Legal

Privacy Policy

How BiteCast collects, uses, and protects your information when you use our platform and services.

Effective Date: 13 July 2026

Contents

  1. 1 Introduction
  2. 2 Who Controls Your Data
  3. 3 Information We Collect
  4. 4 How We Use Information
  5. 5 Data Ownership
  6. 6 Data Sharing
  7. 7 Data Security
  8. 8 Data Retention
  9. 9 Marketing & Consent
  10. 10 Cookies
  11. 11 Your Rights
  12. 12 Children
  13. 13 Updates
Please have a lawyer review this. This policy describes how BiteCast actually handles data, but it is not legal advice. You process personal data and take payments — get a Pakistani lawyer to check it before you rely on it.

1. Introduction

Welcome to BiteCast ("we", "our", "us"). BiteCast is a cloud-based restaurant operating system — WhatsApp ordering bot, POS, online storefront, delivery, reservations and loyalty.

This Privacy Policy explains how we collect, use and protect your information when you use bitecast.ai and our services. It covers both restaurant owners and staff, and the customers of restaurants whose data passes through our platform.

2. Who Controls Your Data

There are two distinct relationships, and it matters which applies to you:

If you are…Then…
A restaurant owner or staff member using BiteCastBiteCast is the data controller. We decide how your account data is used.
A customer ordering from a restaurant that uses BiteCastThe restaurant is the data controller. BiteCast is a processor acting on their instructions.

3. Information We Collect

A. Business Information

  • Restaurant name and branch addresses
  • Owner and staff names
  • Email addresses and phone numbers
  • Billing details and subscription records
  • Payment gateway credentials you configure (encrypted at rest)

B. Customer & Order Data

  • Customer names, phone numbers, email addresses
  • Delivery addresses, coordinates and delivery notes
  • Order details and order history
  • Loyalty points and reward balances
  • Reservation details
  • Marketing consent preferences (SMS / WhatsApp / email — each recorded separately)

C. Technical Information

  • IP address, browser type, device information
  • Usage logs and pages visited
  • An audit log of who accessed which customer record, and when

We do not store card numbers. Card and wallet payments are handled by JazzCash and EasyPaisa on their own systems. We keep only a transaction reference and a paid/failed status.

4. How We Use Information

PurposeData used
Delivering ordersName, phone, address, order contents
Logging you inPhone or email, one-time passcode
Taking paymentOrder total, transaction reference
WhatsApp bot automationPhone number, order contents
Loyalty and rewardsOrder history, points balance
Marketing (consent only)Phone, email, consent flags
Fraud prevention and securityIP address, audit log
Support and improving the systemUsage logs

5. Data Ownership

Restaurants retain full ownership of their customer data.

BiteCast does not sell, rent or trade personal data to third parties. Ever.

Restaurants on our platform see marketplace customers only in masked form (for example 0300-***-1234) unless that customer has ordered directly from them.

6. Data Sharing

We share only what is necessary, and only with:

  • The restaurant you ordered from — they need your order and delivery details to serve you
  • Payment providers (JazzCash, EasyPaisa) — to process the payment you initiated
  • Delivery riders — the assigned rider sees the address and phone for that order only
  • Messaging providers (WhatsApp, email) — to send the confirmations and passcodes you asked for
  • Hosting providers — our servers are located in Germany (Hetzner)
  • Legal authorities — where required by law

7. Data Security

These controls are live, not aspirational:

  • Encryption at rest. Customer names, phone numbers, email addresses and delivery addresses are encrypted with AES-256-GCM. A database leak would not expose them in readable form.
  • Encryption in transit. All traffic uses TLS (HTTPS).
  • Tenant isolation. PostgreSQL row-level security means one restaurant's queries cannot return another restaurant's data — enforced by the database, not just the application.
  • No stored passwords. Authentication is one-time-passcode only, so there is no password database to steal.
  • Role-based access. Staff see only what their role and branch permit.
  • Audit logging of access to customer records.
  • Encrypted off-site backups with integrity verification.
  • Rate limiting on authentication endpoints.

However, no system can guarantee 100% security. We will notify affected users and the relevant authority without undue delay if a breach puts personal data at risk.

8. Data Retention

DataRetention
Order records7 years (tax and accounting requirements)
Customer profileUntil deleted, or until the restaurant closes its account
Delivery addressesUntil you delete them
Audit logs12 months
Backups7 daily, 4 weekly, then permanently destroyed
After cancellation30 days to export, then deleted

9. Marketing & Consent

We send marketing messages only if you have opted in. Consent is recorded per channel — SMS, WhatsApp and email are separate choices, and you can withdraw any of them at any time without affecting your ability to order.

Transactional messages — order confirmations, delivery updates, login passcodes — are not marketing. They are sent regardless, because you need them to complete what you asked for.

10. Cookies

We use cookies and local storage for:

  • Login sessions
  • Remembering your cart and preferences
  • Analytics and performance

We do not use advertising or cross-site tracking cookies.

11. Your Rights

You may request:

  • Access to the personal data we hold about you
  • Correction of anything inaccurate
  • Deletion — the "right to be forgotten". We anonymise your personal details while keeping the order totals a restaurant is legally required to retain for tax
  • Export of your data
  • Withdrawal of marketing consent at any time

Email info@bitecast.ai. We respond within 30 days.

12. Children

BiteCast is not intended for anyone under 18, and we do not knowingly collect data from children. If you believe a child's data has reached us, contact us and we will delete it.

13. Updates

We may update this Privacy Policy from time to time. For material changes we notify account holders by email at least 14 days before they take effect. The date at the top always reflects the current version.

Questions about your privacy?

Our team is here to help you understand how your data is handled and to assist with any requests.

Contact Support →