1. Who we are
BahiKash is an Estonian cloud point-of-sale platform operated by Bhupender Kumar Verma ("we", "us"). The incorporation of BahiKash OÜ is in progress; until registration is complete, the named individual is the legal operator of this service. Contact details are on the Imprint page.
This policy explains how BahiKash handles personal data at the platform level. Each restaurant using BahiKash ("tenant") is independently the data controller for customer data entered into their tenant (for example, customer names attached to orders). The tenant's own privacy policy governs that use. BahiKash acts as a data processor on the tenant's behalf; see our Data Processing Agreement.
2. What information we collect
- Tenant account information: business name, registry number, VAT number, address, owner email, owner phone.
- Signup telemetry: IP address, country, timestamp, and a coarse referrer classification (for example "social_linkedin" or "google_search"). No device fingerprinting.
- Operational logs: request URLs, response codes, tenant slug, timestamps. Personal data is not intentionally logged; if it leaks into a URL or error message, it is retained for no more than 30 days and then purged.
- Email communication: messages sent to our support address are stored for as long as the conversation is open plus 12 months.
Customer data entered by tenants (order names, phone numbers, loyalty identifiers) is not controlled by BahiKash. Where you are an end customer of a restaurant, please ask that restaurant for its own privacy policy.
3. Legal basis under GDPR Art. 6
- Contract (Art. 6(1)(b)): for tenant account information, billing, and service delivery.
- Legitimate interest (Art. 6(1)(f)): for signup telemetry and operational logs, to detect fraud and keep the platform running.
- Consent (Art. 6(1)(a)): for optional marketing communications if you opt in (none are sent by default during beta).
4. Who we share data with
We use the following sub-processors. All are bound by written contracts at least as strict as our obligations to you.
- Cloudflare, Inc. (US/EEA) - DNS, CDN, DDoS protection, bot management, TLS termination.
- Resend, Inc. (US/EU) - transactional email delivery.
- GitHub, Inc. (US) - source code and container registry hosting; no customer personal data stored here.
- Hetzner Online GmbH (Helsinki, Finland, EEA) - disaster-recovery Postgres replica hosting.
The primary Postgres cluster and Kubernetes control plane are run on hardware under our direct control in Estonia (EEA) and are not provided by a third-party sub-processor.
We do not sell personal data. We do not share it with third parties for marketing.
5. Retention
- Tenant account data: kept while the account is active, plus 90 days after closure for wind-down and dispute resolution.
- Signup telemetry (signup_audit): 12 months, under legitimate interest for fraud prevention, then auto-purged.
- Operational logs: 30 days.
- Email correspondence: duration of the conversation plus 12 months.
- Backups: 7-day rolling window; backups older than 7 days are destroyed automatically.
6. Your rights (GDPR Art. 15 to 22)
You have the right to access, rectify, erase, restrict processing, object to processing, and port your data. To exercise any of these, email support@bahikash.com with "GDPR request" in the subject line. We respond within 30 days.
You can complain to the Estonian Data Protection Inspectorate (www.aki.ee/en) if you believe we are handling your data incorrectly.
7. Cookies and local storage
The customer QR ordering surface uses browser localStorage (not cookies) to track the active order session. This storage is cleared when the tab is settled. No tracking cookies are set. No advertising identifiers are read. Marketing-site cookie settings can be reviewed at any time via the footer's "Cookie settings" link.
8. International transfers
Our primary data storage is in Estonia (EEA). Some sub-processors (Cloudflare, Resend, GitHub) may route traffic or store metadata outside the EEA. Standard Contractual Clauses (SCCs) or equivalent safeguards apply under GDPR Chapter V.
9. Changes to this policy
During beta we may change this policy with 24 hours' notice, communicated via the Beta Partner's registered email. After beta, material changes will be notified at least 30 days in advance.
10. Contact
For any privacy question, including GDPR requests: support@bahikash.com.