Privacy Policy

How we collect, use, and protect the information you and your restaurant share with MeroRestro.

Last updated: 24 May 2026

1. Overview

MeroRestro ("we", "us", or "our") provides restaurant management software including ordering, point-of-sale, kitchen order tickets (KOT), staff management, finance reporting, and customer-facing QR menus. This policy explains what data we collect when you, your staff, and your customers use MeroRestro, and what we do with it.

By creating an account or using MeroRestro, you agree to this Privacy Policy. If you do not agree, please do not use the service.

2. Information We Collect

2.1 Account information (restaurant owners)

  • Name, email address, and password (stored as a one-way bcrypt hash — we cannot read it back)
  • Profile photo, if you upload one
  • Restaurant name, logo, and contact details
  • If you sign in with Google: your Google account name, email, and profile picture (we do not receive your Google password)

2.2 Staff account information

  • Staff name, email, assigned Staff ID code, role, and password hash
  • Optional attendance and salary records, if you use those modules
  • Activity logs (which staff member performed which action and when), retained for audit purposes

2.3 Operational data you enter

  • Menu items, categories, prices, and item images
  • Tables, orders, KOT entries, reservations, and notifications
  • Inventory levels, finance entries, and reports you generate

2.4 Customer-facing data

When a diner scans a QR code at your table and places an order, we receive the order details (items, quantities, table number) and any optional info they provide (e.g. waiter-call requests). We do not require diners to create accounts or share personal information to place an order.

2.5 Payment information

When you purchase a subscription, you may upload a screenshot of your bank transfer or e-wallet payment for our team to verify. We store the screenshot, transaction ID, plan name, and (for Custom plans) the list of add-ons you selected. We do not collect or store your full card number, CVV, or banking credentials. If you pay through a third-party gateway such as eSewa, that gateway handles the payment and provides us only with a success/failure confirmation.

2.6 Technical data

  • Browser type, operating system, screen size, and language preference
  • IP address and approximate location (city / country) for security and audit logs
  • Pages visited and features used inside MeroRestro, to diagnose bugs and improve the product
  • Cookie identifiers (see Section 5)

3. How We Use Information

We use the data above to:

  • Provide the MeroRestro service — show your menu, take orders, run reports, send notifications
  • Authenticate you and your staff and keep your account secure
  • Verify payments and activate the correct subscription plan
  • Send service notifications (new orders, waiter calls, subscription expiry warnings)
  • Respond to support requests you send us by email, phone, or WhatsApp
  • Diagnose bugs, monitor uptime, and improve performance
  • Detect and prevent fraud, abuse, and unauthorised access
  • Comply with applicable Nepali law (e.g. tax records, court orders)

We do not sell your data, your staff's data, or your customers' data to anyone. Ever.

4. Sharing & Disclosure

We share data only in these limited cases:

  • Service providers we depend on — our web host, email delivery service (SendGrid), and payment gateways (eSewa, banks). These providers process data on our behalf and are bound by confidentiality.
  • Google OAuth — if you choose "Continue with Google", we exchange data with Google as part of the sign-in flow.
  • ZAPTAG.ORG — if you order NFC business cards or NFC QR stands as part of your plan, we share the shipping address you provide with ZAPTAG to fulfil the order.
  • Legal compliance — if we receive a valid court order, subpoena, or government request, we may disclose data to the extent required by law. We will notify you unless legally prohibited.
  • Business transfer — if MeroRestro is acquired or merged, your data may transfer to the new owner under the same protections as this policy.

5. Cookies & Notifications

5.1 Cookies

We use a small number of cookies:

  • Session cookie (PHPSESSID) — keeps you logged in. Required for the service to work.
  • "Remember me" cookie (mero_remember) — if you tick "Remember me" at login, this lets you stay signed in for up to 30 days. You can clear it by logging out.

We do not currently use third-party analytics or advertising cookies.

5.2 Browser notifications

If you grant permission, MeroRestro can send native browser notifications (Windows toast / Android notification shade) for new orders and waiter calls. Notifications are sent only from the open MeroRestro tab; we never push notifications when you are not actively using the service. You can revoke the permission at any time in your browser settings.

6. Data Retention

  • Account data is kept for as long as your account is active.
  • Operational data (orders, KOTs, finance entries) is kept for as long as you keep your account, or as long as required by Nepali tax law — whichever is longer.
  • Activity logs are kept for at least 12 months for security and audit purposes.
  • Payment screenshots are kept for at least 3 years to support refund or dispute investigations.
  • If you delete your account, we will erase your personal data within 30 days, except for data we are legally required to retain.

7. Security

We take reasonable steps to protect your data:

  • Passwords are hashed with bcrypt; we cannot view them in plain text
  • Sessions are regenerated on login to prevent session fixation
  • Database access is restricted and credentials are kept outside the public web root
  • We strongly recommend you access MeroRestro only over HTTPS — on HTTPS, all traffic between your browser and our servers is encrypted in transit
  • You are responsible for keeping your own password secure and for granting staff accounts only to people you trust

No system is perfectly secure. If we discover a breach that affects your data, we will notify you without undue delay and explain the impact and what we are doing to fix it.

8. Your Rights

You can:

  • Access any data we hold about you — most of it is already visible inside your dashboard
  • Correct inaccurate data through the dashboard or by emailing us
  • Export your menu, orders, and finance reports using the built-in export features
  • Delete your account — email us at the address in Section 11
  • Withdraw consent for things you opted into (e.g. notifications) at any time

Restaurant owners are responsible for handling these requests from their own staff and customers, since the owner controls their data inside MeroRestro.

9. Children

MeroRestro is a business product and is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to this Policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and notify active account holders by email and a dashboard banner at least 14 days before the change takes effect. Continued use of MeroRestro after the change means you accept the updated policy.

11. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or how we handle your data:

  • Email: sales@merorestaurant.com
  • Phone / WhatsApp: +977 9802853939

We aim to respond to all data-related requests within 7 business days.

© 2026 MeroRestro