Privacy Policy - Ruchiq DPDP Act 2023 Compliant

1. Introduction

Ruchiq ("we", "our", or "us") is committed to protecting your privacy and personal data in compliance with India's Digital Personal Data Protection Act (DPDP Act) 2023. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our digital restaurant order management platform. By using Ruchiq, you consent to the practices described in this policy.

2. Legal Compliance

This Privacy Policy complies with the Digital Personal Data Protection Act (DPDP Act) 2023 and other applicable Indian data protection laws. As a data fiduciary, we process personal data lawfully, transparently, and for specified legitimate purposes.

3. Data Classification

Restaurant Business Data (Your Data)

You own and control all data you input into Ruchiq, including menu information, pricing, restaurant settings, and team member details. This is YOUR data, not ours.

Customer Order Data (Jointly Controlled)

Customer names, phone numbers, addresses, and order details are collected to fulfill orders. While you own the direct customer relationship, Ruchiq retains rights to this data to operate the platform, improve services, and provide analytics. We function as joint data controllers for this information.

Privacy-By-Design: To protect customer PII (Personally Identifiable Information), Ruchiq implements automated masking and a 90-day automatic redaction policy for inactive consumers (see Section 8 for retention details).

Operational Zero-Trust: Access for staff (Delivery/Riders) is strictly limited to their assigned orders and is revoked automatically after a 60-minute post-fulfillment period or a 3-hour absolute window. Every "unmasking" action is logged in a secure, immutable audit trail for compliance.

Platform Usage Data (Our Data)

We collect analytics on platform usage, feature adoption, and system performance to improve Ruchiq's services.

Agent Identification Data (Verification Only)

For authorized Ruchiq Agents, we collect and process identification data including full names, assigned cities, photographs, and official government ID numbers. This data is processed solely for the "Agent Dynamic Verification" system to protect merchants from unauthorized solicitation.

Information We Collect

Personal Information

When you register, we collect your restaurant name, owner name, business address, phone number, business type, FSSAI license, and GSTIN (if applicable) to provide order management services and generate GST-compliant invoices. Emails are collected for business accounts only for account recovery and dashboard alerts; they are not collected from or required for consumers to place orders.

Usage Data

We collect information about how you interact with our platform, including order data, menu management, integration usage, and dashboard interactions to improve our services.

Location Data

We collect delivery addresses from customer orders to facilitate order fulfillment. Additionally, when you grant permission, we collect precise device geolocation data to provide features like "Find Near Me" in the Ruchiq portfolio directory. This location data is processed

Public Business Information

To help customers find your restaurant, your business name, address, cuisine type, and menu items will be publicly indexed by search engines (like Google) via our automated sitemaps. This is a core feature of your Digital Storefront. You may opt-out of public indexing by contacting support.

4. Automated Payment Synchronization (Privacy-by-Design)

For merchants using the optional Ruchiq Sync Android application, we implement "Edge-Filtering" to protect personal privacy:

Active Whitelisting: The App only listens to specific Bank SMS sender IDs and Financial Package names (e.g., HDFC, GPay) explicitly authorized by you.
Privacy Exclusion List: Messages containing personal keywords (e.g., otp, password, salary, loan, emi, yesterday) are instantly discarded locally on your device and are never transmitted to Ruchiq servers.
Signal-Only Sync: Only binary payment signals (Amount, Timestamp, and Confirmation) are mirrored to your dashboard. No personal conversational data is ever collected or stored.

5. How We Use Your Information

To provide order management and digital order intake services via PWA
To send real-time notifications about orders via WhatsApp (for staff and customers)
To enable integrations with payment processors and delivery partners
To generate GST-compliant invoices and financial reports
To communicate important updates and features
To prevent fraud and ensure platform security via 2-Factor Delivery Verification (2FA)
AI Data Processing: Images of menus, storefronts, payment QR codes, or compliance documents uploaded to the platform are securely processed by AI parsing tools solely to extract business details or menu items during onboarding. We do not use your business data, customer data, or uploaded documents to train public or proprietary AI models. The processed images are securely retained strictly for legal compliance, audit trails, and your reference, and are never supplied to third parties for model training.

Data Sharing

We share your information only when necessary:

With Meta Platforms, Inc. (WhatsApp Business API) to facilitate WhatsApp message delivery for secure authentication, identity verification, and order notifications. Order data processed via WhatsApp is subject to Meta's privacy terms.
With Twilio Inc. as a fallback option for SMS delivery when WhatsApp is unavailable.
With third-party government verification services for FSSAI and GSTIN compliance verification (coming soon - currently verified manually by our admin team during go-live review).
With payment processors to handle transactions securely
With Delivery Partners: Your delivery address and contact details are shared with the merchant, who may then share this information with their chosen third-party delivery services (like Rapido, Porter, or local riders) solely for order fulfillment.
With Ruchiq Agents: Merchants choosing "Agent-Led Onboarding" explicitly consent to sharing their business contact details and draft configuration data with authorized Ruchiq Agents. These agents process your data solely for the purpose of assisting with your initial setup, AI data extraction, and verification. All agents are subject to strict confidentiality agreements.
With Merchants (Agent Verification): To facilitate trust and prevent fraud, Ruchiq shares an authorized agent's name, photograph, and masked government ID details with the Merchant during the "Verify Agent" process initiated via WhatsApp. This sharing is limited to the specific verification session.
With service providers who help operate our platform (hosting, analytics, notifications)
When required by law or to protect our rights and users

Third-Party Privacy Policies

Your data processed by our partners is governed by their respective policies:

We never sell your personal information to third parties.

