Privacy Policy

Last updated: 25 May 2026

Who this policy is for

This policy explains what data TableOS (operated by Kriyava AI) collects from restaurant owners and staff who sign up for the service, and from diners who scan a QR code at a TableOS restaurant.

Restaurant accounts — what we collect

  • Your name, email, phone number, restaurant name and address.
  • Hashed password (bcrypt; we never see the plaintext).
  • Menu details, table layout, theme color, logo.
  • Your Razorpay / UPI payment credentials, used only to route customer payments to your account.
  • Order history, payment status, revenue analytics.
  • Browser and IP information when you use the dashboard (for security forensics).

Diners — what we collect

  • The items you add to a cart and orders you place — linked to a table number, not to you personally.
  • If you opt in by entering an email, we use it once to send your order confirmation and payment receipt.
  • Your interactions with the AI waiter are sent to Google Gemini for processing and not stored long-term unless required for debugging.
  • We do not collect your name, phone, or precise location.

How we use data

We use the data above to:

  • operate the menu, ordering and payment flow you signed up for;
  • send transactional emails (welcome, order confirmation, password reset, payment receipt) via Resend;
  • send anonymous error reports to Sentry so we can fix bugs;
  • compute aggregate analytics for your dashboard (revenue, peak hours, top items);
  • improve the shared dish image library — names of common dishes (not your menu, not your customers) help us cache AI-generated images across the platform.

Third-party processors

We use these services to deliver TableOS. Each has its own privacy policy:

  • Supabase (database + storage) — hosted in Singapore.
  • Vercel (web hosting + CDN).
  • Google Gemini (menu OCR + AI waiter + image generation).
  • Razorpay (payment processing — you control your own keys).
  • Resend (transactional email from hello@kriyava.com / orders@kriyava.com).
  • Sentry (error tracking and performance monitoring).

Security

We protect data with:

  • HTTPS everywhere; HSTS on production domains.
  • bcrypt password hashing.
  • Signed JWT session cookies (httpOnly, secure, sameSite=lax).
  • Per-restaurant ownership checks on every API endpoint to prevent cross-tenant access.
  • Rate limiting on authentication endpoints to slow brute-force attempts.
  • Daily automated database backups via Supabase.

Data retention

We retain restaurant account data for as long as you have an active TableOS account, plus 30 days after termination. Diner order data is retained for up to 3 years for tax and reconciliation purposes, then deleted or anonymised.

Your rights

You have the right to:

  • access and download your data;
  • correct inaccuracies;
  • delete your account (email us at hello@kriyava.com — we delete within 30 days);
  • opt out of non-essential emails.

Children

TableOS is not directed at children under 18. If you believe a minor has given us data, please write to us and we will delete it.

Changes

We'll post any changes to this page and email restaurant accounts at least 14 days before a material change takes effect.

Contact

Privacy concerns? Reach our data team at hello@kriyava.com.