, payment records, and regulatory documentation) may be retained for a longer period where required for legal compliance, taxation and accounting obligations, contractual dispute resolution, or regulatory record-keeping. Such data is retained only for the minimum period required under applicable law and is not used for operational analytics after termination.

Data may temporarily remain in secure backup systems for a limited retention cycle before automatic deletion, in accordance with our infrastructure provider's backup policies.

You may request information regarding the personal data we process about you, the purpose of processing, and the categories of data processed.

You may request correction of inaccurate, incomplete, or outdated personal data.

You may request deletion of personal data where the data is no longer necessary for the purpose collected, consent has been withdrawn, or the processing is no longer legally required. Certain information may be retained where required by law (such as accounting or regulatory obligations).

Where processing is based on consent, you may withdraw your consent at any time by contacting us. Withdrawal of consent may affect the availability of certain services.

If you have any questions, concerns, or complaints regarding the processing of your personal data, please contact us at contact@culinarycompass.in. We will acknowledge and respond to requests within a reasonable timeframe in accordance with applicable law.

Where we process personal data on behalf of our business clients, requests relating to such data may be directed to the respective client as the primary data fiduciary.