PRIVACY POLICY

Last updated: 8 March 2026

1. INTRODUCTION

Kryetor Pty Ltd (ABN pending) ("Kryetor", "we", "us", "our") is committed to protecting the privacy of personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").

This Privacy Policy explains how we collect, use, disclose, and store personal information through the Kryetor platform ("Platform"). By using the Platform, you consent to the practices described in this policy.

2. INFORMATION WE COLLECT

Restaurant Partners

Account details: name, email address, password (hashed)
Business details: restaurant name, ABN, phone number, suburb, cuisine type
Branding assets: logo, primary colour, URL slug
Subscription plan and billing information
Stripe Connect account ID and onboarding status

Customers

Order details: name, email, phone number
Delivery address: street address, suburb, postcode
Order contents: items ordered, quantities, prices
Payment information: processed by Stripe (we do not store card numbers)
Delivery distance (calculated for fee determination)

Automatically Collected

Device and browser information
IP address and approximate location
Pages visited and interactions with the Platform
Cookies and similar tracking technologies

3. HOW WE USE YOUR INFORMATION

We use personal information to:

Provide and operate the Platform, including order processing and delivery dispatch.
Create and manage Restaurant Partner accounts.
Process payments via Stripe Connect and calculate per-order fees.
Dispatch delivery drivers via DoorDash Drive and Uber Direct APIs.
Send order confirmation and tracking notifications to Customers via email.
Send operational communications to Restaurant Partners (order alerts, account updates).
Calculate and display business analytics (revenue, savings, order statistics) on the dashboard.
Comply with legal obligations, including Australian tax record-keeping requirements.
Improve and develop the Platform.

4. THIRD-PARTY SERVICES

We share personal information with the following third-party service providers, each of which has their own privacy policy:

Supabase (Database & Authentication)

Restaurant Partner account data, menu data, and order records are stored in Supabase (hosted on AWS in the Sydney region). Authentication credentials are managed by Supabase Auth.

Stripe (Payment Processing)

Customer payment details are processed directly by Stripe. We receive only a payment confirmation and transaction ID. Restaurant Partners connect their bank accounts via Stripe Connect. See Stripe's Privacy Policy.

DoorDash Drive & Uber Direct (Delivery Dispatch)

To dispatch delivery drivers, we share the Customer's delivery address, name, and phone number, as well as the restaurant pickup address, with DoorDash or Uber. This is necessary to fulfil the delivery.

Resend (Email Notifications)

We use Resend to send transactional emails (order confirmations, tracking links). Customer and Restaurant Partner email addresses are shared with Resend for this purpose.

5. DATA STORAGE & SECURITY

Personal information is stored in Supabase PostgreSQL databases with Row Level Security (RLS) policies ensuring that Restaurant Partners can only access their own data. All data is encrypted in transit (TLS) and at rest.

We implement reasonable security measures including:

Row Level Security (RLS) database policies
Hashed and salted passwords (via Supabase Auth)
HTTPS encryption for all data in transit
Stripe PCI-DSS compliance for payment data
Environment variable protection for API keys and secrets

While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure.

6. DATA RETENTION

Order data: Retained for a minimum of 5 years to comply with Australian tax record-keeping requirements (Taxation Administration Act 1953).
Account data: Retained for the duration of the Restaurant Partner's subscription and for 2 years after termination.
Customer data: Retained as part of order records. Customers may request deletion of non-essential data by contacting us.

7. OVERSEAS DISCLOSURE

Some of our third-party service providers may store or process data outside Australia (e.g. Stripe operates globally, Supabase infrastructure uses AWS). Where data is transferred overseas, we take reasonable steps to ensure the recipient handles it in accordance with the APPs.

8. YOUR RIGHTS

Under the Australian Privacy Act, you have the right to:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or out-of-date information.
Complaint: Lodge a complaint if you believe your privacy has been breached.

Restaurant Partners can access and update their information directly through the Platform dashboard. Customers may contact us to exercise their rights.

If you are unsatisfied with our response to a privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. COOKIES

The Platform uses cookies for:

Authentication: Session cookies to keep Restaurant Partners logged in (managed by Supabase Auth).
Functionality: Remembering preferences and cart contents.

We do not currently use third-party advertising or analytics cookies. If this changes, we will update this policy and provide appropriate notice.

10. CHILDREN'S PRIVACY

The Platform is not directed at children under 18. We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will take steps to delete it.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated via email to Restaurant Partners and posted on the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. CONTACT US

For privacy-related enquiries or to exercise your rights, contact us at:

Kryetor Pty Ltd
Privacy Officer
Email: privacy@kryetor.com
Website: kryetor.com