Privacy Policy

1. Who we are

Foodix is a digital QR-menu, ordering, payments, reviews, reservations and loyalty platform for restaurants, cafés and hotels. Foodix.io is a product of Webcandy FZ, a company registered in the United Arab Emirates ("Webcandy FZ", "Foodix", "we", "us", "our"). This Privacy Policy explains how we collect, use, share and protect personal data, and the choices you have.

2. Who this policy applies to

For data that Diners provide while using a Venue's menu, the Venue is the controller and Foodix acts as a processor on the Venue's behalf. Foodix is the controller for its own business users, website visitors, and for service-operation and security analytics.

3. Information we collect

Information you provide

Information we collect automatically

Device and usage data: IP address, browser/device type, pages and menus viewed, QR scans, timestamps, approximate location and similar analytics; cookies and similar technologies (see Section 12).

Information from third parties

The Payment Processor confirms transaction status and risk signals (we do not receive or store full card numbers); POS/PMS and connected social accounts (see Section 4).

4. Connected social accounts (Instagram / Meta)

A Venue may choose to connect its own Instagram professional account to Foodix from the dashboard. Connecting is optional and is initiated and authorised by the Venue through Instagram's official login. When connected, we access — strictly to provide the features the Venue enables — data made available by Meta's Instagram API (profile and username, follower/media counts, media and their metrics/insights, and, where enabled, comments and direct messages). We store access tokens encrypted and use them only for the connected Venue; we do not sell this data or use it for unrelated advertising; the Venue can disconnect at any time, which revokes our access and deletes the stored Instagram-derived data (see Data Deletion); and we handle this data in accordance with the Meta Platform Terms and Developer Policies.

5. Payments

Diner payments and Venue payouts are processed by regulated third-party Payment Processors (e.g. Stripe and its affiliates), and may use wallets such as Apple Pay and Google Pay. Card and banking details are collected and processed directly by the Payment Processor under the PCI-DSS and card-network rules; Foodix does not store full card numbers. The Payment Processor acts as an independent controller of the payment data it processes; see its own privacy policy. We receive limited transaction metadata (amount, status, last four digits, risk outcome) to operate the Service.

6. How we use information

To provide, operate, secure and improve the Foodix platform; to display menus, take orders and payments, manage reservations and run loyalty; to power connected-account features (Section 4); to provide support and communicate with you; to personalise and measure the Service; to prevent fraud; and to comply with legal obligations.

7. Legal bases (where GDPR / UK GDPR applies)

Performance of a contract; your consent (which you may withdraw); our legitimate interests in operating, improving and securing the Service; and compliance with legal obligations.

8. How we share information

We do not sell personal data. A current list of our sub-processors is available on our Sub-processors page, and Venues may ask to be notified of changes.

9. Aggregated & de-identified data

We may create and use aggregated and de-identified data that does not identify any individual to analyse, secure and improve the Service and develop new features. This data is not personal data.

10. International transfers

We operate globally and may transfer and process data in countries other than your own, including the UAE and the EU. Where required, we use appropriate safeguards (such as the EU Standard Contractual Clauses and the UK Addendum) for such transfers.

11. Data retention

We keep personal data for as long as needed to provide the Service and for legitimate business or legal purposes (such as tax and accounting records). When no longer required, we delete or irreversibly anonymise it. Instagram-derived data is deleted on disconnection or request.

12. Cookies & tracking

We use cookies and similar technologies to operate the site, remember preferences and measure performance. You can control cookies through your browser settings; some features may not function without them.

13. Security

We maintain administrative, technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls and least-privilege, network protections, logging and monitoring, and regular review. No system is perfectly secure, but we work to protect personal data and we require our sub-processors to do the same.

14. Data-breach notification

If we become aware of a personal-data breach affecting your data, we will notify the affected Venue/user and, where required, the relevant supervisory authority without undue delay, and provide information to help you meet your own obligations.

15. Your rights

Subject to applicable law (UAE PDPL — Federal Decree-Law No. 45 of 2021, EU/UK GDPR, KSA PDPL where relevant, and CCPA/CPRA), you may have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights, contact letstalk@foodix.io; to delete your data, see our Data Deletion Instructions. Diners should usually contact the relevant Venue (the controller of their data); we will assist Venues in responding. You may also lodge a complaint with your local supervisory authority. We do not use solely automated decision-making that produces legal or similarly significant effects without a lawful basis.

16. Data Processing Addendum (for Venues)

Where Foodix processes Diner personal data on a Venue's behalf, our Data Processing Addendum (DPA) governs that processing, including our role as processor, sub-processor terms, security measures, breach notification, assistance with data-subject requests, and deletion/return on termination.

17. Children

Foodix is not directed to children and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

18. Changes to this policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, where appropriate, provide additional notice.

19. Contact us

Webcandy FZ (operating Foodix) — ONE JLT, Office 124, Jumeirah Lake Towers, Dubai, United Arab Emirates · Privacy & data requests: letstalk@foodix.io