Privacy Policy

Last Updated: June 30, 2026

NextGenRestaurant ("we", "our", or "us") is a multi-tenant restaurant management and point-of-sale SaaS platform operated by Prashant Shah and Rahul Pajiyar.

This Privacy Policy describes how we collect, use, store, share, and protect personal data and business data when you use the NextGenRestaurant backend, web application, mobile application, and related services (the "Services").

By using the Services, you agree to the practices described in this Policy.


1. Information We Collect

We collect information necessary to operate, secure, and improve the platform.

Account & Admin Data

  • Email address, username, and password (stored as an Argon2id hash — never in plaintext)
  • Account status, email verification status, failed login count, and lock timestamps
  • Login timestamps, IP address, and user-agent hash at authentication

Staff Data

  • Employee code, branch assignment, employment status, and suspension/termination reason
  • Staff PIN (stored as an Argon2id hash), roles, and permission grants
  • Schedules, wages, payroll-related data, time-clock entries, break records, and tip-pool data
  • Attendance photos and geolocation records (where enabled by the Admin — see Permissions section)

Restaurant & Business Data

  • Company name, branch configuration, settings, and subscription plan
  • Menus, categories, modifiers, prices, tax rules, and availability
  • Tables, floors, reservations, and seating policies
  • Orders, bills, KOT/KDS records, payment records (method, amount, tip, refund, reference), and receipts
  • Inventory items, stock levels, purchase orders, suppliers, and lot/recall records
  • Gift cards, credit accounts, promotions, coupons, and discount records
  • Reporting data, audit logs, entity change logs, and security event records
  • Subscription payment tickets and optional proof document URLs

Customer Data

  • Name, phone number, email address, delivery address, and notes
  • Date of birth, marketing opt-in/consent flag, visit count, and last-visit timestamp
  • Order history, reservation records, guest counts, gift card balances, and credit ledger
  • QR ordering guest session data and online booking records

Device & Session Data

  • Unique device identifier and human-readable device label (platform and OS)
  • Session IDs, trusted device records, and socket session metadata
  • Push notification tokens registered with Firebase Cloud Messaging
  • Login attempts and security event records (e.g. suspicious login alerts)

Uploaded Files

  • Menu item images (uploaded to Cloudinary)
  • Staff time-clock attendance photos (uploaded to Cloudinary where enabled)
  • Subscription payment proof document URLs (may point to external or Cloudinary-hosted files)

Local & Offline Device Data

The mobile app stores data locally to support offline operation:

  • Secure storage: access token, refresh token, session ID, auth context, and device ID
  • Offline sync database (SQLite): queued operations, payload JSON, entity snapshots of menus, branches, tables, orders, and staff, conflict records, and sync checkpoints
  • Print queue database (SQLite): durable print jobs with order ID, print payload, status, attempt count, and errors

Important: Logging out clears your authentication credentials from secure storage. However, offline sync data and print queue data stored in the local SQLite databases are not automatically wiped on logout. Restaurants should control physical access to shared POS devices and instruct staff to clear or uninstall the app before a device leaves their custody.

2. Mobile App Permissions

📍 Location — Geo-Fencing Attendance

When: Only when an Admin has enabled geo-fencing for your organization.
Purpose: Verify the employee is within the permitted restaurant radius at clock-in/out; monitor boundary compliance during an active shift.
Enforcement: Employees who leave the approved geo-fence radius during a shift are automatically logged out.
Storage: Location coordinates and boundary check results are stored as part of the attendance record, accessible only to authorized Admins.

Location is never accessed when geo-fencing is disabled by the Admin.

📷 Camera — Attendance Photo & Menu Images

Attendance photos: Only when an Admin has enabled photo-based attendance. A selfie is captured at clock-in/out to verify staff identity. Camera is accessed only at the moment of capture — never in the background.
Menu images: When a manager uploads a menu item photo using the image picker.
QR/barcode scanning: For order scanning workflows when the scanner widget is active.

🔵 Bluetooth & Local Network

  • Discover and connect to Bluetooth and LAN thermal receipt printers
  • Connect and synchronize POS devices within the restaurant's local network
  • Maintain kitchen print workflows via a foreground service (Android)

Bluetooth and local network data is used only for restaurant printing and device operations — never for advertising or cross-device tracking.

🔔 Push Notifications

The app registers a Firebase Cloud Messaging (FCM) token with our backend to receive push notifications for operational events (orders, kitchen alerts, subscriptions, etc.). The FCM token is unregistered on deliberate logout on a best-effort basis.

🖼 Photo Library

Accessed only when a manager selects an existing image from the device library for menu item upload.


3. What We Do Not Collect

  • GPS location when geo-fencing is disabled by your Admin
  • Camera access in the background or without a user-initiated action
  • Contacts, personal files, messages, or call logs
  • Activity across other apps or websites
  • Analytics or crash-reporting data via third-party analytics SDKs
  • Live payment gateway transaction data (no Stripe/Khalti/eSewa/Fonepay SDK is integrated)

We do not sell, rent, or trade your personal or business data.

