Privacy Policy
This Privacy Policy explains how Ovenfresh ("we", "us") collects, uses, shares, and protects personal data when you use the Ovenfresh website, mobile applications, and related services (the "Service"). It is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, as applicable.
1. What we collect
We collect data in three broad categories:
Information you provide to us
- Name, mobile number, and (optional) email address when you create an account.
- Saved delivery addresses, including geolocation coordinates and access notes.
- Order details — items, outlet, pickup/delivery slot, special instructions, custom-cake inscriptions and reference photos.
- Payment instrument metadata (issuer, last four digits) returned by the payment gateway. We do not store full card numbers or UPI PINs.
- Optional birthday, when you choose to add it to your profile.
Information collected automatically
- Device and app information — device model, operating system version, app version.
- Approximate IP-derived location, used to suggest the nearest outlet.
- Usage events — pages viewed, items added to cart, orders placed (collected through privacy-preserving analytics that does not use third-party cookies).
- Push-notification token and subscription state, when you opt in to notifications.
- Live location of riders during active deliveries, used solely to show the rider's position to the receiving customer; this stops when the delivery is completed or cancelled.
Information from third parties
- Payment status and refund updates from our payment gateway when you pay online.
- Limited delivery-status data from our mapping partner used to render the live tracking map.
2. How we use your data
- To process orders, communicate order status, and provide pickup or delivery.
- To operate the loyalty programme and referral programme.
- To send transactional notifications you've subscribed to (order confirmations, status changes, custom-cake confirmations).
- To send marketing communications, only with your explicit consent (and with a clear way to opt out).
- To improve the menu, app, and outlet operations.
- To detect, prevent, and investigate fraud or abuse of the Service.
- To comply with our legal obligations under Indian law (FSSAI compliance, tax, consumer-protection law, court orders).
3. When we share your data
We do not sell or rent personal data. We share specific data with carefully selected third parties only as needed to deliver the Service:
- Outlet staff and delivery riders see the customer's name, contact phone, address, and order details required to fulfil the order.
- Payment gateway (Razorpay or equivalent) processes online payments and receives the order reference, amount, and contact details required for transaction processing.
- Notification provider (OneSignal) delivers native push notifications to your device when you opt in. Web push uses VAPID keys that we manage directly.
- Mapping provider (Mapbox) is used to display maps and snap rider routes; only coordinate pairs are shared with the provider.
- Hosting and database (Supabase, hosted on AWS in the Mumbai region by default) stores account, order, and operational data.
- Government authorities, on lawful request and only as required by Indian law.
Each third-party processor is bound by confidentiality and data-protection obligations under their own contractual terms.
4. Data retention
Account information is retained for as long as your account is active. Order records, invoices, and tax documents are retained for the period required by Indian tax and accounting law (typically 8 years from the end of the relevant financial year). Live rider-location data is retained only while a delivery is in progress and is overwritten on each subsequent delivery; historical traces are not stored.
On account deletion, personal data tied to identification (name, contact, addresses) is removed. Anonymised order history may be retained for legitimate business analytics.
5. Your rights
You have the right to:
- access the personal data we hold about you;
- correct inaccurate or outdated data;
- withdraw consent for marketing communications at any time;
- request deletion of your account and associated personal data, subject to retention obligations under Indian law;
- nominate someone to exercise your rights in the event of incapacity or death, where applicable under the Digital Personal Data Protection Act, 2023.
To exercise any of these rights, contact our grievance officer (details below). We will respond within the timelines mandated by applicable law.
6. Cookies and local storage
We use cookies and local storage on the website and in-app web view to:
- keep you signed in across visits;
- remember your cart contents;
- store privacy and notification preferences;
- cache menu data for fast page loads.
We use a privacy-preserving analytics provider (Plausible) that does not set third-party tracking cookies and does not build cross-site profiles. You can clear local storage via your device's browser settings; doing so will sign you out and empty your cart.
7. Push notifications
Native push notifications (via APNs on iOS, FCM on Android) and web push (via VAPID) are sent only after you grant permission on your device. You can revoke this permission at any time in your device settings; doing so disables order-status notifications. We use a third-party provider (OneSignal) for native push delivery.
8. Data security
We implement reasonable security practices and procedures, including TLS encryption for all network traffic, role-scoped database access, and restricted access to production credentials. No system is completely secure; please notify us immediately if you suspect unauthorised activity on your account.
9. Children
The Service is intended for users 18 years and older. We do not knowingly collect data from children under 18 without parental consent. If you believe a child has provided us with data without consent, contact us and we will delete it.
10. International transfers
Your data is primarily processed and stored in India (AWS Mumbai region). Some processors (such as our notification, mapping, and analytics providers) may process limited operational metadata outside India. Where such transfers occur, they take place under standard contractual terms appropriate to the data involved.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced through the Service. Continued use after changes take effect constitutes acceptance.
12. Grievance officer
In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, you can contact our grievance officer for any complaint or query regarding personal data:
- Name: To be added
- Email: To be added
- Phone: To be added
- Address: Zakura Industrial Estate, Srinagar, Jammu & Kashmir 190006