Privacy Policy
Last updated: March 1, 2025
1. Introduction
Welcome to MenuPOS. This Privacy Policy explains how Qubelex Private Limited ("Qubelex", "we", "us", or "our"), a company incorporated under the laws of India, collects, uses, discloses, and safeguards your personal information when you use the MenuPOS application ("App"), our website at www.menupos.in ("Website"), and any related services (collectively, the "Service").
MenuPOS is a point-of-sale (POS) and billing system designed specifically for restaurants, cafes, cloud kitchens, and food-service businesses in India. The App enables you to create menus, take orders, manage tables, generate GST-compliant bills, process payments, manage staff, and view business analytics — all from your Android device.
By downloading, installing, or using MenuPOS, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service. This policy applies to all users of the Service, including business owners, staff members added to a business account, and visitors to our Website.
We are committed to protecting the privacy and security of your data. We process your personal data in compliance with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and any rules or regulations made thereunder.
2. Information We Collect
We collect information that you provide directly to us, information that is generated automatically when you use the Service, and information from third-party sources. The categories of information we collect include:
2.1 Account Information
When you create a MenuPOS account, we collect the following personal information:
- Full name — used to identify you within the application and on invoices.
- Email address — used for account authentication, transactional communications, and password recovery.
- Phone number — used as a primary login identifier and for account verification via OTP (One-Time Password).
- Profile photograph (optional) — uploaded at your discretion and stored securely in cloud storage.
- MP Number — a unique system-generated identifier assigned to every MenuPOS user, used internally for account identification and support purposes.
2.2 Business Information
When you create or manage a business on MenuPOS, we collect:
- Business name — the name of your restaurant, cafe, or food-service establishment.
- Business address — used for invoicing and GST compliance purposes.
- GSTIN (Goods and Services Tax Identification Number) — required for generating GST-compliant tax invoices.
- FSSAI License Number — the Food Safety and Standards Authority of India license number, displayed on bills where required by regulation.
- Business logo — uploaded for branding on bills and receipts.
- Invoice prefix and numbering preferences — used to generate sequential invoice numbers according to your preferred format.
2.3 Operational and Usage Data
As you use MenuPOS to run your business, the Service processes and stores the following operational data:
- Menu items — item names, descriptions, prices, tax profiles (inclusive, exclusive, or no-tax), catalog assignments, station assignments, and modifier sets.
- Orders and billing records — order details, order type (dine-in, takeaway, delivery, online), payment mode, applied charges and discounts, tax breakdowns, timestamps, table assignments, and order status (completed, cancelled, credit).
- Customer records — customer names, phone numbers, and transaction history that you choose to save within the application.
- Table management data — table configurations, sections, session data (guest count, session duration, items ordered), and occupancy status.
- Staff data — staff names, roles, permissions, invite codes, and activity logs associated with staff accounts added to your business.
- Financial summaries — aggregated sales reports, payment breakdowns, revenue analytics, and top-performing item rankings.
2.4 Device and Technical Information
We automatically collect certain technical information when you use the App:
- Device model and manufacturer — to optimize the App's performance for your specific device.
- Operating system and version — primarily Android version information, used for compatibility and troubleshooting.
- App version — the version of MenuPOS installed on your device.
- IP address — collected as part of standard network communications and used for security monitoring.
- Crash reports and performance logs — automatically generated diagnostic data that helps us identify and fix bugs.
- Language preference — your selected language from the ten supported languages (English, Hindi, Telugu, Tamil, Kannada, Malayalam, Marathi, Gujarati, Odia, Bengali).
2.5 Payment Information
When you subscribe to a paid MenuPOS plan (Starter, Pro, or Pro Plus), payment processing is handled entirely by our third-party payment partner, Razorpay Software Private Limited ("Razorpay"). We want to be clear about what we do and do not store:
- We do NOT store your credit card numbers, debit card numbers, UPI PINs, net banking credentials, or any other sensitive financial instrument details.
- We DO store the Razorpay subscription ID, payment ID, subscription status, billing cycle (monthly or annual), and subscription expiry date — solely for the purpose of managing your subscription status within our system.
- All payment transactions are processed through Razorpay's PCI-DSS compliant infrastructure. We encourage you to review Razorpay's Privacy Policy for details on how they handle your payment data.
3. How We Use Your Information
We use the information we collect for the following purposes, each of which constitutes a lawful basis for processing under applicable data protection laws:
3.1 Providing and Operating the Service
- To create and manage your MenuPOS account and associated business profiles.
