CliqMenu Legal
Privacy Policy
What personal information we collect, why, how long we keep it, who we share it with, and your rights (AU / NZ / IN).
In short
We collect the minimum needed to run ordering, store it in Australia (Sydney), never sell it, and never store card numbers.
This summary is for convenience only — the full document below is what applies.
On this page
What changed4 versions
This Privacy Policy explains how CliqMenu collects, uses, discloses, and protects personal information when you use the CliqMenu platform — the marketing website, the BMS, the OMS, and the FOS ordering app (the "Platform"). CliqMenu is a product and venture of INTHUB Solutions Pty Ltd (ABN 93 603 890 893), which owns the Platform; in this policy, "CliqMenu", "we", "us" and "our" mean INTHUB Solutions Pty Ltd and any related, affiliated, or successor entity that operates the CliqMenu platform.
It applies to three groups: business owners and their staff ("Merchants"), customers who place orders, and visitors to our website. It should be read with our Terms of Service.
Plain-language summary. We collect the minimum we need to run ordering: a Customer's call-name, and — only when needed — a phone number or email for order updates and receipts; and a Merchant's business and contact details. We store everything in Australia (Sydney). We don't sell your data. We don't store card numbers. None of what we collect is "sensitive information" (no health, biometric, or similar special-category data).
1. Who is responsible for your data
CliqMenu operates a marketplace model:
- For a Customer's order data, the Merchant the Customer orders from is generally the controller (it receives the order to fulfil it), and CliqMenu processes that data to run the Platform. CliqMenu also uses certain Customer data for its own purposes — sending receipts, fraud prevention, push notifications, and support — and is a controller for those purposes.
- For a Merchant's own account data (business profile, staff, billing), CliqMenu is the controller.
Where required, we make a Data Processing Addendum available to Merchants.
2. What we collect, why, and how long we keep it
| Information | From whom | When / required | Why | Retention |
|---|---|---|---|---|
| Name (call-name) | Customer | Always, to order | Identify and call out the order | With the order (5 years) |
| Mobile number | Customer | Optional; required for pre-orders | Pickup contact / status updates | With the order (5 years) |
| Customer | Optional; required for pre-orders and for online payment & receipts | Receipt / tax invoice / status | With the order (5 years) | |
| Google sign-in identity (name, email) | Customer | Optional (if you sign in) | Identify you and show your order history | Held by our sign-in provider until removed; name/email also saved with your orders |
| Device identifier | Customer | Automatic | Order ownership and fraud prevention | With the order (5 years) |
| Push-notification subscription (browser push token) | Customer | Optional — if you turn on order notifications | Send order-status notifications to your device | Until you unsubscribe or the subscription expires |
| Contact & access-request details (name, email, business name, message) | Website visitor / prospective Merchant | When you submit the contact form | Answer your question, or review your request for platform access | Until actioned, then a reasonable administration period |
| Owner name | Merchant | Required | Account identity | Life of account + retention |
| Login email | Merchant | Required | Login and notices | Life of account |
| Business & contact phone / email / address | Merchant | Required | Listing, contact, tax | Life of account |
| Business registration number (ABN / NZBN / CIN) | Merchant | Required | Tax and compliance | Life of account |
| Food licence number and document | Merchant | Optional | Compliance | Life of account |
| Staff name / email / phone | Merchant | Required (name/email) | Staff access to the OMS | Life of account |
| Payment account identifiers | Merchant | On payment setup | Routing payouts | Life of account |
| Card / bank numbers | — | — | — | Not stored by CliqMenu |
We collect this information directly from you, from your use of the Platform, and (for sign-in) from Google. We do not collect special-category / sensitive information.
When you sign in with Google, we receive your name and email address (and a profile-photo URL) into our sign-in provider (Amazon Cognito) as your sign-in identity. We use your name and email to identify you and link your order history, and we save them with the orders you place. We do not store your Google profile photo in our systems — it is only shown in the app while you are signed in — and Google does not give us your phone number. Our use of information received from Google sign-in complies with the Google API Services User Data Policy, including its Limited Use requirements.
3. How we use your information
- To operate ordering: publish menus, take and route orders, and process payments through the Merchant's provider.
- To communicate: order status, receipts and tax invoices, one-time login passcodes, and service notices.
- To keep the Platform safe: authentication, fraud prevention, and abuse detection.
- To support you: responding to help requests, and (with consent) accessing a Merchant account to assist.
- To improve and run the business: reporting and analytics on aggregated or Merchant-scoped data, and to meet our legal and tax obligations.
We do not sell your personal information, and we do not use it for cross-context behavioural advertising.
Marketing communications. The messages we send — order status, receipts and tax invoices, login passcodes, and service notices — are transactional and necessary to provide the service. We do not send marketing or promotional messages without your consent, and where we are permitted to send them you can opt out at any time using the unsubscribe option or by contacting us. Opting out does not stop transactional messages about your account or orders. (Australia: Spam Act 2003; New Zealand: Unsolicited Electronic Messages Act 2007.)
Automated decisions. We do not use automated decision-making or profiling to make decisions that produce legal or similarly significant effects about you. The only automated processing we apply is for security and fraud prevention (for example, rate-limiting and basic order-fraud checks).
