1. Introduction
Welcome to BiteCast ("we", "our", "us"). BiteCast is a cloud-based restaurant operating system — WhatsApp ordering bot, POS, online storefront, delivery, reservations and loyalty.
This Privacy Policy explains how we collect, use and protect your information when you use bitecast.ai and our services. It covers both restaurant owners and staff, and the customers of restaurants whose data passes through our platform.
2. Who Controls Your Data
There are two distinct relationships, and it matters which applies to you:
| If you are… | Then… |
|---|---|
| A restaurant owner or staff member using BiteCast | BiteCast is the data controller. We decide how your account data is used. |
| A customer ordering from a restaurant that uses BiteCast | The restaurant is the data controller. BiteCast is a processor acting on their instructions. |
3. Information We Collect
A. Business Information
- Restaurant name and branch addresses
- Owner and staff names
- Email addresses and phone numbers
- Billing details and subscription records
- Payment gateway credentials you configure (encrypted at rest)
B. Customer & Order Data
- Customer names, phone numbers, email addresses
- Delivery addresses, coordinates and delivery notes
- Order details and order history
- Loyalty points and reward balances
- Reservation details
- Marketing consent preferences (SMS / WhatsApp / email — each recorded separately)
C. Technical Information
- IP address, browser type, device information
- Usage logs and pages visited
- An audit log of who accessed which customer record, and when
We do not store card numbers. Card and wallet payments are handled by JazzCash and EasyPaisa on their own systems. We keep only a transaction reference and a paid/failed status.
4. How We Use Information
| Purpose | Data used |
|---|---|
| Delivering orders | Name, phone, address, order contents |
| Logging you in | Phone or email, one-time passcode |
| Taking payment | Order total, transaction reference |
| WhatsApp bot automation | Phone number, order contents |
| Loyalty and rewards | Order history, points balance |
| Marketing (consent only) | Phone, email, consent flags |
| Fraud prevention and security | IP address, audit log |
| Support and improving the system | Usage logs |
5. Data Ownership
Restaurants retain full ownership of their customer data.
BiteCast does not sell, rent or trade personal data to third parties. Ever.
Restaurants on our platform see marketplace customers only in masked form (for example 0300-***-1234) unless that customer has ordered directly from them.
7. Data Security
These controls are live, not aspirational:
- Encryption at rest. Customer names, phone numbers, email addresses and delivery addresses are encrypted with AES-256-GCM. A database leak would not expose them in readable form.
- Encryption in transit. All traffic uses TLS (HTTPS).
- Tenant isolation. PostgreSQL row-level security means one restaurant's queries cannot return another restaurant's data — enforced by the database, not just the application.
- No stored passwords. Authentication is one-time-passcode only, so there is no password database to steal.
- Role-based access. Staff see only what their role and branch permit.
- Audit logging of access to customer records.
- Encrypted off-site backups with integrity verification.
- Rate limiting on authentication endpoints.
However, no system can guarantee 100% security. We will notify affected users and the relevant authority without undue delay if a breach puts personal data at risk.
8. Data Retention
| Data | Retention |
|---|---|
| Order records | 7 years (tax and accounting requirements) |
| Customer profile | Until deleted, or until the restaurant closes its account |
| Delivery addresses | Until you delete them |
| Audit logs | 12 months |
| Backups | 7 daily, 4 weekly, then permanently destroyed |
| After cancellation | 30 days to export, then deleted |
9. Marketing & Consent
We send marketing messages only if you have opted in. Consent is recorded per channel — SMS, WhatsApp and email are separate choices, and you can withdraw any of them at any time without affecting your ability to order.
Transactional messages — order confirmations, delivery updates, login passcodes — are not marketing. They are sent regardless, because you need them to complete what you asked for.
11. Your Rights
You may request:
- Access to the personal data we hold about you
- Correction of anything inaccurate
- Deletion — the "right to be forgotten". We anonymise your personal details while keeping the order totals a restaurant is legally required to retain for tax
- Export of your data
- Withdrawal of marketing consent at any time
Email info@bitecast.ai. We respond within 30 days.
12. Children
BiteCast is not intended for anyone under 18, and we do not knowingly collect data from children. If you believe a child's data has reached us, contact us and we will delete it.
13. Updates
We may update this Privacy Policy from time to time. For material changes we notify account holders by email at least 14 days before they take effect. The date at the top always reflects the current version.