1. Introduction
Dream Beyond ("Company", "we", "us", or "our") operates the Restro Catering platform
(the "Service"), a business management solution for catering and food-service operations.
This Privacy Policy explains what information we collect, how we use it, and the choices
you have in relation to that information.
By using Restro Catering you agree to the collection and use of information in accordance
with this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
Account & Business Information
- Name, email address, phone number, and job title of users you invite to the platform.
- Business name, address, and operating locations you register under your tenant.
- Billing and payment details processed securely through our payment provider.
Operational Data You Enter
- Customer profiles, contact information, and order histories.
- Catering event details: dates, venues, guest counts, menus, and delivery instructions.
- Invoices, credits, and financial records associated with your business operations.
- Staff assignments, prep lists, and internal notes.
Google Account Data (OAuth)
- When you connect a Google account for Gmail invoice sending or Google Calendar integration, we request only the specific permissions required: gmail.send and/or calendar access.
- We store an encrypted OAuth refresh token to maintain the connection on your behalf. We do not access your inbox, read your emails, or access any data beyond the explicit scopes you authorize.
Usage & Technical Data
- Log data including IP addresses, browser type, pages visited, and timestamps.
- Device information and identifiers used to maintain your session.
- Performance and error telemetry used to improve reliability.
3. How We Use Your Information
- Provide the Service — process orders, generate invoices, manage events, and enable all platform features.
- Email delivery — send invoices, order confirmations, and operational notifications to your customers on your behalf via your connected Gmail account or our platform mailer.
- Calendar integration — create and sync catering events to your connected Google Calendar.
- Account management — authenticate users, manage roles and permissions, and enforce tenant-level access controls.
- Support — diagnose issues, respond to support requests, and audit activity logs you authorize us to review.
- Security & compliance — detect fraud, prevent unauthorized access, and meet legal obligations.
- Product improvement — analyse aggregated, anonymised usage patterns to improve features and performance.
4. Legal Basis for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract — processing necessary to deliver the Service you subscribed to.
- Legitimate interests — security monitoring, fraud prevention, and service improvement.
- Legal obligation — compliance with applicable laws and regulations.
- Consent — for Google OAuth integrations, which you can revoke at any time.
5. How We Share Your Information
We do not sell your personal data. We share information only as described below:
- Infrastructure providers — Microsoft Azure hosts the platform and stores data in data centres within your selected region.
- Google APIs — when you connect a Google account, relevant data is exchanged with Google's APIs under Google's own Privacy Policy.
- Payment processors — billing data is handled by our PCI-compliant payment partner; we do not store raw card numbers.
- Legal requirements — we may disclose information if required by law, court order, or to protect the rights and safety of users or the public.
- Business transfers — in the event of a merger, acquisition, or asset sale, data may be transferred with advance notice to affected users.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the
Service. Operational records (orders, invoices, events) are retained for a minimum of
seven (7) years to satisfy standard accounting and legal requirements, unless a longer
period is mandated by applicable law.
Upon account termination you may request deletion of personal data that is not subject
to legal retention obligations. Google OAuth tokens are revoked and deleted immediately
upon disconnecting an integration.
7. Data Security
We implement industry-standard security measures including TLS encryption in transit,
AES-256 encryption at rest for sensitive credentials (such as OAuth refresh tokens),
role-based access controls, and regular security assessments. No system is completely
secure; we encourage you to use strong passwords and report any suspected breach
immediately.
8. Your Rights
Depending on your jurisdiction you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your personal data (subject to legal retention requirements).
- Restrict or object to certain processing activities.
- Receive your data in a portable, machine-readable format.
- Withdraw consent (e.g., disconnect a Google integration) at any time without affecting the lawfulness of prior processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at the address in Section 11.
9. Cookies & Local Storage
Restro Catering uses browser local storage and session cookies strictly for
authentication (JWT tokens) and user preferences. We do not use advertising
cookies or third-party tracking pixels. You may clear local storage via your
browser settings, which will log you out of the platform.
10. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Google).
We are not responsible for the privacy practices of those third parties. We encourage
you to review their privacy policies before providing personal information.
11. Children's Privacy
Restro Catering is a business platform not directed at individuals under the age of 16.
We do not knowingly collect personal data from children. If you believe a child has
provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes
we will update the "Last updated" date at the top of this page and, where appropriate,
notify account administrators by email. Continued use of the Service after changes
become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us: