Privacy Policy
Last updated: 15 March 2026
CafeOS (“we”, “us”, “our”) operates the venue management platform at operate.cafe. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our platform as a venue owner, manager, or staff member.
By creating an account and using CafeOS, you agree to the collection and use of information in accordance with this policy.
1. Information we collect
- Account information: when you register, we collect your name, email address, and password (stored as a secure hash). Venue owners additionally provide venue name, address, and contact details.
- Payment information: CafeOS uses Stripe Connect to process payments. We do not store card numbers or bank details. Payment data is handled entirely by Stripe under its PCI DSS compliance. For order records, we store references to Stripe payment intent IDs and transfer amounts.
- Order and reservation data: we store orders, reservation details, menu items, table assignments, and associated transaction records as necessary to operate the platform.
- Usage data: we collect standard web server logs including IP addresses, browser type, pages visited, and session duration to maintain platform security and performance.
- Images: if you upload menu item photos, these are stored in your configured S3-compatible storage (RustFS or MinIO). We do not store images on our servers.
2. How we use your information
- To operate the CafeOS platform and provide the services you have registered for.
- To process payments via Stripe Connect and maintain transaction records.
- To send automated emails for order confirmations, reservation confirmations, and reservation reminders — these are part of the core service.
- To display analytics data within your venue dashboard.
- To communicate with you about platform updates, security notices, and support responses.
- We do not sell your personal data to third parties. We do not use your data for advertising.
3. Data sharing
- Stripe: payment data is shared with Stripe to process transactions. Stripe's Privacy Policy governs how Stripe handles this data.
- Email providers: if you configure an SMTP provider, order and reservation notification emails are sent through that provider.
- We do not share your data with any other third parties except as required by law.
4. Data retention
- We retain account data for as long as your account is active or as needed to provide services.
- Order and reservation records are retained for a minimum of 7 years to comply with financial record-keeping obligations.
- If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.
5. Your rights
- Access: you have the right to request a copy of the personal data we hold about you.
- Correction: you can update your account information at any time from within your CafeOS settings.
- Deletion: you may request deletion of your account and associated personal data by contacting us at privacy@operate.cafe.
- Portability: you may request an export of your order and reservation data in a standard format.
- If you are located in the European Economic Area or the United Kingdom, you have rights under the GDPR and UK GDPR respectively. To exercise any of these rights, contact us at privacy@operate.cafe.
6. Cookies
- CafeOS uses strictly necessary cookies for authentication (session cookies) and security (CSRF tokens). We do not use advertising cookies or third-party tracking cookies.
- The customer-facing QR menu (PWA) uses localStorage to store the cart state. This data stays in the customer's browser and is not transmitted to our servers except as part of an order submission.
7. Security
- We implement industry-standard security measures including TLS encryption for data in transit, bcrypt password hashing, and regular security reviews.
- Sensitive operations (password changes, Stripe Connect setup) require re-authentication.
- If you discover a security vulnerability, please contact us at security@operate.cafe.
8. Children
- CafeOS is intended for business use by adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Changes to this policy
- We may update this Privacy Policy from time to time. We will notify registered venue owners of material changes by email. Continued use of CafeOS after notification constitutes acceptance of the updated policy.
10. Contact
- For privacy-related enquiries, contact us at privacy@operate.cafe. For general support, use contact@operate.cafe.