Skip to main content

Privacy Policy

Effective: 27 September 2025

Overview

Indostra (“Indostra”, “we”, “our”) processes digital personal data in line with India’s Digital Personal Data Protection Act, 2023, and maintains “reasonable security practices” consistent with legacy SPDI expectations.

This notice explains what data is collected, how it’s used, how it’s secured, cross‑border transfers, and how data principal rights can be exercised with a grievance channel available.

What we collect

  • Account and business info: name, email, phone, venue/company details, and preferences provided during sign‑up or contact.
  • Usage and device data: logs, IP address, browser, device, and interactions used to secure and improve services.
  • Payments: subscription and billing details processed via compliant third‑party gateways; limited payment data is retained in our systems.

Lawful basis, consent, and withdrawal

Processing relies on consent or other permitted grounds under Indian law; consent is free, specific, informed, unconditional, and unambiguous and may be withdrawn at any time via settings or by contacting support.

Where consent is withdrawn, processing that relies solely on consent will cease, and related data will be erased upon purpose completion unless retention is required by law.

How we use data

  • Provide, operate, and improve QR ordering, KOT routing, payments, and support.
  • Secure accounts and systems, monitor for abuse, and investigate incidents.
  • Comply with legal obligations including taxation, audits, and lawful requests.

Sharing and processors

No sale of personal data; disclosures occur to vetted processors for hosting, analytics, payments, email, or support, under contracts requiring appropriate security and lawful processing.

Disclosures to authorities are made only when legally required and appropriately scoped to the stated purpose.

Security

Security measures include encryption in transit and at rest, access controls, audit logging, backups, and vulnerability management, aligned with “reasonable security practices” expected for SPDI.

A documented incident response process governs detection, containment, remediation, and communication, including breach notices required under applicable law.

Cross‑border transfers

Data may be processed outside India subject to applicable restrictions; where transferred, appropriate contractual and technical safeguards are applied consistent with Indian requirements.

Retention

Personal data is retained for as long as necessary for stated purposes and legal obligations, then deleted or irreversibly anonymized; purpose‑completed data is erased consistent with DPDP principles.

Your rights and requests

Data principals can request access, correction, deletion/erasure on purpose completion, and to withdraw consent; identity verification may be required to protect accounts.

To exercise rights, use the product interface where available or email grievance@indostra.com; responses will be provided within a reasonable period under applicable law.

Children’s data

The service is intended for adults; where children’s data is in scope for a venue, verifiable consent of the parent/guardian and heightened protections apply as required.

Grievance redressal

A grievance mechanism is available; contact the Grievance Officer at grievance@indostra.com for personal‑data concerns or rights requests, with best‑efforts redressal within a reasonable period.

Changes

This policy may be updated; material changes will be communicated, and continued use after updates indicates acceptance of the revised policy.