Effective date: May 25, 2026 | Governing law: Alberta, Canada (PIPEDA / Alberta PIPA) | Controller: GrabOrder, Calgary, Alberta
The short version
- We never sell your personal information.
- We never use your data for third-party advertising.
- Restaurant owners control their customers' data; we only process it on their behalf.
- You can request access, correction, or deletion of your data at any time.
- We use US-based cloud providers (Supabase, Vercel, Stripe). Your data may be stored in the US.
1. Who We Are
GrabOrder ("GrabOrder", "we", "us", "our") is a Canadian company headquartered in Calgary, Alberta. We operate the GrabOrder platform at graborder.ai, an AI-powered growth operating system for local restaurants, providing tools for loyalty programs, customer marketing, website building, Google presence management, review management, and more.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit our website or use our services as a merchant, restaurant customer, or website visitor.
2. Who This Policy Covers
This policy applies to three types of people:
- Merchants: restaurant owners and staff who create a GrabOrder account and use our platform.
- End consumers: customers of GrabOrder-powered restaurants who join loyalty programs, submit inquiry forms, or interact with our widgets (e.g. WhatsApp lead widget, chatbot).
- Website visitors: anyone who visits graborder.ai or any GrabOrder-powered restaurant website.
Note for end consumers: When your data is collected through a restaurant's GrabOrder-powered loyalty program or contact form, that restaurant is the primary data controller responsible for their use of your information. GrabOrder acts as a data processor, handling your data only on the restaurant's behalf. Contact the restaurant directly for questions about how they use your data.
3. Information We Collect
3.1 Information merchants provide directly
- Account information: name, email address, business name, phone number, and password when signing up.
- Business profile data: restaurant address, opening hours, menu items, photos, description, cuisine type, and other content you upload to the platform.
- Google Business Profile credentials: when you connect your Google account, we store OAuth access tokens to fetch analytics and post updates on your behalf. We do not store your Google password.
- Payment information: billing name and address. Card numbers are processed directly by Stripe and are never stored on our servers.
- Communications: messages you send us via support email or contact forms.
- Integration credentials: GrabOrder Restaurant ID and webhook credentials you enter to connect your online ordering system.
3.2 Information collected about restaurant customers (end consumers)
When your restaurant's customers interact with GrabOrder-powered features, we collect the following on the restaurant's behalf:
- Loyalty program: name, phone number, and optionally email address when joining a stamp card. We also store stamp count, reward history, and visit timestamps.
- WhatsApp Lead Widget: name and phone number entered by visitors on a restaurant's website before being connected to the restaurant's WhatsApp.
- Inquiry and catering forms: name, email, phone number, and message content submitted through restaurant website contact or catering forms.
- Chatbot interactions: messages sent to the AI chatbot on a restaurant website, along with a session identifier. We do not link chatbot conversations to a named individual unless the customer volunteers their details.
- Apple Wallet pass registration: device push token and device library identifier, used only to send silent pass-update notifications. We do not receive location data from Apple Wallet.
3.3 Information collected automatically from all users
- Usage data: pages visited, features used, time on platform, click patterns, and feature interactions.
- Device and browser information: IP address, browser type, operating system version, and referring URLs.
- Session data: authentication tokens stored in cookies and browser local storage to keep you signed in.
4. How We Use Your Information
4.1 To operate the GrabOrder platform
- Create and manage merchant accounts and restaurant profiles
- Run loyalty programs, send stamp and reward notifications
- Deliver AI-generated content (business descriptions, email copy, SEO content, review responses, post ideas)
- Sync and display Google Business Profile data and analytics
- Power restaurant websites and chatbots
- Send Apple Wallet silent push notifications when a loyalty pass is updated
4.2 To communicate with you
- Send transactional emails: stamp confirmations, reward notifications, billing receipts
- Send platform updates, new feature announcements, and usage tips (you can unsubscribe at any time)
- Respond to support requests
- Send automated loyalty campaign emails on behalf of restaurants (birthday rewards, win-back campaigns), only to end consumers who have opted in by joining that restaurant's loyalty program
4.3 To improve our services
- Analyse aggregated, anonymised usage patterns to improve platform features
- Detect and prevent fraud, abuse, and security incidents
- Generate platform-wide performance metrics (no individual data is exposed)
4.4 To comply with legal obligations
- Maintain financial records as required by Canadian tax law
- Respond to lawful requests from government authorities
- Enforce our Terms of Service
We do not sell your personal information. We do not use your data to serve you ads on any third-party platform.
5. How We Share Your Information
We share personal information only in the circumstances listed below. We do not rent or sell data to third parties for their own marketing.
5.1 Service providers
We use carefully selected third-party services to operate the platform. Each provider only receives the data necessary to perform their function:
- Supabase: database, authentication, and file storage (US/EU servers)
- Vercel: web hosting, edge computing, and cron jobs (US/EU)
- Stripe: payment processing (US). Stripe processes card data directly; we receive only billing name and payment confirmation.
- Resend: transactional email delivery (US)
- Anthropic (Claude): AI content generation (US). We send restaurant context (name, cuisine, city, public profile info) to generate copy. We do not send identifiable customer data (names, phone numbers, emails) to Anthropic.