- To enable you to create menus, process orders, generate bills, manage tables, and perform all core POS functions.
- To synchronize your business data across devices in real time using cloud infrastructure.
- To generate GST-compliant invoices with your GSTIN and FSSAI details.
- To manage staff accounts, permissions, and invite codes associated with your business.
3.2 Processing Payments and Subscriptions
- To facilitate subscription payments through Razorpay for paid plans.
- To manage subscription lifecycle events including activation, renewal, cancellation, and expiry.
- To enforce plan-based feature limits (number of menu items, tax profiles, staff members, businesses, etc.).
3.3 Improving the Service
- To analyze usage patterns and feature adoption to prioritize product improvements.
- To identify and fix bugs, crashes, and performance issues using diagnostic data.
- To develop new features based on aggregated, anonymized usage trends.
- To optimize the App's performance across different Android devices and versions.
3.4 Communication
- To send transactional notifications related to your account (subscription confirmations, payment receipts, password resets).
- To notify you of important changes to the Service, including updates to this Privacy Policy or our Terms of Service.
- To provide customer support via in-app chat, email, and WhatsApp (for eligible plan holders).
- To send optional product updates and feature announcements. You may opt out of non-essential communications at any time.
3.5 Security and Fraud Prevention
- To monitor for unauthorized access attempts and suspicious activity on your account.
- To verify user identity during account recovery and support interactions.
- To enforce our Acceptable Use Policy and Terms of Service.
3.6 Legal Compliance
- To comply with applicable laws, regulations, and legal processes in India.
- To respond to lawful requests from government authorities and law enforcement agencies.
- To maintain financial records as required under the Income Tax Act, GST Act, and other applicable Indian statutes.
4. Data Storage and Security
We take the security of your data seriously and employ multiple layers of protection to safeguard your personal and business information.
4.1 Infrastructure
MenuPOS uses Google Firebase as its primary backend infrastructure. Firebase is a product of Google LLC and is built on Google Cloud Platform, which maintains some of the most stringent security certifications in the industry, including ISO 27001, SOC 1/2/3, and PCI DSS. Your data is stored in Firebase services including:
- Firebase Authentication — for secure user identity management and login.
- Cloud Firestore — for real-time database storage of your business, menu, order, and operational data.
- Cloud Storage for Firebase — for storing uploaded files such as business logos and profile photographs.
- Firebase Cloud Functions — for server-side processing of subscription events, payment verification, and webhook handling.
4.2 Encryption
- In transit — all data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) 1.2 or higher. This includes API calls, database reads/writes, and file uploads.
- At rest — all data stored in Cloud Firestore and Cloud Storage is encrypted at rest using AES-256 encryption, managed by Google Cloud's Key Management Service.
4.3 Data Residency
We configure our Firebase projects to use data centres located in the Asia-South1 (Mumbai) region wherever technically feasible. This ensures that your data is stored within Indian territory to the greatest extent possible. However, certain Firebase services may process data in other Google Cloud regions as part of their global infrastructure. Google's data processing agreements and standard contractual clauses govern any such cross-border data transfers.
4.4 Access Controls
- We implement Firestore Security Rules that enforce strict access controls at the database level. Each business's data is isolated and accessible only to the business owner and authorized staff members.
- Staff permissions are granular — business owners can control exactly which actions each staff member can perform (making sales, viewing reports, managing menu items, cancelling orders, etc.).
- Administrative access to our backend systems is restricted to authorized Qubelex personnel and is protected by multi-factor authentication.
- We follow the principle of least privilege, granting team members access only to the data and systems necessary for their specific roles.
4.5 Security Practices
- We conduct periodic reviews of our Firestore Security Rules and Cloud Function code to identify and remediate potential vulnerabilities.
- We monitor Firebase usage and access patterns for anomalies that may indicate unauthorized activity.
- We keep all dependencies and third-party libraries up to date to address known security vulnerabilities.
- Payment-related operations (subscription creation, verification, webhook handling) use cryptographic signature validation (HMAC-SHA256) to prevent tampering.
5. Sharing of Information
We value your trust and are committed to being transparent about who has access to your data. We do not sell, rent, or trade your personal information to third parties for marketing purposes. We share your information only in the following limited circumstances:
5.1 Service Providers
We share data with third-party service providers who assist us in operating the Service. These providers are contractually obligated to use your data only for the purposes we specify and in accordance with this Privacy Policy:
- Google / Firebase — infrastructure provider for authentication, database, storage, and serverless functions. Google processes your data under their Firebase Data Processing Terms.
