GUSTOSFERA

RESTAURANT PRIVACY POLICY

Version: 1.0.0

1. Introduction and Legal Scope

1.1.This Privacy Policy ('Policy') is an addendum to and forms an integral part of the Terms of Service between Gustosfera ('Company,' 'we,' 'us,' 'our') and the Merchant ('Merchant,' 'you,' 'your'). It governs the collection, processing, use, storage, and disclosure of data in relation to your use of Gustosfera's platform, services, applications, and related technologies ('Services') worldwide, in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (EU), the California Consumer Privacy Act (CCPA) (USA), and other relevant regulations.

1.2.In the event of any inconsistency or conflict between this Policy and the Terms of Service, the provisions of this Privacy Policy shall take precedence and be binding with respect to all matters related to data privacy, security, and confidentiality. By using the Services, the Merchant acknowledges and agrees to this Policy in its entirety, regardless of their jurisdiction. If the Merchant does not agree, they must immediately cease use of the Services.

2. Collection and Processing of Data

2.1.Gustosfera collects, stores, and processes the necessary information to facilitate and enhance the Merchant's use of the Services. The data collected falls into two primary categories:

2.1.1.Merchant Data

2.1.1.1.Merchant Data includes, but is not limited to:

2.1.1.1.1.Business and Identifying Information: Merchant name, registered business details, tax identification numbers, government-issued business licenses, and other regulatory compliance data.

2.1.1.1.2.Operational and Financial Data: Payment information, invoices, transaction details, and records of service usage.

2.1.1.1.3.Technical and Usage Data: System logs, API access records, analytics generated through platform interactions, IP addresses, device identifiers, and cookies or similar tracking technologies.

2.1.1.1.4.Communication Data: Customer support inquiries, service-related messages, and feedback submitted through the platform.

2.1.2.Customer Data

2.1.2.1.Customer Data is any information collected by the Merchant from its customers through the use of the Services. This may include but is not limited to:

2.1.2.1.1.Personally Identifiable Information (PII): Customer names, contact details, delivery addresses, communication history, and, where applicable, biometric or sensitive personal data.

2.1.2.1.2.Transaction Records: Order details, payment history, refunds, and customer complaints related to Merchant services.

2.1.2.1.3. The Merchant acknowledges that it is the sole data controller of Customer Data under applicable data protection laws (e.g., GDPR, CCPA) and is fully responsible for compliance, including obtaining necessary consents, securing data, and handling customer requests. Gustosfera acts strictly as a data processor for Customer Data, processing it only as necessary to provide the Services and in accordance with the Merchant's instructions, unless required otherwise by law.

3. Purpose of Data Processing

3.1.Gustosfera processes Merchant and Customer Data strictly for the following purposes:

3.1.1.Facilitating Business Operations: Verifying Merchant credentials, processing payments, managing service access, and enabling the core functionalities of the platform.

3.1.2.Regulatory Compliance: Complying with tax laws, government regulations, anti-fraud measures, and other legal obligations.

3.1.3.Service Improvement & Security: Diagnosing technical issues, enhancing platform security, monitoring performance, and conducting analytics to improve the user experience.

3.1.4.Enforcement of Terms: Investigating violations of the Terms of Service, preventing unauthorized access, and mitigating risks related to fraudulent activity.

3.2.Gustosfera shall not sell (i.e., exchange for monetary consideration per CCPA), rent, lease, disclose, or otherwise share Merchant Data or Customer Data with third parties except: (a) as required by law; (b) as necessary to provide the Services; (c) as expressly authorized by the Merchant; (d) to pursue legitimate interests (e.g., fraud prevention, service improvement) where permitted by law; or (e) for marketing purposes, provided the Merchant has opted in via the platform settings.

4. Responsibilities of the Merchant Regarding Customer Data

4.1.The Merchant shall ensure that:

4.1.1.All data collection and processing activities comply with applicable privacy and data protection laws in the Merchant's jurisdiction and any jurisdiction where their customers reside, including but not limited to GDPR, CCPA, and LGPD.

4.1.2.Customers are informed about data collection practices and provided with appropriate privacy notices, including details on cross-border data transfers where legally required.

4.1.3.Adequate security measures are in place to protect Customer Data from unauthorized access, loss, alteration, or disclosure, consistent with international standards.

4.1.4.Customer Data is not exploited, transferred, or sold for purposes beyond fulfilling transactions, customer support, and regulatory compliance, unless explicit customer consent is obtained.

4.2.Gustosfera shall bear no liability for the Merchant's misuse, mismanagement, or failure to properly secure Customer Data, including violations of international data protection laws. The Merchant agrees to indemnify and hold harmless Gustosfera from any claims, damages, regulatory penalties, or legal costs arising from the Merchant's handling of Customer Data or failure to comply with applicable laws.

5. Data Retention and Security Measures

5.1.Merchant Data shall be retained only for the duration necessary to provide the Services or as required by applicable tax, regulatory, or legal obligations.

5.2.Customer Data shall be retained solely for transactional purposes and subject to the Merchant's retention policies, except where legal requirements dictate otherwise.

