Privacy Policy

Who we are

Coffee Mustache ("we", "our", "us") builds an AI-powered customer experience layer for cafés (QR/NFC menu, personalization, upsell, waiter/bill requests, WhatsApp support). This Privacy Policy explains what we collect, why we collect it, how we use it, and your choices.

Scope

This policy covers: (a) diners/customers, (b) café owners/admins and staff, and (c) visitors to our website/WhatsApp/links.

Data we collect

• A. You share with us
  • Contact: name, phone number, email (e.g., when placing an order, joining loyalty, or chatting with us on WhatsApp).
  • Profile (optional): preferences, dietary tags, favorite items, birthday/month.
  • Order & feedback: cart items, order history, ratings, comments.
• B. Collected automatically
  • Usage & device: pages viewed, clicks, time on page, browser/OS, screen size, app version, IP (for security).
  • Location (only if you allow it): to find nearby cafés or tailor suggestions.
  • Table/session context: café id, table id (from QR/NFC).
• C. Staff (café employees, if enabled by the café)
  • Attendance & role data.
  • Biometric vectors (FaceIO) for touchless attendance/anti-spoofing. We never store raw photos/video; FaceIO handles biometric processing.
• D. From third parties
  • Café partners share order/fulfillment status, offers, inventory signals.
  • WhatsApp Business Solution Provider (BSP) shares delivery/read status.

Why we use your data (examples)

• Utility messages on WhatsApp: order confirmations, updates, bill/valet status, support.
• Personalization: show relevant items, reorder favorites, time-of-day suggestions.
• Loyalty & receipts: track visits, Mustache points, send receipts.
• Product safety & analytics: detect fraud/abuse, improve reliability and UX.
• Marketing (only with opt-in): send café events, offers, new features via WhatsApp/SMS/email. You can opt out anytime.

Legal basis (plain English)

• To provide the service you request (orders, receipts, support).
• Your consent (e.g., marketing, location, WhatsApp opt-in).
• Legitimate interests (fraud prevention, service analytics), balanced with your rights.
• Legal obligations (tax/audit/records).

Sharing your data

We do not sell personal data. We share only with:

• Café partners you interact with (to prepare and serve your order, run loyalty, post-order ads).
• Vendors/Processors: hosting (e.g., AWS), analytics, FaceIO (biometric vectors only), WhatsApp BSP/Meta for message delivery. All under contracts and access controls.
• Law enforcement/Regulators: when required by law.

International transfers

If data is processed outside India, we apply contracts and safeguards (standard contractual clauses or BSP/Meta processor terms).

Retention (how long we keep data)

• Customer account/consent records: as long as your account/relationship exists + up to 24 months after last activity, unless you ask us to delete sooner.
• Orders, invoices, tax/finance records: kept as required by law (typically 7 years).
• WhatsApp event logs (delivery/read): up to 13 months for audit/dispute.
• Backups: securely retained and then purged on a rolling schedule (see Data Deletion Policy).

Security

We use encryption in transit, access controls, and least-privilege practices. No system is 100% secure; we continually improve safeguards.

Children

Our service is intended for adults. If you are under 18, use the service only with parent/guardian consent.

Your rights (DPDP, India)

• Access/Portability: ask what we hold.
• Correction: fix inaccurate data.
• Deletion: ask us to erase data (see Data Deletion Policy).
• Withdraw consent: e.g., type "STOP" on WhatsApp or email us.
• Grievance: coffeemustache369@gmail.com (Subject: "Grievance – Privacy").

Changes

If we materially change this policy, we'll notify you in-app or via WhatsApp/email and post the new date above.