Privacy Policy

Effective date: 20 June 2026

Zesty is a restaurant operations platform for QR ordering, staff ordering, kitchen display, billing, payments, inventory, customers, staff access, analytics, mobile workflows, support, and related services.

This Privacy Policy explains how Zesty collects, uses, stores, shares, and protects personal data and restaurant operating data across the public website, authenticated web application, mobile application, public customer ordering flows, APIs, support tools, and related services.

Scope and roles

For users in India, this policy is intended to be read consistently with the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025 as they come into force, the Information Technology Act, 2000, and applicable rules.

Restaurants, restaurant groups, franchise operators, owners, and organization admins control much of the customer, staff, menu, billing, tax, inventory, and operational data they enter into Zesty. Zesty provides software tools and may process that data to provide, secure, support, and improve the service.

Data we collect

We may collect account and identity data such as name, email address, phone number, authentication records, organization membership, role, permissions, security settings, active sessions, device metadata, support activity, and audit records.

Restaurant organizations may store operating data such as restaurant profiles, branches, tables, menus, item prices, item images or icons, taxes, inventory, suppliers, recipes, purchase orders, stock counts, expenses, staff records, customer records, loyalty activity, orders, bills, payment status, refund context, analytics, white-label settings, support tickets, attachments, and configuration settings.

Customer ordering flows may collect customer name, phone number, table or pickup details, order items, notes, payment state, OTP challenge state, receipt context, feedback, and communication preferences where enabled by the restaurant.

We also collect technical and security data such as IP address, browser and device information, operating system, approximate network-derived location, request logs, error reports, rate-limit events, webhook events, storage events, abuse signals, and diagnostics needed to operate and protect Zesty.

How we use data

We use data to provide and secure Zesty, authenticate users, manage organizations and branches, enforce roles and permissions, process orders and bills, verify payment and refund workflows, run inventory and analytics features, send transactional communications, support restaurants, troubleshoot issues, prevent abuse, maintain audit logs, improve reliability, and comply with legal obligations.

We do not sell personal data. We do not use restaurant customer data to create fabricated marketing claims, fake usage metrics, or fake testimonials.

Restaurant responsibilities

Restaurants are responsible for the data they choose to collect, upload, export, import, or process in their workspace. This includes giving required notices, collecting required consents, maintaining accurate customer-facing information, honoring lawful customer and staff requests, configuring tax and payment details correctly, and using exports or integrations in compliance with applicable law.

If a restaurant uses Zesty to contact customers by SMS, WhatsApp, email, phone, or another channel, the restaurant is responsible for having a lawful basis and required consent for those communications.

Payments

Zesty may use Razorpay and other configured providers for subscriptions, customer payments, payment verification, refunds, reconciliation, and billing-provider access. Zesty does not store full card numbers, UPI credentials, CVV, or bank login credentials.

Payment providers may process payment identifiers, transaction status, billing details, fraud-prevention signals, chargeback data, settlement information, and related records under their own terms and privacy policies.

Support access and attachments

Eligible organization owners or admins may allow audited support access when creating or managing support tickets. Support access should be used only when relevant to the ticket. Support tickets and attachments may contain operational or personal data, so restaurants should upload only lawful, relevant, and necessary files.

Sharing and processors

We share data only as needed to operate Zesty, including with providers for hosting, databases, object storage, authentication, email, messaging, payments, analytics, monitoring, logging, security, customer support, and infrastructure operations.

We may disclose data when required by law, court order, government request, fraud prevention, platform security, enforcement of terms, protection of rights and safety, or a business transfer.

Security

We use organization and branch scoping, role-based access controls, authenticated APIs, audit logs, signed upload and download flows, payment webhook verification, rate limiting, security headers, monitoring, and operational safeguards.

No system is perfectly secure. Organization owners and admins should use strong credentials, enable available security controls, remove departed staff, review permissions, protect provider credentials, and avoid sharing accounts.

Retention and deletion

We retain data while accounts or restaurant workspaces are active and as needed for operations, audit logs, billing, tax, payment disputes, refunds, support, security, backups, fraud prevention, and legal requirements.

We may delete, archive, de-identify, or anonymize data when it is no longer needed or when a valid deletion request can be honored. Some records may need to be retained for legal, tax, accounting, payment, security, backup, or dispute reasons even after a deletion request.

Rights and requests

Users may request access, correction, export, grievance redressal, withdrawal of consent where applicable, or deletion of personal data, subject to identity verification, restaurant administrator controls, contractual duties, security needs, and legal retention obligations.

Restaurant customers and staff should usually contact the restaurant first because the restaurant controls much of the workspace data. Zesty may redirect requests to the relevant restaurant organization when appropriate.

Children

Zesty is intended for restaurant operations and is not directed to children. Restaurants should not use Zesty to knowingly collect children's personal data unless they have a lawful basis and required notices, consents, or guardian approvals.

International transfers

Zesty and its providers may process data in India or other locations where infrastructure, support, security, or provider services operate. When data is transferred, we use practical safeguards required for the service and applicable law.

Changes

We may update this Privacy Policy as the platform, law, providers, or security practices change. Material changes will be reflected by updating the effective date or by providing notice through appropriate channels.

Contact

For privacy questions, use Contact Zesty, email hello@zesty.id, or use the support channel available in the application.