Privacy Policy

Last updated: 22 April 2026

Template notice. This document is a working draft and has not been reviewed by a UK solicitor. Before relying on it, have it reviewed by a qualified legal advisor.

This Privacy Policy describes how OrderTap collects, uses, and protects information about you. We follow UK GDPR and the Data Protection Act 2018.

1. Who we are

OrderTap is the data controller for the information described below. Contact: privacy@ordertap.uk.

2. Information we collect

From restaurant owners:

  • Email address, password (hashed with bcrypt), restaurant name
  • Optional: logo, brand colour, tipping and table preferences
  • Stripe account ID (to route payments to you — we never see card details)
  • Your menu content that you upload

From restaurant customers:

  • Table number or customer-supplied name (used to deliver the order)
  • Order contents and total
  • Approximate IP address (for rate-limiting and abuse prevention)
  • Payment data goes directly to Stripe. We don't see or store card details.

3. Why we use it

  • To run the service (show your menu, route orders, process payments via Stripe)
  • To reply when you contact us
  • To detect abuse (rate limiting)
  • To improve the product (anonymised usage trends)

4. Lawful basis (UK GDPR)

  • Contract: to provide the service you've signed up for.
  • Legitimate interest: abuse prevention, security, analytics.
  • Legal obligation: tax, accounting, allergen compliance records.

5. Sharing

We share data only with the sub-processors below, each on the basis of standard UK GDPR data-processing agreements:

  • Stripe (Ireland/US) — payments processing
  • OpenAI (US) — menu photo OCR, when you use it
  • Our hosting and database providers (UK-based)

We never sell your data.

6. Retention

  • Restaurant accounts: as long as the account is active, plus 6 years for tax records after closure.
  • Order records: 6 years (HMRC requirement).
  • Contact form messages: 2 years.
  • You can request earlier deletion by emailing us (subject to our legal retention duties).

7. Your rights

  • Access: request a copy of what we hold.
  • Correction: ask us to fix inaccurate data.
  • Deletion: ask us to delete your data (subject to legal retention).
  • Portability: export your menu and order history.
  • Complaint: file one with the ICO (ico.org.uk).

Email privacy@ordertap.uk to exercise any of these. We aim to respond within 30 days.

8. Cookies

We use strictly-necessary cookies only: your session cookie (to keep you logged in) and a CSRF token. We don't use analytics or advertising cookies. If that changes, we'll show a cookie banner first.

9. Security

  • Passwords hashed with bcrypt (cost factor 12).
  • HTTPS in production, HTTP-only secure cookies.
  • Card data never touches our servers — it goes direct to Stripe.
  • Multi-tenant isolation enforced at every data access.

10. Changes

We'll update this page as the service evolves. Material changes will be emailed to account holders.