- Razorpay — payment gateway provider for processing subscription payments. Razorpay receives payment instrument details directly from you during checkout and processes them under their own Privacy Policy.
- Google Analytics — website analytics service that collects anonymized usage data about how visitors interact with our Website. This data helps us understand traffic patterns and improve our online presence.
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal processes, including:
- Court orders, subpoenas, or other mandatory legal process issued by a court of competent jurisdiction in India.
- Lawful requests from government or regulatory authorities, including tax authorities, law enforcement agencies, and the Data Protection Board of India.
- To protect our rights, property, or safety, or the rights, property, or safety of our users or the public, as permitted by law.
5.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email or a prominent notice within the App before your information becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so. For example, if you choose to connect a third-party integration with your MenuPOS account in the future, we will clearly explain what data will be shared before you authorize the connection.
6. Your Rights (DPDP Act 2023)
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian data protection laws, you have the following rights with respect to your personal data. You may exercise these rights by contacting us at support@menupos.in.
6.1 Right to Access
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to request a summary of your personal data that we hold. Much of your data is directly accessible within the MenuPOS App through your account settings, business profile, and order history. For data that is not directly accessible, you may submit an access request and we will respond within 30 days.
6.2 Right to Correction
You have the right to request the correction of inaccurate or incomplete personal data. You can update most of your account and business information directly within the App (name, email, phone number, business details). For corrections that cannot be made through the App, please contact our support team.
6.3 Right to Erasure
You have the right to request the deletion of your personal data, subject to certain exceptions. Upon receiving a valid erasure request, we will delete your personal data within 90 days, except where retention is required by law (for example, financial records that must be maintained under Indian tax regulations). To request account deletion, please contact us at support@menupos.in from the email address associated with your account.
6.4 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Upon request, we can provide your account data, business information, and order history in standard formats such as JSON or CSV.
6.5 Right to Withdraw Consent
Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Please note that withdrawing consent for essential data processing may result in the inability to use certain features of the Service.
6.6 Right to Grievance Redressal
If you are unsatisfied with our response to your data protection request, you have the right to lodge a complaint with the Data Protection Board of India as established under the DPDP Act, 2023. We encourage you to contact us first so we can attempt to resolve your concern directly.
6.7 Right to Nominate
Under the DPDP Act, 2023, you have the right to nominate another individual to exercise your data protection rights on your behalf in the event of your death or incapacity. If you wish to register a nominee, please contact us at support@menupos.in.
7. Cookies and Tracking
Our Website (www.menupos.in) uses cookies and similar tracking technologies to enhance your browsing experience and help us understand how visitors use the site. The MenuPOS App itself does not use browser cookies, as it is a native Android application.
7.1 Types of Cookies We Use
- Essential / Session Cookies — these are strictly necessary for the Website to function and cannot be disabled. They enable core functionality such as page navigation and access to secure areas of the Website. These cookies do not store any personally identifiable information and expire when you close your browser.
- Analytics Cookies — we use Google Analytics to collect anonymized data about how visitors interact with our Website, including pages visited, time spent on site, bounce rate, and referral sources. This data is aggregated and does not identify individual visitors. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Preference Cookies — these cookies remember choices you have made on the Website, such as your language preference or region, to provide a more personalized experience. They persist across sessions and typically expire after 12 months.
7.2 Managing Cookies
When you first visit our Website, a cookie consent banner allows you to accept all cookies or manage your preferences. You can also control cookies through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of the Website.
For full details about the cookies we use, their purposes, and their durations, please see our Cookie Policy.
8. Third-Party Services
MenuPOS integrates with the following third-party services to provide its functionality. Each service has its own privacy policy governing how it handles your data:
8.1 Firebase Authentication
Purpose: Secure user authentication via phone number (OTP) and email/password. Firebase Auth manages user sessions and tokens.
Data shared: Phone number, email address, authentication tokens.
Privacy policy: firebase.google.com/support/privacy
8.2 Cloud Firestore
Purpose: Real-time NoSQL database for storing all business, menu, order, staff, table, and customer data. Firestore enables real-time synchronization across devices and offline data persistence.
Data shared: All operational data you create and manage within the App.
Privacy policy: cloud.google.com/terms/cloud-privacy-notice
8.3 Cloud Storage for Firebase
Purpose: Secure file storage for user-uploaded content, including business logos, profile photographs, and other media assets.
