Back to Home

Privacy Policy

How Servly collects, uses, stores, and protects your personal data in accordance with Indian law.

Version 1.0 · Effective April 30, 2026 · DPDP Act 2023 Compliant

1. Who We Are

Servly Pvt Ltd ("Servly", "we", "us", or "our") operates the Servly restaurant ordering platform, including the customer mobile application (Hermes), the restaurant staff dashboard (Apollo), and the super admin console (Olympus).

This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Servly is a Data Fiduciary under the DPDP Act, 2023. We determine the purpose and means of processing your personal data. The restaurants using the Servly platform are joint Data Fiduciaries for data generated within their restaurant operations.

By using Servly, you consent to the practices described in this policy. You may withdraw your consent at any time as described in Section 8 below.

2. Information We Collect

A. Customer Data (Hermes PWA Users)

Data When Collected Why
Phone number When you place your first order (OTP verification) Authentication, account identity, and order communication
Name When you create your account Display on orders and personalisation
Email address (optional) When you add it to your profile Communications and receipts (only if you provide it)
Dietary preferences (optional) When you set up your profile Filter restaurant menus to show relevant items; personalise your experience across Servly-powered restaurants
Allergen information (optional) When you set up your profile Display safety alerts on menu items containing your allergens
Order history Each time you place an order Enable repeat ordering, order tracking, and restaurant analytics
Table/visit data When you scan a QR code Route your order to the correct table and restaurant

B. Restaurant Staff Data (Apollo Dashboard Users)

Data Why
Phone number OTP-based authentication
Name and role Display and access control (e.g., Owner, Manager, Waiter, Chef)
4-digit PIN Quick authentication (stored in hashed form — never in plain text)

C. Automatically Collected Data

Data Why
IP address Platform security, rate limiting, and fraud prevention
Device and browser information Error monitoring and debugging (only with your consent, via Sentry)

What we do NOT collect

  • Your precise GPS location (unless you explicitly share it)
  • Your contacts, photos, or media files
  • Any biometric data (fingerprint, face scan)
  • Credit card, debit card, or bank account details (payments are in cash)
  • Browsing history outside of Servly

3. How We Use Your Information

Purpose Legal Basis (DPDP Act 2023)
Processing and fulfilling your food order Consent — Section 7(a): data voluntarily provided for a specified purpose
Sharing order details with the restaurant Consent — necessary for order fulfilment
Sending OTP codes and order status updates Consent — necessary for service delivery
Cross-restaurant dietary preference personalisation Explicit consent — obtained at profile creation
Platform security and fraud prevention Legitimate use — necessary for safe operation of the service
Error monitoring and debugging (Sentry) Consent — only with your opt-in via cookie preferences
Service improvement through anonymised analytics Anonymised data falls outside the scope of the DPDP Act

What we will NEVER do

  • Sell your personal data to any third party
  • Use your data for behavioural advertising or targeted ads
  • Train artificial intelligence models on your personal data
  • Share your data with data brokers
  • Share your phone number with restaurants for independent marketing
  • Send marketing messages without your explicit, separate consent

4. Cross-Restaurant Customer Profiles

Servly's unique feature is that your dietary preferences and profile travel with you across all Servly-powered restaurants. This means:

  • When you set dietary preferences (e.g., "Jain, No Onion") at Restaurant A, those preferences will automatically apply when you visit Restaurant B (if it also uses Servly).
  • Your order history at each restaurant is visible ONLY to that restaurant. Restaurants cannot see your orders at other restaurants.
  • Your phone number and name are shared with restaurants where you place orders, so they can serve you.

You can control this at any time:

  • Disable cross-restaurant preference sharing in your Profile Settings
  • Delete your profile entirely (see Section 8)

5. Data Sharing and Disclosure

We share your personal data only in the following circumstances:

Recipient Data Shared Purpose
Restaurant where you order Name, phone, dietary preferences, allergens, order details To prepare and serve your food
Oracle Cloud Infrastructure All platform data (stored securely) Backend hosting and database
Cloudflare Page requests, IP address Frontend hosting, CDN, DDoS protection
MSG91 (SMS provider) Phone number To send OTP codes for verification
Sentry (error monitoring) Device info, browser info, IP (anonymised) To fix bugs and improve service (only with your consent)
Law enforcement As legally required In response to valid legal process

Each restaurant using Servly is contractually required to: use your data only for order fulfilment, not share it with third parties, not use your phone number for marketing, and delete your data upon termination of their agreement with Servly.

We do NOT share your data with any other third parties, advertisers, or data brokers.

