Effective Date: 1 July 2026 | Last Reviewed: 1 July 2026 | Applies to: tablekard.com and all Tablekard sub-services
At Tablekard, operated by growtez, your privacy is not an afterthought — it is an architectural principle. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have over your own data.
By using Tablekard, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the platform and contact us to have your data removed.
1. Who This Policy Covers
This policy covers two categories of users:
- Restaurant Operators — individuals and businesses who create a Tablekard account to manage their restaurant's digital menu, orders, and staff.
- Dining Customers — individuals who scan a restaurant's QR code to browse the menu or place an order. We minimize the data we collect from this group to only what is operationally necessary.
2. Information We Collect
From Restaurant Operators, we collect:
- Name, email address, and phone number (for account creation and authentication)
- Restaurant name, address, operating hours, and logo (for your public-facing digital menu)
- Menu content: item names, descriptions, prices, and photos you upload
- Payment account information: Razorpay API credentials stored in encrypted form (we do not store bank account details directly)
- Usage data: pages visited within the admin dashboard, features used, session duration (for product improvement analytics)
From Dining Customers, we collect:
- Order contents (items ordered, quantities, special instructions)
- Table number (from the QR code scan context)
- Phone number, if provided voluntarily for order confirmation purposes
- Payment transaction reference ID (from Razorpay) — we never see or store raw card numbers or UPI PINs
3. How We Use Your Data
- To create and maintain your restaurant account and provide access to the admin dashboard
- To display your restaurant's menu to customers who scan your QR codes
- To relay orders from customers to your kitchen/dashboard in real-time
- To process payments via Razorpay and provide transaction confirmations
- To generate analytics reports on your restaurant's order volume, revenue, and popular items
- To send you transactional emails (account confirmation, password reset, subscription notifications)
- To improve the Tablekard platform through aggregated, anonymized usage analytics
We do not use your data for third-party advertising. We do not sell your data to any third party. We do not use your customers' order data to build advertising profiles.
4. Data Isolation & Multi-Tenant Security
Tablekard uses Supabase (PostgreSQL) with Row Level Security (RLS) policies enforced at the database layer. This means that every query executed against our database is automatically filtered by your restaurant's unique identifier. It is architecturally impossible for Restaurant A to read Restaurant B's orders, menus, or analytics — even if both are on the same physical database server.
All data in transit is encrypted via TLS 1.3. Data at rest is encrypted using AES-256 managed by Supabase's cloud infrastructure (hosted on AWS).
5. Data Retention
- Active accounts: Data is retained for as long as the account is active.
- Cancelled accounts: Data is retained for 30 days after cancellation to allow account reactivation, then permanently deleted.
- Order records: Retained for 12 months for analytics purposes, then anonymized.
- Deletion requests: You can request complete account deletion at any time by emailing privacy@tablekard.com. We will complete the deletion within 7 business days and send a confirmation.
6. Cookies & Tracking
The Tablekard admin dashboard uses session cookies for authentication purposes only. We use minimal, privacy-respecting analytics (no third-party tracking pixels) to understand how the product is being used. The customer-facing QR menu does not set any tracking cookies.
7. Your Rights (PDPB 2023 Compliance)
In accordance with India's Personal Data Protection Bill and applicable data protection principles, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Correction: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Request your data in a machine-readable format (JSON/CSV)
To exercise any of these rights, email privacy@tablekard.com from your registered email address.
8. Contact the Data Controller
Data Controller: growtez (operating Tablekard)
Email: privacy@tablekard.com
For urgent data protection concerns, include "URGENT: Data Protection" in the subject line.