Privacy Policy

The controller for the processing covered by this policy is Robert Dziak, operating an unregistered business activity under the OrderNow brand, Warsaw, Poland, unregistered business activity (not entered in CEIDG).

Privacy contact: kontakt@ordernow.pl.

For restaurant order fulfilment, menu content, delivery handling, loyalty settings, complaints about the food order and other venue-side commercial decisions, the restaurant using OrderNow is generally the controller.

In restaurant-operated flows, OrderNow may act as a processor or as a separate controller to the extent it independently decides about platform security, anti-abuse controls, claim defence, system diagnostics or compliance duties.

For requests concerning data for which the restaurant is the controller, the user should contact the relevant restaurant directly.

• Website and contact forms

  Name, venue name, email, phone, topic, message, location count, locale, source path and technical anti-spam data.

• Customer account and login

  Name, email, phone number, encrypted password, Google identifier and login or session data.

• Restaurant staff and operational accounts

  Email, optional password, role, name, restaurant assignment, forced password change flag, last login, employee documents, work shifts, courier profiles and related operational data.

• Restaurant orders and deliveries

  Order identifiers, table or token context, selected products, modifiers, notes, order totals, guest identifiers, customer identifiers, delivery recipient name, phone number, address, delivery instructions, delivery quote data and order-status events.

• Loyalty, coupons and reviews

  Loyalty balances, transactions, reward redemptions, coupon validations, ratings, comments, source of the opinion, Google redirection timestamp and manager replies.

• Geolocation and browser data

  Latitude and longitude entered by the user or obtained from browser geolocation, cookies, local storage, session storage, IP-related metadata, rate-limit and security logs, browser path, referrer host and UTM data where consent has been given.

• Sources of data

  Data comes directly from the user, from the restaurant using the platform, from the browser or device, from Google during OAuth login and from operational events generated while using the service.

• Art. 6(1)(b) GDPR

  Processing necessary to provide the website functions, customer account, login, table-order continuity, delivery quote or another service requested by the user.

• Art. 6(1)(c) GDPR

  Processing necessary to comply with legal obligations, for example accounting, tax, complaint-handling, anti-fraud or security obligations.

• Art. 6(1)(f) GDPR

  Processing based on legitimate interests, in particular service security, abuse prevention, claim defence, diagnostics and service reliability.

• Art. 6(1)(a) GDPR

  Consent where required, especially for optional analytics, optional attribution storage or future optional marketing processing that depends on consent.

OrderNow uses cookies and similar technologies to maintain login sessions, guest and order continuity, QR table context, delivery forms, opinion prompts and optional analytics.

Optional analytics and attribution storage activate only after consent. Details, including the exact names of the main cookies and browser-storage keys, are available in the Cookie Policy.

Data may be disclosed to trusted providers only to the extent necessary to run the service. Depending on the relevant module, this may include in particular:

• hosting and infrastructure providers used by OrderNow,
• database providers and data-storage providers, including providers used for restaurant media and employee document storage,
• Upstash for rate limiting and service protection,
• Pusher for real-time restaurant dashboards and private order-tracking channels,
• Google for OAuth login and, if the restaurant enables it, redirection to Google review services,
• Vercel Analytics and Vercel Speed Insights where the user consents to optional analytics.

Some providers used by OrderNow may process data outside the European Economic Area. Where that happens, OrderNow relies on an appropriate transfer mechanism, such as an adequacy decision, standard contractual clauses or another lawful safeguard required under the GDPR.

• Contact and sales-lead data: for the time necessary to handle the inquiry and then for the period needed to document the contact, defend claims and avoid duplicate outreach, usually not longer than 24 months unless a longer relationship begins.
• Customer account data: for the duration of the account and then for the period needed to close the account, defend claims and fulfil legal duties. Where technically possible, deleted accounts are dissociated from historic orders.
• Saved delivery addresses: until deleted by the user or until the account is deleted.
• Restaurant-order and delivery records: for the period required by the restaurant's own legal and operational obligations; OrderNow may retain security and integrity records for the time necessary to protect the platform and defend claims.
• Staff documents and work-related records: for the duration of cooperation and afterwards as required by labour, accounting, contractual or claim-related obligations.
• Cookies and browser-stored data: according to the periods stated in the Cookie Policy and until deleted or overwritten by the user or browser.

Depending on the legal basis and context, you may request:

• access to your data,
• rectification of inaccurate data,
• erasure of data,
• restriction of processing,
• data portability,
• objection to processing based on legitimate interests,
• withdrawal of consent at any time, without affecting prior lawful processing.

Requests should be sent to kontakt@ordernow.pl.

You also have the right to lodge a complaint with the competent data protection authority, in Poland: the President of the Personal Data Protection Office (UODO).

OrderNow may use automated technical rules, for example delivery-zone calculations, coupon validation, abuse checks or loyalty calculations. These mechanisms support service delivery and fraud prevention. Based on the current product design, OrderNow does not intentionally make fully automated decisions producing legal effects for the user within the meaning of Art. 22 GDPR.

• encrypted HTTPS communication and security headers,
• hashed passwords and signed or bound session mechanisms,
• rate limiting, authentication hardening and anti-abuse controls,
• role-based access and private real-time channels for restaurant and order-tracking modules.

This policy may be updated when the product, legal requirements or processor set changes. The current version is published on the website with its effective date.