Privacy Policy

ShopInStreet (“we,” “our,” or “us”) operates an online ordering and restaurant management platform available through our website (shopinstreet.com), mobile applications, and related services (collectively, the “Platform”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Platform as a restaurant owner (“Vendor”), customer (“Customer”), or visitor.

ShopInStreet is operated by ShopInStreet Inc., a company registered in Canada. We serve restaurants and customers in Canada and India.

By using our Platform, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use our Platform.

2.1 Information You Provide

For Restaurant Owners (Vendors):

• Business name, address, phone number, and email
• Business registration details (GST number, business license)
• Bank account or payment information for receiving payouts
• Menu items, pricing, photos, and business hours
• Staff member names, roles, and contact information
• Facebook, Instagram, and WhatsApp Business account credentials (when you choose to connect these services through our Platform)

For Customers:

• Name, phone number, and email address
• Delivery addresses
• Order history and preferences
• Payment information (processed securely through Razorpay and Stripe)
• Reviews and ratings
• Loyalty program membership and points balance

2.2 Information Collected Automatically

• Device information (device type, operating system, unique device identifiers)
• Log data (IP address, browser type, pages visited, access times)
• Location data (with your consent, for delivery and restaurant discovery)
• Usage data (features used, interaction patterns, session duration)
• Cookies and similar tracking technologies

2.3 Information from Third-Party Services

When restaurant owners connect their social media and messaging accounts through our Platform, we receive information from Meta Platforms, Inc. (Facebook, Instagram, WhatsApp). This includes:

• Facebook Page information (page name, page ID, page access tokens)
• Instagram Business Account information (username, account ID, media)
• WhatsApp Business Account information (phone number, business profile, message delivery status)
• Engagement data from posts published through our Platform (likes, comments, reach, impressions)

We only access this information with the explicit consent of the restaurant owner during the account connection process. Restaurant owners can disconnect their accounts at any time.

3.1 Core Platform Services

• Process and fulfill online food orders
• Enable restaurants to manage menus, orders, and business operations
• Facilitate payments between customers and restaurants
• Provide delivery tracking and order status updates
• Manage loyalty programs and rewards
• Generate analytics and business insights for restaurant owners

3.2 Marketing and Communication Services

• Send promotional WhatsApp messages to customers on behalf of restaurants (using Meta WhatsApp Business API)
• Publish promotional content on restaurants' Instagram and Facebook pages (with restaurant owner authorization)
• Send order confirmations, delivery updates, and transactional notifications via WhatsApp and SMS
• Manage automated marketing campaigns (welcome messages, loyalty rewards, win-back offers)
• Segment customers based on ordering behavior for targeted, relevant promotions

3.3 Platform Improvement

• Analyze usage patterns to improve our Platform
• Develop new features and services
• Prevent fraud and ensure platform security
• Comply with legal obligations

This section specifically addresses how we handle data from Meta Platforms (WhatsApp, Instagram, Facebook) in compliance with Meta Platform Terms and Policies.

4.1 WhatsApp Business API

• Restaurant owners connect their WhatsApp Business number through Meta Embedded Signup
• We send messages to customers only on behalf of the restaurant that owns the customer relationship
• Message content includes: order confirmations, delivery updates, promotional offers, loyalty rewards
• Customers can opt out of promotional messages at any time by replying STOP or through the restaurant's website
• We do not sell, share, or use WhatsApp message data for any purpose other than providing our Platform services
• Message delivery status (sent, delivered, read) is tracked for campaign analytics provided to the restaurant owner
• WhatsApp access tokens are stored encrypted and are never shared with third parties

4.2 Instagram and Facebook

• Restaurant owners authorize ShopInStreet to publish content on their Instagram and Facebook pages
• We publish promotional posts, stories, and updates only with the restaurant owner's explicit action or pre-approved automation
• We access engagement data (likes, comments, reach) solely to provide analytics to the restaurant owner
• We do not post on any account without the owner's authorization
• We do not access personal Instagram/Facebook profiles of customers
• Restaurant owners can revoke access at any time through our Platform or through Facebook/Instagram settings
• Page access tokens are stored encrypted and are never shared with third parties

4.3 Data Retention for Meta Services

• WhatsApp message logs are retained for 90 days for campaign analytics, then anonymized
• Instagram/Facebook post data is retained as long as the restaurant's account is connected
• Upon disconnection, all Meta-related tokens and data are deleted within 30 days
• Customers who opt out are immediately removed from future marketing campaigns

We share your information only in the following circumstances:

Between Vendors and Customers: When a customer places an order, the restaurant receives the customer’s name, phone number, delivery address, and order details necessary to fulfill the order.

Payment Processors: We share transaction information with Razorpay (India) and Stripe (Canada) to process payments securely. These processors are PCI-DSS compliant.

Meta Platforms: When restaurants use our WhatsApp, Instagram, or Facebook features, relevant data is transmitted through Meta’s APIs in accordance with Meta Platform Terms.

Cloud Infrastructure: We use Amazon Web Services (AWS) to host our Platform. Data is stored on servers in Canada and India.

Legal Requirements: We may disclose information if required by law, court order, or government request.

We implement industry-standard security measures to protect your information, including encryption of data in transit (TLS/SSL) and at rest, secure authentication using JWT tokens with OTP verification, encrypted storage of third-party API tokens and credentials, regular security audits and vulnerability assessments, access controls and role-based permissions, and secure payment processing through PCI-DSS compliant providers.

7.1 For All Users

You have the right to access, correct, or delete your personal information. You may request a copy of the data we hold about you. You can opt out of marketing communications at any time. You may delete your account, and we will remove your data within 30 days (except as required by law for transaction records).

7.2 For Customers (Marketing Opt-Out)

You can opt out of WhatsApp marketing messages by replying “STOP” to any promotional message. You can also contact the restaurant directly or email us at privacy@shopinstreet.com. Opting out of marketing does not affect transactional messages (order confirmations, delivery updates).

7.3 For Restaurant Owners (Social Media Disconnection)

You can disconnect your WhatsApp, Instagram, or Facebook accounts at any time through the ShopInStreet vendor app settings. Upon disconnection, we will stop sending messages and posting content on your behalf. All stored access tokens will be deleted within 24 hours. You can also revoke access directly through Facebook Business Settings.

7.4 Canadian Privacy Rights (PIPEDA)

If you are a resident of Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access your personal information, the right to challenge the accuracy of your information, and the right to withdraw consent for data collection.

7.5 Indian Privacy Rights (DPDP Act)

If you are a resident of India, you have rights under the Digital Personal Data Protection Act 2023, including the right to access, correct, and erase your personal data, the right to nominate another person to exercise your rights, and the right to grievance redressal.

To request deletion of your data, you may use the delete account option within the ShopInStreet app, email privacy@shopinstreet.com with your registered phone number or email, or for Meta-related data specifically, use our data deletion callback endpoint. We will process deletion requests within 30 days. Certain transaction records may be retained as required by applicable tax and financial regulations. For more details, see our Data Deletion Policy.

Our Platform is not intended for children under 13 years of age (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Platform and updating the “Last Updated” date. Continued use of our Platform after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

ShopInStreet Inc.
Email: privacy@shopinstreet.com
Website: shopinstreet.com