Data protection rules for the OrderNow website, customer account, restaurant software and operational flows. Last update: 05.05.2026
The controller for the processing described as OrderNow-controlled in this policy is Robert Dziak, operating an unregistered business activity (not entered in CEIDG) under the OrderNow brand, Warsaw, Poland.
Privacy contact: kontakt@ordernow.pl.
OrderNow acts in different roles depending on the flow. It is the controller for its own website, accounts, security, support, analytics and commercial relationship data. For many restaurant-operated flows, the restaurant is the controller and OrderNow provides the software as a processor.
For restaurant modules involving guests, customers, staff, couriers, suppliers or uploaded documents, the restaurant should have data-processing terms with OrderNow, either in the commercial agreement or a separate data-processing agreement.
If a request concerns data for which a restaurant is the controller, OrderNow may forward the request or ask the user to contact that restaurant directly.
| Person / flow | Data | Purpose | Legal basis | Role | Retention |
|---|---|---|---|---|---|
| Restaurant owner / demo user / contact person | Name, venue name, email, phone, topic, message, location count, locale, source path, anti-spam and rate-limit data. | Handling inquiries, demos, offers, implementation talks and protection against spam. | Art. 6(1)(b) GDPR for pre-contract steps; Art. 6(1)(f) GDPR for relationship management and security. | OrderNow as controller. | Usually up to 24 months after the last meaningful contact, unless cooperation starts or claims/legal duties justify longer storage. |
| Restaurant registration and owner account | Email, hashed password, restaurant name, slug, selected plan, invite code, source path, verification token and reminders. | Creating a restaurant workspace, verifying email, starting a trial or commercial cooperation and securing access. | Art. 6(1)(b), Art. 6(1)(c) and Art. 6(1)(f) GDPR. | OrderNow as controller for account, security and settlement data. | Pending unverified restaurant registrations are removed after 14 days. Verification links last 24 hours. |
| Restaurant staff and couriers | Email, role, name, phone, restaurant assignment, login activity, shifts, courier profile, online status and staff documents uploaded by the restaurant. | Providing staff panels, KDS, waiter/courier workflows, role-based access and operational records. | Restaurant's basis as controller; OrderNow's Art. 6(1)(f) GDPR for security and access logs. | Usually restaurant as controller and OrderNow as processor; OrderNow as separate controller for authentication/security. | For the duration set by the restaurant and contract/DPA; security logs as needed for platform protection and claims. |
| Customer account | Name, email, phone, hashed password, Google OAuth identifier, email verification, saved delivery addresses and account activity. | Account login, delivery orders, saved addresses, loyalty participation, profile management and account security. | Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR for security; consent where required. | OrderNow as controller for the account; restaurant may be controller for order fulfilment data. | For account duration and then as needed to close the account, defend claims and meet legal duties. Password reset links last 30 minutes. |
| Guest using QR menu | Table token, restaurant slug, anonymous guest identifier, basket, selected products, modifiers, notes, service/bill requests and order status. | Submitting and handling table orders, maintaining session continuity, preventing abuse and showing order status. | Restaurant's order basis; OrderNow's Art. 6(1)(f) GDPR for technical security. | Usually restaurant as controller and OrderNow as processor; OrderNow as controller for platform security. | Browser/session storage follows the Cookie Policy. Restaurant order records follow restaurant retention and legal obligations. |
| Delivery customer | Recipient name, phone, delivery address, instructions, latitude/longitude, quote, distance, ETA, order and delivery status events. | Calculating delivery availability and cost, creating delivery orders, assigning courier/partner status and informing the restaurant/customer. | Art. 6(1)(b) GDPR for requested delivery features; restaurant's order basis; Art. 6(1)(f) GDPR for security. | Mixed: OrderNow as account controller, restaurant as order/delivery controller, OrderNow as processor for restaurant operations. | Delivery quotes are valid for 15 minutes; delivery/order records are retained according to restaurant obligations and claim/security needs. |
| Reservation guest | Name, email, phone, date, time, party size, occasion, notes, preferences, cancellation token and reservation events. | Creating, confirming, changing, cancelling and notifying the restaurant about reservations. | Restaurant's basis for reservation service; Art. 6(1)(b) or Art. 6(1)(f) GDPR depending on context. | Restaurant as controller; OrderNow usually as processor. | According to restaurant settings, operational needs, claims and legal duties. |