- Voyage AI: text embedding for chatbot knowledge base (US). Knowledge base content is vectorised; no customer PII is transmitted.
- Google: Google Places API for business data sync and Google Business Profile API for analytics and post publishing (US). Requires merchant OAuth consent.
- Apple: APNs (Apple Push Notification service) for silent Wallet pass updates (US). We send only device push tokens, no personal data.
5.2 Restaurant operators
When end consumers join a restaurant's loyalty program, submit a form, or interact with a restaurant's widget, that restaurant's owner can view the data you provided (name, phone number, stamps, visit history) through their GrabOrder merchant dashboard. You are in a direct relationship with that restaurant.
5.3 Legal requirements
We may disclose personal information if required by law, court order, or government authority, or to protect the legal rights, property, or safety of GrabOrder, our users, or the public.
5.4 Business transfers
If GrabOrder is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
6. AI Processing
GrabOrder uses Claude (by Anthropic) to generate content including business descriptions, email copy, review responses, Google posts, and promotional ideas. When AI features are used:
- We send restaurant profile information (business name, cuisine, city, public details) to Anthropic's API to generate relevant content.
- We do not send customer PII (names, phone numbers, email addresses) to any AI provider.
- AI-generated content is returned to you for review; you decide what to publish.
- Anthropic's data use policy applies to prompts sent via their API. See anthropic.com/privacy.
7. Data Retention
- Active merchant accounts: retained for as long as the account is active.
- Cancelled accounts: we retain your data for 90 days after cancellation to allow for reactivation. After that, personal data is permanently deleted.
- Financial and billing records: retained for 7 years as required by Canadian tax law, even after account closure. This data is limited to billing name, amount, and date, not payment card details.
- End consumer loyalty data: retained as long as the restaurant account is active. If a merchant closes their account, their customers' loyalty data is deleted within 90 days.
- Chatbot conversation logs: retained for 12 months then permanently deleted.
- WhatsApp leads: retained until the merchant deletes them or the merchant account closes.
- Aggregated analytics: anonymised, non-identifiable aggregate data may be retained indefinitely as it cannot identify any individual.
8. International Data Transfers
GrabOrder is a Canadian company, but we use US-based infrastructure providers (Supabase, Vercel, Stripe, Resend, Anthropic, Voyage AI, Apple, Google). This means your data may be transferred to, stored, and processed in the United States.
The US may not have the same data protection laws as Canada. However, we ensure all providers maintain adequate security standards and contractual data protection obligations. By using GrabOrder, you consent to this transfer.
9. Your Rights
Under PIPEDA and the Alberta Personal Information Protection Act (PIPA), you have the following rights regarding your personal information:
- Right to access: request a copy of the personal information we hold about you.
- Right to correction: request that we correct inaccurate or incomplete information.
- Right to deletion: request that we delete your personal information (subject to our legal retention obligations).
- Right to withdraw consent: withdraw consent to our processing of your data at any time. This will not affect processing done before withdrawal.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to opt out of marketing: unsubscribe from marketing emails using the link in any email, or by emailing us. Transactional emails (receipts, security alerts) will continue.
To exercise any of these rights, email privacy@graborder.ai. We will acknowledge your request within 5 business days and respond fully within 30 days. We may ask for identity verification before processing your request.
If you are unsatisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner of Alberta.
10. Security
We implement industry-standard security measures to protect your personal information:
- Encryption in transit: all data is encrypted using TLS 1.2+
- Encryption at rest: database stored with AES-256 encryption via Supabase
- Row-level security: database policies ensure each merchant can only access their own data
- Access controls: admin access is restricted and protected by multi-factor authentication
- No plain-text passwords: all passwords are hashed using industry-standard algorithms via Supabase Auth
No system is completely secure. We encourage you to use a strong, unique password for your GrabOrder account and to notify us immediately if you suspect unauthorised access at privacy@graborder.ai.
11. Cookies & Tracking
We use cookies and similar browser storage technologies to operate the platform. We use only:
- Essential cookies: required for authentication and session management. Without these, you cannot stay logged in. These cannot be disabled while using the platform.
- Preference storage (localStorage): used to remember UI preferences such as sidebar state on the merchant dashboard.
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies. We do not use Google Analytics or any behavioural ad targeting on graborder.ai or on restaurant websites we host.
You can delete or block cookies in your browser settings. Blocking essential cookies will prevent you from staying signed in.
12. Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. Because we don't engage in cross-site tracking, DNT signals have no practical effect on how we operate. We do not change our data collection practices based on DNT signals.
13. Children's Privacy
GrabOrder is a business platform not directed at individuals under 18. Our restaurant websites are general-audience and not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it promptly. If you believe we have collected information from a child, please contact us at privacy@graborder.ai.
14. Changes to This Policy
We may update this Privacy Policy from time to time as our platform evolves or legal requirements change. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Notify registered merchants by email at least 14 days before the change takes effect
Your continued use of GrabOrder after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should stop using the platform and request deletion of your account.
If you have questions, concerns, or requests related to this Privacy Policy or your personal information, please reach out:
We aim to respond to all privacy-related enquiries within 5 business days.