Privacy Policy
Last updated: May 16, 2026
1. Who we are
FoodApp ("we", "us") is the data controller for personal data collected through this website and the FoodApp service. We are established in the European Union and process data in accordance with the EU General Data Protection Regulation (GDPR) and the Bulgarian Personal Data Protection Act.
2. What we collect
From restaurant owners: name, email, phone, business name, subdomain choice, address, password hash, payment metadata (when paid plans launch), and operational data you enter (categories, products, orders received).
From end customers ordering through a tenant page: name, phone, optional email, delivery/pickup details, order content, IP address and basic device data. We process this data on behalf of the restaurant (the tenant), which is the controller for its own customer data.
Automatically: log data (IP, user agent, request path, timestamps), cookies strictly necessary for session management, and aggregated usage analytics.
3. Why we use it (legal basis)
- Contract performance — to provide the service you subscribed to.
- Legitimate interest — to operate, secure, debug and improve the service, prevent fraud, and communicate service-related notices.
- Legal obligation — to keep accounting records and respond to lawful requests.
- Consent — for marketing emails and optional analytics, where required.
4. Who we share data with
We use a small number of vetted processors strictly for infrastructure: hosting (EU region), transactional email, error monitoring and, when paid plans launch, a payment provider (Stripe). All processors are bound by GDPR-compliant data processing agreements. We do not sell personal data and do not share data with advertisers.
5. International transfers
Data is stored in the European Union. Where a processor handles data outside the EU/EEA, transfers are protected by Standard Contractual Clauses and equivalent safeguards.
6. Retention
Account and operational data is retained while your account is active. After cancellation we keep data for 30 days to allow export, then permanently delete it. Accounting records are kept for the period required by Bulgarian law (currently 10 years for invoices). Logs are rotated within 30 days.
7. Your rights
Under the GDPR you have the right to access, correct, delete, port or restrict processing of your personal data, and to object to processing based on legitimate interest. To exercise any of these rights, email privacy@foodapp.bg. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP).
8. Cookies
We use strictly necessary cookies for session management and CSRF protection. We do not use third-party advertising cookies. Optional analytics, when enabled, are anonymised and IP-truncated.
9. Security
We use TLS in transit, hashed passwords (bcrypt), encrypted at-rest storage on managed hosting, role-based access for staff, audit logging, and regular dependency updates. No system is perfectly secure; we will notify affected users and the regulator within 72 hours of confirming a breach involving personal data.
10. Children
FoodApp is not directed at children under 16 and we do not knowingly collect data from them.
11. Changes
Material changes to this policy will be announced via email or in-app notice at least 14 days before they take effect.
12. Contact
Data protection enquiries: privacy@foodapp.bg.