| Feedback, loyalty and coupons | Ratings, comments, manager replies, Google review redirect timestamp, loyalty balances, transactions, reward/coupon redemption and order links. | Collecting restaurant feedback, running loyalty/reward logic, validating coupons and preventing abuse. | Restaurant's basis; Art. 6(1)(b) for requested loyalty features; Art. 6(1)(f) for abuse prevention and claims. | Restaurant as controller for guest relationship; OrderNow as processor and separate controller for security. | According to restaurant/customer account retention and claim/security needs. |
| Inventory suppliers and restaurant operations | Supplier name, email, phone, tax ID, notes, purchase orders, goods receipts, warehouses and stock movements. | Restaurant inventory, supplier management, purchasing and operational reporting. | Restaurant's legal basis as controller; OrderNow's Art. 6(1)(f) GDPR for platform security. | Restaurant as controller; OrderNow as processor. | According to restaurant accounting, tax, operational and claim obligations. |
| Technical, security and analytics data | IP-related metadata, rate-limit identifiers, logs, browser path, referrer host, UTM parameters, consent state, Vercel Analytics/Speed data after consent. | Security, diagnostics, abuse prevention, legal compliance, optional analytics and website performance. | Art. 6(1)(f) GDPR for security/diagnostics; Art. 6(1)(a) GDPR for optional analytics where consent is required. | OrderNow as controller. | Security data only as long as needed for protection/claims. Analytics browser storage lasts for the session; consent state up to 180 days. |
Contract or requested pre-contract steps: accounts, login, delivery quote, registration and requested electronic services.
Legal duties, including accounting, tax, complaint, security and compliance duties where they apply.
Legitimate interests: security, fraud prevention, diagnostics, claim defence, service reliability and relationship management.
Consent: optional analytics and any future processing that legally requires consent.
Data is disclosed only where needed to provide, secure, maintain or document the service. The current product map includes:
- Vercel: Hosting, application infrastructure, Vercel Blob for public restaurant/media files, optional Analytics and Speed Insights after consent.
- Database and storage providers, including Supabase Storage: Application database and private storage for uploaded staff documents and operational files.
- Upstash Redis: Rate limiting, anti-abuse protection and service-security throttling.
- Pusher: Private real-time restaurant, kitchen, courier, reservation and order-tracking channels.
- Resend: Transactional emails such as verification, password reset and reservation messages.
- DeepL: Management-user requested translations of short product/menu texts in the admin panel.
- Google: OAuth login and optional redirects to Google review services configured by restaurants.
- Professional advisers and authorities: Accounting, legal, security, claim handling or lawful public-authority requests where necessary.
OrderNow does not currently load Google Analytics, GA4 or Google Tag Manager in the runtime application.
Necessary cookies and browser storage support login, table sessions, guest continuity, basket state, order tracking, staff preferences and security. Optional analytics and attribution storage are enabled only after consent.
Exact names and retention periods are listed in the Cookie Policy.
Some providers may process data outside the European Economic Area. Where this happens, OrderNow relies on an adequacy decision, standard contractual clauses or another GDPR-compliant safeguard.
Depending on the context and legal basis, the user may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing and withdrawal of consent.
Requests should be sent to kontakt@ordernow.pl.
The user may also lodge a complaint with the competent data-protection authority. In Poland this is the President of the Personal Data Protection Office (UODO).
OrderNow uses automated technical rules such as delivery-zone calculation, coupon validation, loyalty calculations, abuse checks and sales/upsell events. These rules support service delivery and reporting. OrderNow does not intentionally make fully automated decisions producing legal or similarly significant effects for the user within the meaning of Art. 22 GDPR.
Current contact and chat forms are inquiry forms, not newsletter sign-ups. OrderNow may reply to an inquiry and conduct reasonable B2B follow-up connected with the request. Separate marketing consents will be collected where legally required.
This policy is updated when the product, law, provider map or data flows change. The current version is published with its update date.