5.3.Gustosfera shall implement appropriate technical and organizational measures to protect Merchant and Customer Data, including encryption (e.g., AES-256), access controls, secure data transmission protocols (e.g., TLS), and regular security audits, consistent with industry standards and applicable laws.

5.4.In the event of a data breach affecting Merchant or Customer Data, Gustosfera shall notify the Merchant within 72 hours of becoming aware, where feasible, unless the breach is unlikely to result in a risk to individuals' rights (per GDPR). The Merchant is responsible for notifying affected customers and regulators as required by law.

5.5.The Merchant acknowledges that no system is entirely immune to security breaches and agrees to take reasonable precautions, including securing login credentials and maintaining internal data security policies. Gustosfera shall not be liable for breaches resulting from the Merchant's negligence, mismanagement, or failure to implement adequate security measures.

5.6.Gustosfera may anonymize Merchant and Customer Data, ensuring it cannot be linked to individuals, for analytics, service improvement, or marketing purposes without further notice or consent, in compliance with applicable laws.

6. Disclosure of Data

6.1.Gustosfera shall not disclose Merchant Data or Customer Data except under the following circumstances:

6.1.1.Legal Compliance: When required by court orders, law enforcement authorities, regulatory agencies, or other legal obligations in any jurisdiction.

6.1.2.Service Provision: When necessary to facilitate transactions, process payments, or integrate third-party service providers essential to platform operations, including sub-processors located outside India, subject to appropriate safeguards (e.g., Standard Contractual Clauses under GDPR, encryption, pseudonymization).

6.1.3.Fraud Prevention & Security: When required to investigate fraud, security threats, unauthorized access, or violations of the Terms of Service.

6.1.4.Corporate Transactions: In the event of a merger, acquisition, sale of assets, or corporate restructuring, provided that confidentiality safeguards are maintained.

6.2.In all such cases, Gustosfera shall take reasonable steps to ensure that any third-party recipient, including international sub-processors, adheres to equivalent privacy and security standards, such as through contractual agreements or certifications.

7. Merchant and Customer Rights

7.1.The Merchant shall have the right to:

7.1.1.Access, review, and update their own data via the platform dashboard;

7.1.2.Request deletion of Merchant Data, subject to regulatory retention requirements, by contacting support@gustosfera.com;

7.1.3.Request data portability in a structured, machine-readable format where required by law (e.g., GDPR Article 20); and

7.1.4.Be notified of any material changes to this Privacy Policy via email or platform notifications.

7.2.Customers seeking to exercise their privacy rights (e.g., access, correction, deletion, portability, or opt-out of data sale under GDPR, CCPA, or other laws) must direct such requests to the Merchant, as the data controller. Gustosfera shall assist the Merchant in fulfilling these requests only as required by law or under a Data Processing Agreement (DPA), available upon request at support@gustosfera.com.

7.3.Gustosfera does not sell Customer Data under CCPA definitions but shall support Merchants in responding to opt-out requests if applicable.

7.4.If customers contact Gustosfera directly with privacy complaints or rights requests, Gustosfera shall redirect them to the Merchant within seven (7) business days, unless legally obligated to respond directly. The Merchant remains responsible for addressing such complaints.

8. Amendments to this Privacy Policy

8.1.Gustosfera reserves the right to modify this Privacy Policy at its sole discretion. Any material changes shall be communicated to the Merchant with at least thirty (30) days' notice via platform notifications or email, unless immediate changes are required by law. Continued use of the Services after the effective date of such modifications shall constitute acceptance of the revised Policy. If the Merchant does not agree with the updated terms, they must immediately cease using the Services.

9. Contact Information

9.1.For any inquiries regarding this Privacy Policy, Merchants may contact Gustosfera at Email: support@gustosfera.com

10. Cross-Border Data Transfers

10.1.Merchant and Customer Data may be processed or stored in India or other countries where Gustosfera or its sub-processors maintain facilities.

10.2.Gustosfera shall ensure such transfers comply with applicable laws, using safeguards like Standard Contractual Clauses (SCCs), binding corporate rules, or adequacy decisions where required (e.g., GDPR Chapter V).

10.3.The Merchant consents to these transfers as necessary for Service provision and shall inform customers accordingly in their privacy notices.

11. Data Protection Officer

11.1.Where required by law (e.g., GDPR Article 37), Gustosfera shall appoint a Data Protection Officer (DPO) to oversee compliance. Merchants may contact the DPO at dpo@gustosfera.com for privacy-related inquiries beyond standard support.

12. Cookies and Tracking Technologies

12.1.Gustosfera uses cookies, web beacons, and similar technologies to enhance functionality, monitor usage, and improve Services. Essential cookies are required for operation; non-essential cookies (e.g., analytics) require Merchant consent via platform settings.

12.2.The Merchant shall inform customers of any tracking technologies used in their storefront and obtain consent where required by law (e.g., GDPR, e-Privacy Directive).

13. Children's Data Policy

13.1.The Merchant shall not collect, process, or store personal data from children under 13 (or the applicable age per local law, e.g., 16 under GDPR Article 8) without obtaining verifiable parental consent as required by law (e.g., COPPA, GDPR).

13.2.Gustosfera shall not be liable for any violations of children's data protection laws by the Merchant, and the Merchant shall indemnify Gustosfera against related claims or penalties.