This Privacy Policy describes how FidFood ("FidFood," "we," "us") collects, uses, and shares information when you use our customer loyalty platform — whether you're a restaurant owner subscribing to FidFood, a member of restaurant staff using the scanner, or a diner participating in a restaurant's loyalty program.
We've tried to write this in plain English. If anything is unclear, email us at alvargaya@megobrands.com.
1. What information we collect
Restaurant accounts (owners and staff): name, email address, password (hashed; never stored in plain text), phone number, restaurant business information, and payment information (handled by Stripe; we never see card numbers).
Customers (diners): phone number, name (optional), birthday (optional, customer-provided), and your visit history at restaurants where you've joined the loyalty program. Each visit records the timestamp and amount spent (as entered by restaurant staff). We do not collect government IDs, payment methods, location, or photos.
Automatically collected: standard server logs (IP address, browser, timestamps) for security and abuse prevention. Cookies necessary for authentication and session management.
2. How we use your information
To run the loyalty program. We track your visits and progress toward rewards at the restaurants you've joined.
To send SMS messages with your consent. When you join a restaurant's loyalty program, you provide a phone number and confirm with a one-time SMS verification code. By doing so, you consent to receive recurring marketing messages from that restaurant via SMS — for example, reminders when you're close to earning a reward, win-back messages when you haven't visited in a while, birthday treats, and occasional announcements. Message frequency varies. Message and data rates may apply. We respect a minimum 48-hour gap between any two messages from the same restaurant to prevent spam.
To improve the service. Anonymized, aggregated usage data helps us understand which features matter and which don't.
To prevent fraud and abuse. Detect suspicious account activity, abuse of SMS, etc.
3. How to opt out of SMS
Reply STOP to any marketing SMS to unsubscribe from that restaurant's messages. Standard SMS opt-out keywords are honored (STOP, UNSUBSCRIBE, CANCEL, END, QUIT). Reply HELP for assistance. Opting out of one restaurant does not opt you out of others — each restaurant's loyalty program is separate.
You can also delete your account entirely by contacting us at alvargaya@megobrands.com; this removes all your personal data from FidFood and stops all messages from any restaurant via our platform.
4. Who we share information with
Restaurants you've joined see your name, phone number, visit history, and total spend at their restaurant only. They do not see information from other restaurants you've joined.
Service providers we depend on to run FidFood: Supabase (database and authentication), Stripe (payment processing), Twilio (SMS delivery), Vercel (hosting), and OpenAI (menu photo extraction, when the restaurant uses that feature). Each of these handles data only as needed to provide their service to us, under contract.
We do not sell your data. We do not share customer data across restaurants. We do not run third-party advertising on the customer-facing app.
Legal compliance. We may disclose information when required by law (subpoena, court order) or to protect against imminent harm.
5. How long we keep your data
We keep your account and visit history for as long as your account is active, plus a reasonable period afterward to handle disputes and comply with legal obligations. SMS logs are retained for 24 months for compliance purposes. You can request earlier deletion at any time via alvargaya@megobrands.com.
6. Your rights
You have the right to:
- Access a copy of the data we hold about you
- Correct inaccurate data (you can update most of this in your portal directly)
- Delete your account and associated data
- Opt out of all marketing SMS (reply STOP)
- For California residents: rights under the CCPA including the right to know, delete, correct, and opt-out of sale (we do not sell data)
- For EU/UK residents: rights under GDPR/UK-GDPR including the right to portability and to object to certain processing
Contact alvargaya@megobrands.com to exercise any of these rights. We respond within 30 days.
7. Security
We use industry-standard practices to protect your data: encryption in transit (TLS) and at rest, hashed passwords, role-based access controls, and routine security audits. No system is perfect; if we ever detect a data breach affecting your information, we will notify you and the appropriate authorities as required by law.
8. Children
FidFood is not intended for use by anyone under the age of 13 (or 16 in the EU/UK). We do not knowingly collect data from children. If we discover we have collected such data, we will delete it.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email (for restaurant accounts) or notice in the customer portal (for diners). Continued use after the effective date of an updated policy means you accept the changes.
10. Contact
Questions, requests, or concerns: alvargaya@megobrands.com