Privacy Policy

Effective Date: February 8, 2026
Last Updated: February 8, 2026

Your Privacy Rights

This Privacy Policy is compliant with the Data Protection Act, 2019 of Barbados. We are committed to protecting your personal data and respecting your privacy rights under Barbados law.

1. Introduction

Arrilan Automation and Tech Solutions ("we," "us," or "our") is the data controller responsible for your personal data when you use the Tap & Serve service.

1.1 Who We Are

Data Controller:
Arrilan Automation and Tech Solutions
Serenity, St. James
Barbados
Email:

1.3 Purpose of This Policy

This Privacy Policy explains:

  • What personal data we collect and why
  • How we use, store, and protect your data
  • Your rights regarding your personal data
  • How to contact us about privacy concerns

2. What Personal Data We Collect

2.1 Information You Provide Directly

When you sign up for Tap & Serve, we collect:

Data Category | Examples | Purpose
Business Information | Restaurant name, address, cuisine type | Service provision, billing
Contact Details | Name, email, phone number | Account management, support
Account Credentials | Username, password (encrypted) | Authentication, security
Payment Information | Billing address, payment method | Payment processing
Menu Data | Dishes, prices, descriptions, images | Service functionality

2.2 Customer Order Data

When your customers place orders through Tap & Serve, we process:

  • Customer name and phone number (for order fulfillment)
  • Delivery address (if applicable)
  • Order details (items, quantities, special instructions)
  • Order timestamp and status

Important: You (the restaurant) are responsible for obtaining proper consent from your customers to collect and process their data. We process this data on your behalf as a data processor.

2.3 Technical Data Automatically Collected

When you use our service, we automatically collect:

  • Device Information: IP address, browser type, operating system
  • Usage Data: Pages visited, features used, time spent
  • Log Data: Access times, error logs, system events
  • Cookies: See Section 10 for details

2.4 Data We Do NOT Collect

We do not collect:

  • Payment card numbers (handled by our payment processor)
  • Sensitive personal data (health, race, religion, political views) unless you voluntarily provide it
  • Data from children under 18

3. Legal Basis for Processing

Under the Data Protection Act, 2019, we must have a lawful basis to process your personal data. We rely on:

3.1 Contract Performance

We process your data to provide the Tap & Serve service you've subscribed to. This includes:

  • Creating and managing your account
  • Processing orders through your restaurant
  • Providing customer support
  • Billing and payment processing

3.2 Legitimate Interests

We process certain data based on our legitimate business interests:

  • Improving and optimizing our service
  • Preventing fraud and ensuring security
  • Analyzing usage patterns to enhance features
  • Marketing our services (with opt-out option)

3.3 Legal Obligation

We may process data to comply with legal requirements:

  • Tax and accounting records (7 years retention)
  • Responding to lawful requests from authorities
  • Preventing illegal activities

3.4 Consent

For certain processing activities, we obtain your explicit consent:

  • Marketing emails (you can opt out anytime)
  • Non-essential cookies
  • Sharing data with third parties beyond service provision

4. How We Use Your Personal Data

4.1 Service Provision

  • Create and manage your restaurant account
  • Process orders from your customers
  • Display your menu and business information
  • Send WhatsApp notifications about orders
  • Provide Kitchen Display System functionality
  • Generate reports and analytics for your business

4.2 Communication

  • Send service-related notifications (order confirmations, system updates)
  • Respond to your support requests
  • Send billing invoices and payment reminders
  • Notify you of changes to our Terms or Privacy Policy

4.3 Marketing (with your consent)

  • Send promotional emails about new features
  • Offer special pricing or upgrades
  • Share industry insights and best practices

You can opt out of marketing emails at any time by clicking "unsubscribe" or contacting us.

4.4 Service Improvement

  • Analyze usage patterns to improve features
  • Monitor system performance and uptime
  • Develop new features based on user behavior
  • Conduct user research and surveys

4.5 Security and Fraud Prevention

  • Detect and prevent unauthorized access
  • Monitor for suspicious activity
  • Investigate security incidents
  • Comply with legal obligations

5. Data Sharing and Third Parties

Important Disclosure

We share your data with third-party service providers to deliver our service. All third parties are contractually obligated to protect your data.

5.1 Service Providers

We share data with the following categories of third parties:

Provider Type | Purpose | Data Shared
Cloud Hosting | Store application and database | All account and order data
WhatsApp API | Send order notifications | Customer phone numbers, order details
Payment Processor | Process subscription payments | Billing information
Email Service | Send transactional emails | Email addresses, names
Analytics | Usage analytics (anonymized) | Anonymized usage patterns

5.2 International Data Transfers

International Data Transfer Notice

Some of our service providers are located outside of Barbados, including in the United States and European Union. When we transfer your data internationally, we ensure appropriate safeguards are in place.

We transfer data to the following regions:

  • United States: Protected by Standard Contractual Clauses

Safeguards we use:

  • Binding Corporate Rules where applicable
  • Encryption of data in transit and at rest
  • Regular security audits of data processors

5.3 We Do NOT Sell Your Data

We will never sell, rent, or trade your personal data to third parties for their marketing purposes.