4. When we share information
- With the Merchant you order from — the details needed to prepare and hand over your order.
- With service providers (sub-processors) who help us run the Platform, listed in section 5.
- For legal reasons — to comply with the law, a lawful request, or to protect rights, safety, and the integrity of the Platform. Where we are legally required to disclose a Merchant's data (for example, to a regulator or law enforcement), we notify the Merchant unless legally prohibited from doing so.
5. Sub-processors
We use the following providers to deliver the Platform. Each handles personal information only as needed to provide its service.
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, file storage, email (SES), authentication (Cognito) | Sydney (ap-southeast-2) |
| Stripe | Online payments (Australia / New Zealand) | Per Stripe |
| Cashfree | Online payments (India) | Per Cashfree |
| Sign-in (OAuth) and web push notifications (FCM) | Per Google | |
| Cloudflare | Bot protection (Turnstile) on forms | Per Cloudflare |
6. Where we store your data
All Platform data is stored in AWS's Sydney region (ap-southeast-2), Australia. Some payment, sign-in, bot-protection, and push-notification processing occurs with the providers above, which may process data outside Australia — principally in the United States (Stripe, Google, Cloudflare) and India (Cashfree) — under their own safeguards. We do not currently operate infrastructure in India; see the India section below regarding data-localisation under the DPDP Act.
7. Security
We protect your data with encryption in transit (TLS, plus an application-layer encryption envelope between our apps and our servers) and encryption at rest (AES-256). Access is controlled and authenticated. Administrative "support access" (staff acting within a Merchant account, sometimes called impersonation or "Login As") is consent-gated — the Merchant grants time-boxed access (currently 1, 5, 15, or 30 days) through an in-app control and can revoke it at any time, with limited access during onboarding or while an account is not yet active. Such sessions are audited, and Customer name, email, and phone are masked from staff during them. More detail is in our Security Policy.
8. Retention and deletion
- Order records are retained for 5 years by default to meet tax and record-keeping obligations.
- When a Merchant closes its account, deletion is staged: a roughly 30-day undo window in which the account can be restored, followed by a tax-retention window for order records (Australia 5 years / New Zealand 7 years / India 8 years), after which records are purged. A legal hold pauses purging where required.
Requesting deletion. You can ask us to delete your personal information, and we honour deletion requests except where we must keep certain records by law (for example, tax records), in which case we restrict and minimise what is retained. On a verified request we delete or anonymise your personal data within 90 days, subject to the tax-retention windows above.
- Business owners (account holders). Email privacy@cliqmenu.com to request deletion of your business account and its associated data.
- Staff (Order Managers and Kitchen Staff). Your login for the staff ordering app (OMS) is created and managed by the business owner who added you. To have your email address and staff profile removed, ask that owner to remove you from their team in the business dashboard (BMS) — removal takes effect immediately. If more than one business has added you, ask each of those owners separately, because each business independently controls its own staff list. You can also email privacy@cliqmenu.com and we will action or help coordinate your request.
9. Your rights
Depending on where you are, you may have rights to access, correct, delete, or restrict the use of your personal information, to object to certain processing, and to complain to a regulator. To exercise a right, contact privacy@cliqmenu.com. We may need to verify your identity. We respond within the timeframes required by applicable law.
The mechanisms that support these rights already exist on the Platform — Merchants can export their business and transaction data from BMS Reports, and we operate a data-export and staged-deletion process for legal and compliance requests.
10. Cookies and tracking
We use a small number of strictly-necessary cookies and similar technologies, and the Cloudflare Turnstile bot-check on forms. We do not load third-party analytics or advertising trackers. See the Cookie & Tracking Notice.
11. Children
The Platform is not directed at children. We do not knowingly collect personal information from children under the age set by local law. If you believe a child has provided personal information, contact us and we will delete it.
12. Changes to this policy
We may update this policy. Each version carries a version identifier and effective date. For material changes affecting Merchant acceptance, we ask Merchants to re-acknowledge the updated policy in the BMS.
Country-specific information
The sections below supplement the policy above for each country we operate in. Where a country-specific rule conflicts with the general policy, the country-specific rule applies for residents of that country.
Australia
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You may complain to us at privacy@cliqmenu.com; if unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC). We will notify you and the OAIC of eligible data breaches as required by the Notifiable Data Breaches scheme.
New Zealand
We handle personal information in accordance with the Privacy Act 2020 and the Information Privacy Principles (IPPs). You may complain to us or to the Office of the Privacy Commissioner. We will notify affected individuals and the Commissioner of notifiable privacy breaches as required.
India
For individuals in India we handle personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) once in force, including notice and consent requirements and your rights as a Data Principal. You may contact our grievance channel at privacy@cliqmenu.com.
Data localisation (under review). Platform data currently resides in Australia. If the DPDP Act or its rules require India-resident storage or impose cross-border-transfer conditions, we will adjust our infrastructure accordingly.
13. Contact
Privacy questions, requests, or complaints: privacy@cliqmenu.com. Entity: INTHUB Solutions Pty Ltd (ABN 93 603 890 893), which owns and operates the CliqMenu platform.