Your Privacy Rights

You can:

Update your profile information at any time
Manage your notification preferences for push notifications, WhatsApp, and emails
Request account deletion by contacting us at support@ruchiq.com
Contact us for any privacy-related questions or concerns

8. Data Storage and Residency

Data Residency: All personal data is stored on cloud servers located in India, ensuring compliance with data localization requirements.

Database Security: Data is stored in encrypted PostgreSQL databases with regular automated backups. Access is restricted to authorized personnel only. Sensitive Business Credentials (PAN, GSTIN, Bank Details) are logically segregated into high-security tables with Zero-Knowledge access patterns, accessible only by the Restaurant Owner.

Backup Retention: Database backups are retained for 30 days and then securely deleted.

Long-Term Compliance Records: Pursuant to industrial tax laws and financial compliance, Ruchiq maintains an immutable 9-Year Audit Trail for all orders and business configuration changes. These records are stored in specialized partitioned storage, ensuring they are preserved even if the associated account is closed, for legal and audit purposes. To balance this with consumer privacy, PII (Name/Phone/Address) is automatically scrubbed from operational data exports and dashboard views once a consumer has been inactive for more than 90 days at a specific restaurant.

Device Storage: When you install the Ruchiq management app or your customers install your branded restaurant app (PWA) on their mobile devices, some data is cached locally for offline functionality and faster performance. This includes menu images, recent orders, and user preferences. This data resides solely on the user's device and can be cleared via browser/app settings.

9. Data Security

We implement industry-standard security measures to protect your data, including encryption, secure authentication, and secure servers. However, no method of transmission over the internet is 100% secure.

10. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and analyze platform usage. You can control cookie settings through your browser.

11. Data Retention

Early Access Beta Notice: During Early Access, we make commercially reasonable efforts to preserve your data. However, as a beta service, we cannot guarantee data preservation indefinitely. We recommend regularly exporting your data. Upon Early Access conclusion, we will provide clear notice and a migration period before any data transitions or shutdowns occur.

We retain your personal data for as long as your account is active or as needed to provide services. However, to comply with legal, tax, and auditing obligations, certain critical records are retained for 9 years after account closure (applies after Early Access ends). This includes:

Transaction and order history
Historical business details and tax configurations
Policy version history

Phone Number Recycling & Inactivity Policy

Mobile numbers in India are subject to reassignment (recycling) by telecom operators after periods of inactivity. To protect your privacy and prevent account takeovers by new owners of recycled numbers:

Active Verification: We use live WhatsApp-based authentication to ensure that the individual accessing the account currently holds the active SIM for that number.
Level 1 - Phone Unlinking (90 Days WhatsApp Inactivity): If your registered WhatsApp number is not used on our platform for 90 days, we automatically unlink specific phone verification data. You will need to re-verify your number to regain phone-based access. This ensures that if you discarded your SIM, the new owner cannot access your existing account.
Level 2 - Account Scrubbing (90 Days Total Inactivity): If your account remains inactive via BOTH Email and WhatsApp for 90 continuous days, we classify the account as "Abandoned". To protect your personal data, we will automatically anonymize your profile (Name, Phone, Email) and revoke all access. This is a permanent action to ensure data minimization.

Consumer Account Inactivity (End Customers)

For end customers who use Ruchiq to order food (Phone-Only Accounts):

90-Day Privacy Reset: If a consumer phone number has not been active on the platform for 90 days, we automatically clear all saved delivery addresses and non-essential profile data associated with that number.
Re-Verification: Upon the next attempt to login or order, the user will be required to re-verify their phone number via WhatsApp OTP to confirm they are still the valid owner of that SIM card.
This policy strictly prevents a new owner of a recycled phone number from viewing the previous owner's address history.

If you request account deletion, we will remove non-essential personal information within 30 days. Mandatory audit records will be archived securely and restricted from active access. Cached data in PWA or browser storage is cleared when you sign out or uninstall the app.

12. Your Rights Under DPDP Act

Under India's DPDP Act 2023, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you
Right to Correction: Update inaccurate or incomplete personal data
Right to Erasure: Request deletion of your account and personal data
Right to Data Portability: Export your data in a machine-readable format (JSON/CSV)
Right to Withdraw Consent: Opt out of marketing communications or notification preferences
Right to Grievance Redressal: File complaints regarding data protection violations

To exercise these rights, contact our Data Protection Officer at support@ruchiq.com. We will respond within 30 days.

13. Data Breach Notification

In the event of a data breach that may cause harm to you, we will notify you and the Data Protection Board of India within 72 hours via email and platform notification. The notification will include details about the breach, affected data, and remedial actions taken.

14. Children's Privacy

Ruchiq is a B2B platform intended for business use only. We do not knowingly collect data from individuals under 18 years of age. Restaurant operators must be 18+ to create accounts.

15. Contact Us

For privacy-related questions, contact us at support@ruchiq.com

16. Grievance Redressal

For privacy complaints or concerns, contact our Grievance Officer:

Email: support@ruchiq.com

Response Time: Within 30 days