6. Data Retention

Data Type How Long We Keep It
Account data (name, phone number, email) Until you request deletion
Dietary preferences and allergen information Until you withdraw consent or delete your account
Order history 3 years from the date of each order (required for GST compliance)
Staff data Until removed by restaurant owner or account deletion
Server logs (IP, access logs) 90 days
Sentry error data 30 days
OTP codes Automatically deleted after 10 minutes or successful verification
Consent records 3 years after your last interaction with Servly

When your account is deleted, we will: delete your profile, dietary preferences, and allergen data immediately; anonymise your order history (retain for GST compliance but remove identifying information); and remove your phone number from all active records. Financial records (GST/tax) may be retained for up to 8 years as legally required.

7. Data Security

  • Encryption in transit (HTTPS/TLS) and at rest
  • Authentication tokens stored in HttpOnly cookies (inaccessible to JavaScript)
  • CSRF protection using double-submit cookie pattern
  • Database-level tenant isolation using PostgreSQL Row Level Security (RLS)
  • Staff PINs hashed before storage (never stored in plain text)
  • Rate limiting on all public-facing API endpoints
  • Immutable audit logging for all administrative actions

In the event of a personal data breach, we will notify the Data Protection Board of India and all affected users as required under Section 8(6) of the DPDP Act, 2023.

8. Your Rights Under the DPDP Act 2023

Right to Access
Request a summary of the personal data we hold about you (Section 11)
Right to Correction
Update or correct your personal data at any time through the app or by contacting us (Section 12)
Right to Erasure
Request deletion of your personal data within 30 days, subject to legal retention requirements such as GST records (Section 12)
Right to Withdraw Consent
Withdraw your consent at any time without affecting prior lawful processing (Section 6(4)). Toggle off cross-restaurant sharing in Profile Settings, update cookie preferences via the consent banner, or use "Delete My Account".
Right to Grievance Redressal
File a complaint if you believe your data rights have been violated (Section 13). Contact our Grievance Officer below.
Right to Nominate
Nominate another person to exercise your rights on your behalf in case of death or incapacity (Section 14)

To exercise any of these rights, contact our Grievance Officer or email [email protected]. We will respond within 30 days.

9. Cookies and Similar Technologies

We use cookies and similar browser storage technologies (localStorage, sessionStorage, IndexedDB) to operate the platform.

A. Essential Cookies (no consent required)

These cookies are required for authentication, security, and core functionality. You cannot opt out of these cookies as the platform will not function without them.

Cookie / Storage Purpose Duration
servly_customer_access Secure login token (HttpOnly, inaccessible to JavaScript) 15 minutes (auto-refreshes)
servly_customer_refresh Keeps you logged in between visits (HttpOnly) 30 days
servly_customer_authed Client-side login indicator Session
csrftoken Protects against cross-site request forgery Session
Cart (IndexedDB) Stores your cart items locally on your device Until cleared
Order tracking (localStorage) Remembers your recent order for the "Track Order" feature Until cleared

B. Optional Cookies (consent required)

We will only set these if you give us consent via the cookie banner.

Cookie / Storage Purpose Provider
Sentry session Tracks errors and performance to help us fix bugs Sentry.io
Sentry device ID Helps group related errors Sentry.io

No tracking cookies

  • We do not use advertising cookies or trackers
  • We do not build behavioural profiles for advertising
  • We do not participate in real-time bidding or ad exchanges
  • We do not use cross-site tracking

10. Children's Data

Servly does not knowingly collect personal data from children under 18 years of age. If you are under 18, you must use Servly only with the consent and supervision of a parent or legal guardian.

If we discover that we have collected personal data from a child without verifiable parental consent, we will delete that data promptly, as required under Section 9 of the DPDP Act, 2023.

Restaurant owners using Servly are responsible for ensuring that their use of the platform complies with applicable laws regarding service to minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • We will notify you via in-app notification or SMS for significant changes
  • If changes materially affect how we process your data, we will seek fresh consent where required by law

Continued use of Servly after changes constitutes acceptance of the updated policy.

12. Grievance Officer

As required under Section 8(10) of the Digital Personal Data Protection Act, 2023:

Name
Ankit Kundariya
Designation
Grievance Officer, Servly Pvt Ltd
Email
[email protected]
Response Time
Acknowledgment within 48 hours; resolution within 15 business days

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (once constituted and operational).

13. Governing Law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Indian Contract Act, 1872. Any disputes shall be resolved through arbitration in Ahmedabad, Gujarat, under the Arbitration and Conciliation Act, 1996, and shall be subject to the exclusive jurisdiction of the courts in Ahmedabad, Gujarat.

Last updated: April 30, 2026
By using Servly, you confirm that you have read, understood, and agree to this Privacy Policy (Version 1.0).