5.4 Legal Disclosures

We may disclose your data if required by law or to:

  • Comply with legal obligations or court orders
  • Respond to lawful requests from government authorities
  • Protect our rights, property, or safety
  • Investigate fraud or security issues

6. Data Security

6.1 Technical Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Role-based access, two-factor authentication for staff
  • Network Security: Firewalls, intrusion detection systems
  • Secure Hosting: Data stored on secure, monitored servers
  • Regular Backups: Daily encrypted backups with secure storage

6.2 Organizational Security

  • Employee training on data protection
  • Confidentiality agreements with all staff
  • Limited access to personal data on a need-to-know basis
  • Regular security audits and penetration testing

6.3 Your Responsibility

You are responsible for:

  • Keeping your password secure and confidential
  • Notifying us immediately of any unauthorized access
  • Logging out after using shared devices
  • Using strong, unique passwords

6.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the Data Protection Commission within 72 hours of discovery
  • We will notify you without undue delay if the breach is high-risk
  • We will provide details of the breach and steps we're taking to address it

7. Data Retention

7.1 How Long We Keep Your Data

Data Type | Retention Period | Reason
Account Information | Duration of account + 30 days | Service provision
Order Data | 2 years after order date | Business records, support
Financial Records | 7 years | Legal/tax obligation
Support Tickets | 3 years | Service improvement
Marketing Consent | Until withdrawn + 30 days | Compliance verification
Usage Analytics | 26 months (anonymized) | Service improvement

7.2 Deletion After Retention Period

After the retention period expires, we will:

  • Permanently delete your personal data
  • Anonymize data used for analytics or research
  • Archive data required for legal compliance in secure offline storage

7.3 Account Closure

When you close your account:

  • You have 30 days to export your data
  • After 30 days, we permanently delete all account data except financial records
  • Financial records are retained for 7 years as required by law

8. Your Privacy Rights

Your Rights Under Barbados Law

The Data Protection Act, 2019 gives you specific rights regarding your personal data. These rights are legally enforceable.

8.1 Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this information:

  • In a commonly used electronic format (PDF or CSV)
  • Free of charge for the first request
  • Within 30 days of your request

How to request: Email with subject "Data Access Request"

8.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can:

  • Update most information directly in your account dashboard
  • Contact us to correct data you cannot edit yourself

We will make corrections within 10 business days.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purpose collected
  • You withdraw consent (where consent was the basis for processing)
  • You object to processing and there are no overriding legitimate grounds
  • The data was processed unlawfully

Exceptions: We may refuse deletion if we need the data for:

  • Compliance with legal obligations (e.g., tax records)
  • Establishment, exercise, or defense of legal claims

8.4 Right to Restriction of Processing

You can request we limit how we process your data when:

  • You contest the accuracy of the data (while we verify)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims

8.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format and transmit it to another service provider. We provide data in:

  • CSV format (for menu and order data)
  • JSON format (for complete data export)

8.6 Right to Object

You have the right to object to processing based on legitimate interests or for marketing purposes. We will stop processing unless we have compelling legitimate grounds.

8.7 Right to Withdraw Consent

Where we process data based on your consent, you can withdraw consent at any time:

  • Marketing emails: Click "unsubscribe" in any email
  • Other consent: Email

Withdrawing consent does not affect the lawfulness of processing before withdrawal.

8.8 How to Exercise Your Rights

To exercise any of these rights:

  1. Email us at:
  2. Include "Privacy Rights Request" in the subject line
  3. Specify which right you wish to exercise
  4. Provide sufficient information to verify your identity

We will respond within 30 days of receiving your request.

8.9 No Fee (Usually)

We do not charge a fee for exercising your rights unless your request is:

  • Manifestly unfounded or excessive
  • Repetitive (e.g., multiple data access requests within a short period)

9. Your Right to Complain

9.1 Contact Us First

If you have concerns about how we handle your data, please contact us first:

Email:
Subject: Privacy Concern

9.2 Data Protection Commission

You have the right to lodge a complaint with the Data Protection Commission of Barbados:

Data Protection Commission
Ministry of Industry, Innovation, Science & Technology
5th Floor, SSA Building
Vaucluse, St. Thomas
Barbados

The Commission investigates complaints about data protection violations and can:

  • Issue enforcement notices
  • Impose fines for non-compliance
  • Order data controllers to cease unlawful processing

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies to:

  • Keep you logged in
  • Remember your preferences
  • Understand how you use our service
  • Improve performance and security

10.2 Types of Cookies We Use

Cookie Type | Purpose | Duration | Consent Required
Essential | Authentication, security | Session | No (necessary for service)
Functional | Preferences, language | 1 year | No (legitimate interest)
Analytics | Usage statistics | 2 years | Yes (consent)
Marketing | Advertising, remarketing | 1 year | Yes (consent)

10.3 Managing Cookies

You can control cookies through:

Note: Disabling essential cookies may prevent you from using certain features of our service.

10.4 Third-Party Cookies

Some cookies are set by third-party services we use:

  • Google Analytics - Usage analytics

11. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

If we become aware that we have collected data from a child without parental consent, we will:

  • Delete the information immediately
  • Notify the Data Protection Commission if required

If you believe we have collected data from a child, contact us immediately at .

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices
  • New legal requirements
  • New features or services
  • Feedback from users or regulators

12.2 Notice of Changes

When we make material changes, we will notify you by:

  • Email to your registered email address
  • Prominent notice in your account dashboard
  • Updating the "Last Updated" date at the top of this policy

12.3 Your Rights

If you do not agree with the updated Privacy Policy, you may:

  • Close your account before the changes take effect
  • Exercise your right to erasure

Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

13.1 Privacy Questions

For any questions about this Privacy Policy or our data practices:

Arrilan Automation and Tech Solutions
Serenity, St. James
Barbados
Email:

13.2 Data Protection Officer

If appointed:
Email:

13.3 Data Protection Commission

To report a data protection violation or lodge a complaint:

Data Protection Commission of Barbados
Website: https://www.gov.bb/General/data-protection-commissioner

Acknowledgment

By using Tap & Serve, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described.