Privacy Policy

How wdpw handles your data.

Last updated: May 9, 2026

wdpw (“we”, “us”, “the platform”) provides restaurant operations software to restaurant operators (“tenants”) and their staff (“users”). This Privacy Policy explains what personal data the platform processes, how we store it, who we share it with, and the rights data subjects have over their information.

1. Who is the data controller

For the data restaurant operators enter about their own customers, the operator is the data controller and wdpw is the data processor. For account-level data (tenant owner identity, billing contact), wdpw is the data controller.

2. Data we process

2.1 Account & staff data

  • Email address (used to sign in and to contact you about the account)
  • Name (displayed in the operator UI and on receipts where relevant)
  • Bcrypt-hashed passwords (we never store plaintext)
  • Role assignments (cashier, waiter, manager, etc.)
  • PIN codes for clock-in (bcrypt-hashed)
  • Coarse location, only when a branch geofence is configured by the operator — used solely to verify that a staff clock-in happened at the correct branch. The app requests this through Apple’s standard location permission prompt; you can decline and clock-in still works (just without geofence verification).

2.2 Customer (CRM) data entered by operators

  • Customer name and phone number (required to identify a guest)
  • Optional customer email
  • Order history, loyalty points, loyalty tier
  • User Content — free-text fields including order notes, reservation notes, and operator notes added to a customer profile
  • Reservation date, time, party size

2.3 Operational data

  • Orders, line items, payments (amounts, methods, status)
  • Inventory levels, suppliers, purchase orders
  • Shift timesheets, time-off requests
  • Audit log entries (who did what, when)
  • Customer Identifiers used internally to scope operator data: accountId (the tenant), branchId (the location), and the user’s own userId. These identifiers stay inside the wdpw platform and are never shared with advertising networks or tracking services.

2.4 Diagnostic data (not linked to user identity)

  • Crash reports and stack traces sent to Sentry when the app encounters an unhandled error
  • Performance traces sampled at 10% (request timings) sent to Sentry to help us spot regressions
  • Anonymous interaction breadcrumbs (clicks, navigation transitions) included in crash reports for context

Authentication tokens are scrubbed from diagnostic data before transmission. We never log plaintext passwords, payment card numbers, or government identification numbers. Diagnostic data is collected for app stability and is not linked to advertising identifiers.

3. Where data is stored

  • Application database: PostgreSQL hosted on Neon (AWS region: us-east-1).
  • Backend service: Render web service (region: Frankfurt, EU). Receives requests, processes them, and stores data in the database.
  • Frontend bundle: Cloudflare Pages CDN (global). Serves the static JavaScript application.
  • Media uploads: stored on the same infrastructure or on Cloudflare R2 for product/brand images.
  • Diagnostic data: Sentry (region: Germany). Retained for 30 days then deleted.

4. Third parties we share data with

We do not sell personal data. We share specific data with operational service providers:

  • Sentry — receives crash reports and anonymous performance traces for incident response.
  • Paymob — processes card payments. Only the order amount, currency, and customer reference are passed; full card numbers are handled directly between Paymob and the customer’s browser and never touch our servers.
  • Egyptian Tax Authority (ETA) — for restaurants subject to Egyptian e-receipt requirements, receipt data is submitted as required by law.
  • Aggregator partners (Talabat, Uber Eats, Deliveroo, etc.) — when tenants enable an aggregator integration, order data flows between the platform and that aggregator under the aggregator’s own terms.

5. Data retention

  • Active operational data: retained for the duration of the tenant account.
  • Audit log entries: retained for 90 days, then automatically deleted by a scheduled cleanup job.
  • Sentry diagnostic data: retained for 30 days per Sentry’s default retention.
  • Cancelled-tenant data: retained for 180 days after cancellation (to allow re-activation), then permanently deleted unless legal hold applies.
  • Tax-related receipts: retained per local regulation (e.g. 5 years for ETA submissions in Egypt).

6. Your rights

Where applicable law (including the EU General Data Protection Regulation, Egypt’s Personal Data Protection Law, and similar regulations) grants you rights over your personal data, you may:

  • Request a copy of the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Object to specific processing activities
  • Withdraw consent where processing is based on consent

For staff users: contact your tenant administrator first — they control your access. For tenant owners or end customers: contact us at [email protected]. We aim to respond within 30 days.

7. Security

  • All traffic is TLS-encrypted (HTTPS).
  • Passwords are bcrypt-hashed with cost factor 12.
  • Authentication uses short-lived JWT access tokens with refresh-token rotation.
  • Sensitive credentials (Paymob keys, ETA secrets) are encrypted at rest using AES-256-GCM.
  • Tenant data is isolated by accountId on every database query.
  • Real-time socket connections require JWT authentication and tenant scope checks.

8. Tracking and advertising

wdpw does not use Apple’s Identifier for Advertisers (IDFA), Android’s Advertising ID, or any cross-app/cross-site tracking SDK. We do not present an App Tracking Transparency (ATT) prompt because the app does not engage in any activity Apple defines as tracking.

  • No advertising networks are integrated.
  • No data we collect is linked with data from other companies’ apps, websites, or offline properties for the purposes of advertising or measurement.
  • No data we collect is shared with a data broker.
  • Operator and customer identifiers (accountId, branchId, userId) are used only inside the wdpw platform to scope multi-tenant data, never as cross-app identifiers.

On the App Store privacy questionnaire, our answer to “Used for Tracking?” is No for every data type we collect.

9. Children

wdpw is a business application for restaurant operators. We do not knowingly collect personal data from anyone under 16 years old. If you believe a child has submitted data, contact us and we will remove it.

10. Changes to this policy

We may update this Privacy Policy as the platform evolves or as regulations change. Material changes will be communicated to tenant administrators by email at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

Questions, requests, or complaints can be sent to [email protected]. If you are an EU/UK data subject and remain unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