Data shared: Uploaded image files and associated metadata.
Privacy policy: cloud.google.com/terms/cloud-privacy-notice
8.4 Razorpay
Purpose: Payment processing for MenuPOS subscription plans. Razorpay handles all payment instrument details (credit/debit cards, UPI, net banking) through its PCI-DSS compliant infrastructure. We use Razorpay Subscriptions for recurring billing.
Data shared: Your name, email, phone number, and subscription plan details are passed to Razorpay to initiate a subscription. Payment instrument details are provided by you directly to Razorpay during checkout and are never transmitted to or stored on our servers.
Privacy policy: razorpay.com/privacy
8.5 Google Analytics
Purpose: Website analytics to understand visitor behaviour, traffic sources, and user engagement on www.menupos.in.
Data shared: Anonymized browsing data including page views, session duration, geographic region (country/city level), device type, and referral source. No personally identifiable information is shared with Google Analytics.
Privacy policy: policies.google.com/privacy
9. Children's Privacy
MenuPOS is a business application designed for use by restaurant owners, managers, and staff. The Service is not intended for use by individuals under the age of 18. We do not knowingly collect, solicit, or process personal data from children or minors under 18 years of age.
If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete such information from our servers and terminate the associated account. If you are a parent or guardian and believe that your child has provided personal data to us through the Service, please contact us immediately at support@menupos.in so that we can take appropriate action.
In accordance with the DPDP Act, 2023, we acknowledge the heightened protections afforded to children's data and commit to obtaining verifiable parental consent before processing any data of individuals under 18, should such processing ever become necessary for the Service.
10. Data Retention
We retain your personal and business data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention practices are as follows:
10.1 Active Account Data
Your account information, business profiles, menu data, staff data, and operational settings are retained for as long as your MenuPOS account remains active. You can access, modify, or delete this data at any time through the App.
10.2 Post-Deletion Retention
When you request deletion of your account, we will delete or anonymize your personal data within 90 days of the request. During this period, your data may be retained in our backup systems but will not be actively processed. After 90 days, your data will be permanently and irreversibly deleted from all active systems.
10.3 Financial and Tax Records
Order records, billing data, and financial transaction summaries are retained for a minimum of 8 (eight) years from the end of the relevant financial year, as required under the Income Tax Act, 1961, the Central Goods and Services Tax Act, 2017, and other applicable Indian financial regulations. This retention is necessary for tax audit and compliance purposes and applies even after account deletion.
10.4 Anonymized Analytics
We may retain aggregated, anonymized data derived from your use of the Service indefinitely. This data cannot be used to identify you and is used solely for statistical analysis, product improvement, and benchmarking. Examples include aggregate order volumes, average transaction values, and feature usage statistics across our user base.
10.5 Legal Hold
If your data is subject to a legal hold, litigation, regulatory investigation, or other legal obligation, we may retain your data beyond the standard retention periods described above, for as long as the legal obligation persists.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the Service, or applicable laws. When we make changes:
- Minor changes (clarifications, formatting, or non-material updates) will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.
- Material changes (changes to the types of data collected, new purposes for processing, new third-party data sharing, or changes that significantly affect your rights) will be communicated to you through one or more of the following channels: an in-app notification within MenuPOS, an email to the address associated with your account, or a prominent notice on our Website.
- For material changes that require your explicit consent under the DPDP Act, 2023, we will obtain your affirmative consent before implementing the changes. If you do not consent to the updated policy, you may discontinue use of the Service and request deletion of your data.
Your continued use of the Service after the posting of non-material changes constitutes your acknowledgement and acceptance of the revised Privacy Policy. We recommend bookmarking this page and checking back regularly.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:
General Inquiries and Support
- Email: support@menupos.in
- In-App Support: Use the Help & Support section within the MenuPOS App to start a live chat or browse tutorial videos.
- Website: www.menupos.in/contact
Data Protection Officer
For requests specifically related to your data protection rights under the DPDP Act, 2023, including access, correction, erasure, portability, and consent withdrawal requests, please contact our Data Protection Officer:
- Email: support@menupos.in (subject line: "Data Protection Request")
- Response time: We aim to acknowledge all data protection requests within 48 hours and provide a substantive response within 30 days.
Company Address
Qubelex Private Limited
Hyderabad, Telangana, India
If you are not satisfied with our response to your query or complaint, you may escalate the matter to the Data Protection Board of India in accordance with the provisions of the Digital Personal Data Protection Act, 2023.