Privacy Policy
Last updated: May 13, 2026
This policy explains how Kaidou collects, uses, and protects your personal information in compliance with Republic Act No. 10173 (Data Privacy Act of 2012) of the Philippines.
1. Who This Policy Covers
This policy applies to two types of users:
- –Restaurant operators ("Operators") — restaurant owners, managers, and staff who create and manage a Kaidou account to run their restaurant's digital menu and ordering system.
- –Dining customers ("Customers") — individuals who scan a restaurant's QR code and use the Kaidou customer app to browse menus and place orders.
2. Information We Collect
2.1 Information You Provide
For Operators: Full name and email address, password (hashed — never stored in plain text), business name and address, menu content (item names, descriptions, prices in PHP, images), table layout configuration, and subscription preferences.
For Customers: Name (optional), order details (items, quantities, special instructions, modifiers), and a table session identifier derived from the QR code scan.
2.2 Collected Automatically
When you use the Service we may collect: device type, operating system, and browser version; IP address and approximate location (city/region level — not GPS); pages visited and features used; session timestamps and interaction events.
2.3 From Third-Party Sign-In
If you sign in with Google or Facebook, we receive your name, email address, and profile picture from those providers. We never receive your passwords from them, and we do not post to your social accounts.
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Service | Performance of a contract |
| Authenticate your identity and secure your account | Legitimate interest / Legal obligation |
| Process and display food orders in real time | Performance of a contract |
| Send account-related notifications (e.g., email verification) | Performance of a contract |
| Analyze usage patterns to improve the platform | Legitimate interest |
| Monitor system performance and prevent fraud | Legitimate interest / Legal obligation |
| Comply with applicable Philippine laws and regulations | Legal obligation |
We do not sell your personal information to third parties, ever.
4. Data Sharing
4.1 Service Providers (Sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Convex (Convex, Inc.) | Real-time database and backend infrastructure | United States |
| Cloudinary | Image hosting and transformation | United States |
| Mixpanel | Product analytics and usage tracking | United States |
| Cloudflare (Turnstile) | Bot detection and abuse prevention | United States |
| OAuth authentication | United States | |
| Meta | OAuth authentication | United States |
| Vercel | Web hosting and edge delivery | United States |
All sub-processors are bound by data processing agreements and are required to protect your information in accordance with applicable law.
4.2 Within the Restaurant
When a Customer places an order, the order details (items, table, special instructions) are shared with the restaurant Operator and displayed on the Kitchen Display System (KDS). This is necessary to fulfill the order.
4.3 Legal Requirements
We may disclose your information if required by Philippine law, court order, or a government authority including the National Privacy Commission (NPC).
4.4 Business Transfers
In the event of a merger, acquisition, or asset sale, your information may be transferred. We will notify you at least 30 days before any such transfer and you may request deletion of your data before it takes effect.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Operator account and profile data | Until account deletion, then purged within 30 days |
| Menu, item, and category data | Until account deletion |
| Customer order history | 90 days from order date |
| Server and access logs | 12 months |
| Authentication tokens and sessions | Until revoked or naturally expired |
Encrypted backups are purged within 30 days of the primary data deletion date.
6. Data Security
We protect your information using industry-standard practices:
- –Encryption in transit: TLS 1.2+ for all data transmitted over the network
- –Encryption at rest: Data stored in Convex is encrypted at rest
- –Access controls: Role-based access limits who can view sensitive data
- –Hashed passwords: Passwords are hashed using a strong one-way algorithm — plain-text passwords are never stored or logged
- –Bot protection: Cloudflare Turnstile protects authentication endpoints from automated abuse
Despite these measures, no system can guarantee 100% security. If you suspect your account has been compromised, contact us immediately at security@kaidou.io.
7. Your Rights Under the Data Privacy Act of 2012
As a data subject under Philippine law (RA 10173), you have the following rights:
| Right | What It Means |
|---|---|
| Right to be informed | Know what data we collect and how it is processed |
| Right to access | Request a copy of your personal data held by us |
| Right to correction | Have inaccurate or incomplete data corrected |
| Right to erasure ("right to be forgotten") | Request deletion of your personal data |
| Right to data portability | Receive your data in a structured, machine-readable format |
| Right to object | Object to processing based on legitimate interest |
| Right to damages | Seek compensation for violations of your data privacy rights |
| Right to complain | Lodge a complaint with the National Privacy Commission (npc.gov.ph) |
To exercise any of these rights, email privacy@kaidou.io with the subject line "Data Privacy Request". We will acknowledge receipt and respond within 15 working days.
8. Cookies and Tracking
- –Session cookies — required for user authentication and maintaining login state. These expire when you close your browser or after 30 days of inactivity.
- –Analytics (Mixpanel) — helps us understand how the platform is used to guide product improvements. These are analytics-only and not used for advertising.
You can disable cookies in your browser settings. Disabling session cookies will prevent you from staying logged in to the admin dashboard.
9. Children's Privacy
The Kaidou Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected data from a child, please contact us at privacy@kaidou.io and we will delete it promptly.
10. International Data Transfers
Some service providers listed in Section 4.1 are located outside the Philippines, primarily in the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place consistent with RA 10173 and NPC guidelines on cross-border data transfers.
11. Changes to This Policy
We may update this policy periodically. When we make material changes, we will update the "Last updated" date at the top of this page and send an email notice to Operators at least 14 days before significant changes take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact Us
For privacy-related inquiries, rights requests, or complaints:
To file a complaint with the National Privacy Commission of the Philippines: npc.gov.ph · Hotline: 16.NPC (16672)