
Privacy Policy

How we collect, use, and protect your personal information across all ShopInStreet apps and services.

Last updated: April 2026

ShopInStreet is built on the belief that restaurants should own their customer relationships — and that applies to your data too. We collect only what we need, we never sell your data, and we give you full control to delete it anytime.

1. Who We Are

ShopInStreet ("we", "our", "us") operates a restaurant technology platform including the Vendor App, Customer App, Driver App, and associated websites at shopinstreet.com and its subdomains.

This Privacy Policy applies to all users of our platform — restaurant owners, customers, and delivery partners.

2. What Data We Collect

Restaurant Owners (Vendor App):

  • Name, phone number, email address
  • Restaurant name, address, GSTIN, FSSAI license number
  • Bank account details (for payment settlements only)
  • Menu items, photos, pricing you upload
  • Order history and revenue data

Customers (Customer App & Website):

  • Phone number (for OTP login)
  • Name and delivery addresses
  • Order history and preferences
  • Device information and location (for delivery)
  • Payment transaction records (processed by Razorpay)

Delivery Partners (Driver App):

  • Name and phone number
  • Live location during active deliveries
  • Delivery history and earnings

3. How We Use Your Data

  • To provide and operate the ShopInStreet platform
  • To process orders and payments
  • To send order notifications and delivery updates via SMS, WhatsApp, and push notifications
  • To enable restaurant owners to run marketing campaigns to their customers
  • To improve our products and fix bugs
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising on other platforms.

4. Data Sharing

We share data only when necessary to provide our services:

  • Razorpay — payment processing
  • 2Factor.in — OTP SMS delivery
  • Meta (WhatsApp Business API) — order and marketing notifications
  • Google (Gmail API) — when a restaurant connects their Gmail account to send marketing emails to their customers (limited to the gmail.send scope only)
  • Cloudinary — image storage
  • Railway / AWS — cloud hosting
  • Expo — push notifications

All third-party providers are bound by data processing agreements and applicable privacy laws.

5. Google API Services & Gmail Integration

ShopInStreet allows restaurant owners to optionally connect their Google account (Gmail) to send marketing emails to their own customers from their own Gmail address. This section describes how we handle Google user data.

Google OAuth Scopes We Request:

When a restaurant owner connects their Gmail account, we request only the following Google OAuth scopes:

  • openid — to identify the connecting user
  • https://www.googleapis.com/auth/userinfo.email — to display the connected Gmail address
  • https://www.googleapis.com/auth/userinfo.profile — to display basic profile info
  • https://www.googleapis.com/auth/gmail.send — to send emails on behalf of the user

How We Use Gmail Data:

  • We use the gmail.send scope solely to send marketing emails composed by the restaurant owner inside the ShopInStreet vendor app
  • We send emails only when the restaurant owner explicitly clicks "Send Campaign"
  • We log only message metadata (recipient address, timestamp, delivery status, opens, clicks, bounces) for the restaurant's own analytics

What We Do NOT Do With Gmail Data:

ShopInStreet's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not:

  • Read, access, scan, or store the contents of any existing emails, drafts, threads, labels, or attachments in your Gmail
  • Modify, delete, archive, or label any existing emails
  • Transfer Gmail data to any third party except as necessary to provide the user-facing feature (e.g., sending the email through Gmail's own API)
  • Use Gmail data to serve advertisements
  • Use Gmail data to train artificial intelligence or machine learning models
  • Allow humans to read your Gmail data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data is aggregated and de-identified

OAuth Token Storage:

  • OAuth access and refresh tokens are stored encrypted at rest in our PostgreSQL database
  • Tokens are transmitted only over HTTPS
  • Tokens are never shared with any third party
  • You can revoke access at any time by clicking "Disconnect Gmail" in the vendor app, which deletes all stored tokens within 24 hours
  • You may also revoke access directly at https://myaccount.google.com/permissions

6. Data Storage & Security

  • All data is stored on encrypted servers in secure cloud infrastructure
  • Passwords are hashed and never stored in plain text
  • OAuth tokens (Google, Meta, etc.) are encrypted at rest
  • Payment data is handled entirely by Razorpay — we never store card numbers
  • Access to production data is restricted to authorized team members only
  • We use HTTPS across all platforms

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and all associated data
  • Withdraw consent for marketing communications at any time
  • Disconnect any connected Gmail account at any time, which immediately revokes our access and deletes stored OAuth tokens within 24 hours
  • Export your data in a portable format

To exercise any of these rights, contact us at hello@shopinstreet.com or use our Data Deletion Request page.

8. Data Retention

  • Active account data is retained while your account is active
  • Order records are retained for 7 years for tax and legal compliance
  • Upon account deletion, personal data is removed within 30 days
  • OAuth tokens are deleted within 24 hours of account disconnection
  • Anonymised, aggregated data may be retained indefinitely for analytics

9. Children's Privacy

ShopInStreet is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us immediately and we will delete it.

10. Cookies & Tracking

Our websites use minimal cookies necessary to operate the service (session management, authentication). We do not use advertising tracking cookies. You can disable cookies in your browser settings, but some features may not work correctly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and notify users via email or in-app notification for significant changes.

12. Contact Us

For any questions about this policy, contact us:

Email: hello@shopinstreet.com
WhatsApp: +91 87782 34899
Address: ShopInStreet, Hyderabad, Telangana, India

© 2026 ShopInStreet. All rights reserved.