Privacy Policy
Last updated: 14 June 2026
This document is provided in English, which is the authoritative version. Translations may be offered for convenience only.
This Privacy Policy explains how DishGate (“DishGate”, “we”, “us”) collects, uses, and protects personal data when you use dishgate.com and our services. We aim to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and applicable data-protection laws in the GCC and other regions where our customers operate.
1. Who we are (controller)
For your account and our marketing, DishGateis the data controller. For the personal data your restaurant collects from its own guests through the menu (for example a guest’s order and table number), the restaurant is the controller and DishGateacts as a processor on the restaurant’s behalf. Contact us about privacy at Contact@dishgate.com.
2. Data we collect
- Account data — restaurant name, your name, email, phone, country, password (stored hashed).
- Restaurant content — menus, prices, photos, 3D models, logos, branches, promotions.
- Billing data — handled by our payment provider Paddle. We do not store your full card details; we receive only limited information such as plan, status, and country.
- Guest & usage analytics — anonymous menu views, QR vs link source, language chosen, item/AR interactions, and (where ordering is enabled) order contents, table number, and notes a guest enters.
- Technical data — IP address, device/browser type, and log data, used for security and reliability.
- Local storage — we store your language preference and login session in your browser. We do not use third-party advertising or cross-site tracking cookies.
3. How we use data & legal bases (GDPR/UK)
- To provide the service (create your menu, publish it, process orders) — performance of a contract.
- To bill you via our payment provider — performance of a contract.
- To secure and improve the service, prevent abuse, and produce aggregate analytics — our legitimate interests.
- To send service and, where permitted, marketing messages — legitimate interests or your consent, which you may withdraw at any time.
- To comply with legal obligations — legal obligation.
4. Cookies & similar technologies
We use only strictly necessary browser storage (your login session and language preference) and our payment provider may set cookies needed to process payment securely. We do not use advertising or analytics cookies that track you across other sites.
5. Sharing & sub-processors
We do not sell your personal data. We share data only with service providers that help us run DishGate:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication & file storage hosting |
| Vercel | Application hosting & content delivery |
| Paddle | Payment processing & Merchant of Record (billing, tax, invoices) |
| Google Fonts | Web font delivery on page load |
We may also disclose data if required by law, to enforce our Terms, or to protect rights and safety.
6. International transfers
Our providers may process data in countries outside your own, including the EU and the United States. Where required, such transfers are protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an equivalent mechanism.
7. Data retention
We keep account and content data while your account is active and for a reasonable period afterwards to comply with legal, tax, and accounting obligations, after which we delete or anonymise it. You can ask us to delete your account data sooner (see your rights below).
8. Your rights
EU / UK / similar regimes
You have the right to access, correct, delete, or port your personal data; to restrict or object to processing; to withdraw consent; and to lodge a complaint with your local data-protection authority. To exercise these rights, email Contact@dishgate.com.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use it, to delete it, to correct it, and to opt out of “sale” or “sharing” of personal information. We do not sell or share your personal information as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights.
GCC & other regions
Where local laws (such as in Saudi Arabia, the UAE, Bahrain, Qatar, Oman, or Egypt) grant rights to access, correct, or delete your data, you may exercise them by contacting us at the address above, and we will respond as those laws require.
9. Guests’ personal data
When a guest places an order through a restaurant’s menu, we process that data as a processor for the restaurant. Guests with questions about their data should contact the restaurant directly; we will assist the restaurant in responding to such requests.
10. Children
The service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.
11. Security
We use reasonable technical and organisational measures — including encryption in transit, hashed passwords, access controls, and reputable hosting providers — to protect personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Changes
We may update this Policy and will revise the “Last updated” date. Material changes will be notified by a reasonable means.
13. Contact
Privacy questions or requests: Contact@dishgate.com. DishGate, 77276, Cairo, Egypt.