We do not use your data for behavioral advertising or profiling.


4. How We Use Your Information

  • Authenticate users and manage sessions, devices, permissions, and security events
  • Operate all restaurant workflows: menus, orders, POS/billing, KDS/KOT, kitchen stations, inventory, customers, reservations, QR ordering, gift cards, promotions, and reporting
  • Support offline sync and local print queue management
  • Deliver in-app, realtime, push, and email notifications where enabled
  • Manage subscription plans, trials, manual payment verification, and account lifecycle
  • Maintain audit logs, security records, and operational support records
  • Detect fraud and unauthorized or anomalous access
  • Process deletion requests and respond to support queries

5. Data Sharing & Third-Party Services

We do not sell, rent, or trade your data. We share data only with the following service providers, as necessary to operate the platform:

Cloudinary

Hosts menu item images and staff time-clock attendance photos via signed direct upload. Data sent: images, Cloudinary public IDs, tenant/branch folder references.

Firebase (Google)

Firebase Cloud Messaging delivers push notifications. Data sent: FCM device token, notification title, body, and data payload.

SMTP Email Provider

Transactional emails (password reset, verification, security alerts, report delivery) sent via Nodemailer. Data sent: recipient email, subject, and body.

Hosting & Database

Our backend and PostgreSQL database run on cloud hosting infrastructure. The provider has access to persisted data as required to provide infrastructure services.

We may also disclose information if required by law, valid legal process, or to protect the rights and safety of our users. In the event of a merger or acquisition, user data may be transferred as part of that transaction.


6. Data Retention

Active Accounts

Data is retained while your account is active.

Deactivated Accounts

Data becomes inaccessible to the account but may be retained so that the account can be reactivated.

Expired Subscriptions

Company data may be permanently deleted 1–6 months after expiration.

Session & Audit Logs

Temporary diagnostic logs are removed after approximately 30 days.

Attendance Photos

Punch photos are deleted per the photo-retention period configured by your branch Admin.

Local Device Data

Offline sync and print queue SQLite data persist on-device until the app is uninstalled or manually cleared.


7. Data Deletion & Your Rights

You have the right to access, update, and request deletion of your data.

In-App Company Deletion

Admins can permanently delete their company and all associated data:

  1. Open NextGenRestaurant
  2. Navigate to Settings › Account Security
  3. Select Permanently Delete Company
  4. Complete email verification and the one-time challenge code

Deletion is irreversible once confirmed.

Email Deletion Request

If you cannot access the application, email us at:

Deletion & Privacy Requests
support@prashantshah.dev

Use your registered owner email for identity verification. Deletion requests are processed within 30 days.


8. Security Measures

  • Argon2id hashing for Admin passwords and Staff PINs
  • Opaque refresh tokens stored only as HMAC hashes, rotated on every use, with revocation when a replayed (already-rotated) token is detected
  • JWT access token sessions with global and per-route authorization guards
  • Logout and logout-all session revocation
  • HttpOnly, SameSite=Strict refresh-token cookies with a CSRF double-submit token for web sessions
  • Encrypted secure storage for auth credentials on the mobile app
  • Rate limiting on authentication and sensitive API endpoints
  • Request validation with whitelist enforcement and unknown-field rejection
  • CORS allowlist and security headers (Helmet, HSTS)
  • Tenant/branch folder isolation for Cloudinary uploads

While we take reasonable steps to protect your data, no system guarantees absolute security. Restaurants are responsible for the security of their own devices, physical POS terminals, local networks, and staff practices.


9. Restaurant Responsibility for Customer & Staff Data

Restaurants are responsible for ensuring they have a lawful basis to collect and process the data they enter into the Service. This includes obtaining any required consent for:

  • Staff time-clock attendance photos and geolocation tracking
  • Staff wages, payroll, scheduling, and device-level tracking
  • Customer profiles, marketing communications, and loyalty program enrollment
  • Guest QR ordering sessions and reservation records

Restaurants are also responsible for managing staff access controls and for complying with all labor, employment, and data protection laws applicable to their operations.


10. Children's Privacy

NextGenRestaurant is intended for business use by restaurants and hospitality organizations.

We do not knowingly collect personal information from individuals under 18 years of age.

If we become aware that such information has been collected, we will delete it promptly.


11. Changes to This Policy

We may update this Privacy Policy when our Services, data practices, or legal requirements change. The "Last Updated" date at the top of this page will be revised accordingly. We may also provide notice within the application for material changes. Continued use of the Services after an update constitutes acceptance of the revised Policy.


12. Contact Us

For questions about this Privacy Policy, your data, or to submit a privacy request:

Privacy & Support
support@prashantshah.dev
Developers
Prashant Shah & Rahul Pajiyar

NextGenRestaurant is an independent software platform developed and maintained by its creators for restaurant management and point-of-sale operations.