Privacy Policy
Last updated: 18 June 2026
1. Who we are
Foodix is a digital QR-menu, ordering, payments, reviews, reservations and loyalty platform for restaurants, cafés and hotels. Foodix.io is a product of Webcandy FZ, a company registered in the United Arab Emirates ("Webcandy FZ", "Foodix", "we", "us", "our"). This Privacy Policy explains how we collect, use, share and protect personal data, and the choices you have.
2. Who this policy applies to
- Business users — Venues and their staff who use the Foodix dashboard.
- Diners / end customers — people who view a Venue's menu, order, pay, book a table, or join a loyalty programme through Foodix.
- Website visitors — people who visit foodix.io.
For data that Diners provide while using a Venue's menu, the Venue is the controller and Foodix acts as a processor on the Venue's behalf. Foodix is the controller for its own business users, website visitors, and for service-operation and security analytics.
3. Information we collect
Information you provide
- Account & Venue data: name, business name, email, phone, address, login credentials, branch details, menu content, images, opening hours, tax/currency settings, payout/bank details.
- Diner data: where a Diner signs in, orders, pays or joins loyalty (e.g. Saha Pass): name, email or phone, allergy/dietary preferences, order and reservation details, loyalty activity, and messages.
- Support & communications: messages you send us.
Information we collect automatically
Device and usage data: IP address, browser/device type, pages and menus viewed, QR scans, timestamps, approximate location and similar analytics; cookies and similar technologies (see Section 12).
Information from third parties
The Payment Processor confirms transaction status and risk signals (we do not receive or store full card numbers); POS/PMS and connected social accounts (see Section 4).
4. Connected social accounts (Instagram / Meta)
A Venue may choose to connect its own Instagram professional account to Foodix from the dashboard. Connecting is optional and is initiated and authorised by the Venue through Instagram's official login. When connected, we access — strictly to provide the features the Venue enables — data made available by Meta's Instagram API (profile and username, follower/media counts, media and their metrics/insights, and, where enabled, comments and direct messages). We store access tokens encrypted and use them only for the connected Venue; we do not sell this data or use it for unrelated advertising; the Venue can disconnect at any time, which revokes our access and deletes the stored Instagram-derived data (see Data Deletion); and we handle this data in accordance with the Meta Platform Terms and Developer Policies.
5. Payments
Diner payments and Venue payouts are processed by regulated third-party Payment Processors (e.g. Stripe and its affiliates), and may use wallets such as Apple Pay and Google Pay. Card and banking details are collected and processed directly by the Payment Processor under the PCI-DSS and card-network rules; Foodix does not store full card numbers. The Payment Processor acts as an independent controller of the payment data it processes; see its own privacy policy. We receive limited transaction metadata (amount, status, last four digits, risk outcome) to operate the Service.
6. How we use information
To provide, operate, secure and improve the Foodix platform; to display menus, take orders and payments, manage reservations and run loyalty; to power connected-account features (Section 4); to provide support and communicate with you; to personalise and measure the Service; to prevent fraud; and to comply with legal obligations.
7. Legal bases (where GDPR / UK GDPR applies)
Performance of a contract; your consent (which you may withdraw); our legitimate interests in operating, improving and securing the Service; and compliance with legal obligations.
8. How we share information
- Service providers / sub-processors who process data on our behalf (cloud/hosting, payment processing, communications/SMS/email/WhatsApp, analytics, customer support, and Meta/Instagram for connected features), under contractual confidentiality and security obligations.
- Venues receive the Diner data generated through their own menus, orders, bookings and loyalty.
- Payment Processors as needed to complete and settle transactions.
- Legal & safety where required by law or to protect rights and safety.
- Business transfers in connection with a merger, acquisition or sale of assets.
We do not sell personal data. A current list of our sub-processors is available on our Sub-processors page, and Venues may ask to be notified of changes.
9. Aggregated & de-identified data
We may create and use aggregated and de-identified data that does not identify any individual to analyse, secure and improve the Service and develop new features. This data is not personal data.
10. International transfers
We operate globally and may transfer and process data in countries other than your own, including the UAE and the EU. Where required, we use appropriate safeguards (such as the EU Standard Contractual Clauses and the UK Addendum) for such transfers.
11. Data retention
We keep personal data for as long as needed to provide the Service and for legitimate business or legal purposes (such as tax and accounting records). When no longer required, we delete or irreversibly anonymise it. Instagram-derived data is deleted on disconnection or request.
12. Cookies & tracking
We use cookies and similar technologies to operate the site, remember preferences and measure performance. You can control cookies through your browser settings; some features may not function without them.
13. Security
We maintain administrative, technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls and least-privilege, network protections, logging and monitoring, and regular review. No system is perfectly secure, but we work to protect personal data and we require our sub-processors to do the same.
14. Data-breach notification
If we become aware of a personal-data breach affecting your data, we will notify the affected Venue/user and, where required, the relevant supervisory authority without undue delay, and provide information to help you meet your own obligations.
15. Your rights
Subject to applicable law (UAE PDPL — Federal Decree-Law No. 45 of 2021, EU/UK GDPR, KSA PDPL where relevant, and CCPA/CPRA), you may have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights, contact letstalk@foodix.io; to delete your data, see our Data Deletion Instructions. Diners should usually contact the relevant Venue (the controller of their data); we will assist Venues in responding. You may also lodge a complaint with your local supervisory authority. We do not use solely automated decision-making that produces legal or similarly significant effects without a lawful basis.
16. Data Processing Addendum (for Venues)
Where Foodix processes Diner personal data on a Venue's behalf, our Data Processing Addendum (DPA) governs that processing, including our role as processor, sub-processor terms, security measures, breach notification, assistance with data-subject requests, and deletion/return on termination.
17. Children
Foodix is not directed to children and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
18. Changes to this policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, where appropriate, provide additional notice.
19. Contact us
Webcandy FZ (operating Foodix) — ONE JLT, Office 124, Jumeirah Lake Towers, Dubai, United Arab Emirates · Privacy & data requests: letstalk@foodix.io