Privacy Policy
Effective: 26 April 2026
Last updated: 26 April 2026
This Privacy Policy describes how Ordesify (“we”, “us”, “our”) collects, uses, discloses, and protects your personal information when you use ordesify.com and related services (the “Service”).
We operate in compliance with Thailand’s Personal Data Protection Act B.E. 2562 (PDPA).
1. Information We Collect
1.1 Information you give us directly
Restaurant owners and staff
- Full name
- Email address
- Password (stored as a one-way hash; not retrievable)
- Restaurant details: name, logo, address, coordinates
- Menu data, order data, and accounting entries you record
Customers ordering at a table
- The table you scanned (from the QR code)
- Items you ordered and quantities
- Amounts paid
- We do not ask QR-ordering customers for name, email, or phone number.
Recipe community members
- Full name
- Email address
- Password (when registering with email)
- Recipes, photos, comments, and ratings you post
1.2 Information from social login
If you choose to sign in with Google, Facebook, or LINE, we receive only:
- Email address
- Full name
We do not receive or store any other information from your social account, such as friend lists, profile pictures, posts, or activity.
1.3 Information collected automatically
- IP address, browser type, operating system
- Pages visited and time spent
- Cookies and related tracking technologies
1.4 Payment information
When you pay via PromptPay, payments are processed by Omise. Payment details do not pass through our servers.
2. How We Use Your Information
We use your information to:
- Provide the platform and ordering functionality
- Authenticate accounts and protect against unauthorized access
- Process payments and refunds
- Send notifications about orders and the service
- Improve and develop the service
- Comply with legal obligations
We will not use your information for third-party marketing without your consent.
3. Cookies, Analytics, and Consent
3.1 Essential cookies
Our website uses essential cookies to:
- Maintain your login session (Sanctum / Laravel cookies)
- Remember your language preference
- Maintain your table-ordering session
- Remember your cookie consent choice
These cookies are always active and cannot be disabled, as they are necessary for the website to function.
3.2 Analytics (Google Analytics with Consent Mode v2)
We use Google Analytics 4 (GA4) with Google Consent Mode v2 to understand site usage in aggregate.
How it works:
- The Google Analytics script loads on every page visit.
- On your first visit, a consent banner appears. Analytics cookies are denied by default until you give consent.
- Without consent: GA operates in a limited, cookieless mode. It may send anonymized, aggregated pings (without cookies or persistent identifiers) to help us understand basic traffic patterns. No personal data is collected in this mode.
- With consent: GA sets analytics cookies to measure visits, sessions, and page interactions. Data collected includes anonymized IP addresses, pages visited, device type, and referring source.
You can change your analytics consent at any time via the “Cookie settings” link in the website footer.
3.3 Advertising
We do not use advertising cookies. The following Google consent categories are permanently denied: ad_storage, ad_user_data, and ad_personalization.
3.4 Disabling cookies
You may disable cookies or browse in private/incognito mode. Essential functionality (such as login) may not work without cookies enabled.
Google’s privacy policy: https://policies.google.com/privacy
4. Disclosure of Information
We do not sell your personal information. We disclose it only in the following cases:
- Service providers — Omise (payments), Google (login & analytics), Facebook, LINE — to deliver the service
- The relevant restaurant — order details are visible to the restaurant you ordered from
- When legally required — court orders, government requests, or similar legal process
- To protect rights — in the event of disputes or violations of our Terms of Service
5. Data Retention
- Account data is retained while your account is active.
- Order and accounting records are retained for the period required by tax law (typically 5 years).
- Data is deleted or anonymized once it is no longer needed for the purpose collected.
6. Security
We use appropriate measures to protect your information:
- HTTPS encryption on every page
- Bcrypt password hashing
- Cookie-based authentication (Laravel Sanctum)
- Login rate limiting
- PCI-DSS-compliant payment processing via Omise
No system is 100% secure. If a data breach occurs, we will notify you and the relevant authorities as required by law.
7. Your Rights
Under the PDPA, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion (the right to be forgotten)
- Object to certain processing
- Withdraw consent previously given
- Data portability — request transfer of your data to another provider
- Lodge a complaint with the Personal Data Protection Committee (PDPC)
Contact us at: privacy@ordesify.com
8. Cross-Border Data Transfers
Some service providers (such as Google and Facebook) operate servers outside Thailand. When you use those services, your data may be transferred to countries with different data-protection laws. We choose providers that maintain appropriate security standards.
9. Children
The service is not directed to anyone under 13. We do not knowingly collect data from children. If you are a parent and learn that your child has provided us with data, please contact us so we can delete it.
10. Changes to This Policy
We may update this policy from time to time. For material changes, we’ll notify you by email or via a notice on the website before the changes take effect.
11. Contact
For questions about this policy or to exercise your PDPA rights:
Ordesify
Email: privacy@ordesify.com
Website: https://ordesify.com