OctoFood Privacy Policy

1. Introduction

OctoFood Inc. ("OctoFood", "we", "us", or "our") is committed to protecting the privacy and personal information of our users. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the OctoFood mobile application, website, and related services (collectively, the "Platform").

This Privacy Policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA).

By using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

2. Definitions

"Personal Information" means information about an identifiable individual, as defined under PIPEDA, but does not include business contact information used for business purposes or aggregated/anonymized data that cannot be used to identify an individual.
"Merchant" means a restaurant or food service partner operating on the Platform.
"Customer" or "User" means an individual who uses the Platform to browse menus or place orders.

3. Information We Collect

3.1 Information You Provide Directly

| Category | Examples |

|---|---|

| Account Information | Name, email address, phone number, password (hashed) |

| Profile Information | Display name, profile photo (optional), dietary preferences |

| Order Information | Items ordered, order history, special instructions, selected Merchant |

| Payment Information | Payment method details (processed and stored by Stripe; OctoFood does not store full credit card numbers) |

| Communications | Messages sent through in-app support, feedback, reviews, and ratings |

| Merchant Onboarding (Merchants only) | Business name, business license, food safety certifications, tax registration numbers, bank account details (for payouts via Stripe) |

3.2 Information Collected Automatically

| Category | Examples |

|---|---|

| Device Information | Device type, operating system, unique device identifiers, app version |

| Usage Data | Pages and features accessed, time spent on the Platform, interactions with content, search queries |

| Location Data | Approximate location based on IP address; precise location only if you grant permission (used to show nearby restaurants) |

| Log Data | IP address, browser type, access times, referring URLs, error logs |

3.3 Information from Third Parties

| Source | Information |

|---|---|

| Stripe (Payment Processor) | Transaction status, payment confirmation, refund status |

| Analytics Providers | Aggregated usage patterns and performance metrics |

| Push Notification Services | Device tokens for delivering notifications |

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Providing and Operating the Platform

Creating and managing your account
Processing and fulfilling your orders
Facilitating communication between you and Merchants
Processing payments and refunds via Stripe
Sending order confirmations, status updates, and receipts

4.2 Improving the Platform

Analyzing usage patterns to improve features and user experience
Conducting internal research and analytics
Troubleshooting technical issues and bugs
Developing new features and services

4.3 Communications

Sending service-related notifications (order updates, account alerts)
Responding to your inquiries and support requests
Sending promotional communications (only with your express consent, in compliance with CASL)

4.4 Safety and Security

Detecting and preventing fraud, abuse, and unauthorized access
Enforcing our Terms of Service and other policies
Verifying Merchant identity and compliance during onboarding

4.5 Legal Compliance

Complying with applicable laws, regulations, and legal processes
Responding to lawful requests from government authorities
Establishing, exercising, or defending legal claims

5. Consent

5.1 Express Consent

We obtain your express consent before:

Collecting sensitive personal information
Sending commercial electronic messages (in compliance with CASL)
Using your precise location data
Sharing your personal information with third parties for purposes not described in this Privacy Policy

5.2 Implied Consent

Your consent may be implied when:

You voluntarily provide personal information for an obvious purpose (e.g., providing your name and email to create an account)
You place an order, which requires sharing order details with the applicable Merchant

5.3 Withdrawing Consent

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, contact us at [privacy email]. Please note that withdrawing consent may limit your ability to use certain features of the Platform.

6. Third-Party Sharing and Disclosure

We do not sell your personal information. We may share your personal information with the following categories of third parties:

6.1 Merchants

When you place an order, we share the information necessary for the Merchant to fulfill your order, including your name, order details, and special instructions. Merchants are contractually required to use this information only for order fulfillment purposes.

6.2 Payment Processor (Stripe)

We use Stripe to process payments. When you make a payment, your payment information is transmitted directly to Stripe. Stripe's collection and use of your information is governed by Stripe's privacy policy. OctoFood does not store full credit card numbers on our servers.

6.3 Analytics and Performance

We may use third-party analytics services to help us understand how the Platform is used. These services collect information sent by your device, including usage data and device information. Analytics data is aggregated and does not personally identify you.

6.4 Push Notification Services

We use push notification services (e.g., Apple Push Notification Service, Firebase Cloud Messaging) to send you order updates and other notifications. Device tokens are shared with these services solely for the purpose of delivering notifications.

6.5 Service Providers

We may share personal information with trusted service providers who assist us in operating the Platform, including hosting providers, customer support tools, and email service providers. These providers are contractually bound to use your information only as directed by us and in accordance with this Privacy Policy.

6.6 Legal and Safety Disclosures

We may disclose your personal information if required to do so by law or if we believe in good faith that such disclosure is necessary to:

Comply with a legal obligation, court order, or legal process
Protect the rights, property, or safety of OctoFood, our users, or the public
Detect, prevent, or address fraud, security, or technical issues

6.7 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal information may be transferred to the successor entity. We will notify you of any such change in ownership or control of your personal information.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. For detailed retention periods by data category, please refer to our Data Retention Policy.

General retention guidelines:

| Data Category | Retention Period |

|---|---|

| Account Information | Duration of account + 2 years after deletion |

| Order History | 7 years (tax and financial record-keeping) |

| Payment Transaction Records | 7 years (financial compliance) |

| Support Communications | 3 years after resolution |

| Analytics Data (aggregated) | Indefinite (non-identifiable) |

| Location Data (precise) | 90 days (then aggregated) |

| Device Tokens | Until consent is withdrawn or account is deleted |

8. Your Rights Under PIPEDA

Under PIPEDA and applicable provincial privacy legislation, you have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request access to the personal information we hold about you. We will respond to your access request within 30 days, as required by PIPEDA.

8.2 Right of Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update most account information directly through the Platform.

8.3 Right to Withdraw Consent

You have the right to withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions.

8.4 Right to Deletion

You may request deletion of your personal information. We will delete or anonymize your information within a reasonable timeframe, subject to legal retention obligations (e.g., financial records required for tax purposes).

8.5 Right to Complain

If you are not satisfied with our handling of your personal information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada

30 Victoria Street

Gatineau, Quebec K1A 1H3

Toll-free: 1-800-282-1376

Website: www.priv.gc.ca

9. Cookies and Tracking Technologies

9.1 What We Use

We may use the following tracking technologies:

| Technology | Purpose |

|---|---|

| Session Cookies | Maintaining your login session and preferences |

| Analytics Cookies | Understanding how the Platform is used (aggregated) |

| Device Identifiers | Delivering push notifications and preventing fraud |

9.2 Mobile App

Our mobile application may use device identifiers, analytics SDKs, and crash reporting tools to improve performance and user experience.

9.3 Your Choices

You can manage cookie preferences through your browser or device settings. Disabling certain cookies or identifiers may affect the functionality of the Platform.

9.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no industry-wide standard for this technology.

10. Data Security

10.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit (TLS/SSL) and at rest
Secure authentication and access controls
Regular security assessments and monitoring
Employee access limited to those with a legitimate business need

10.2 Payment Security

Payment information is processed by Stripe, which is PCI-DSS Level 1 certified. OctoFood does not store, process, or transmit full credit card numbers on our servers.

10.3 No Guarantee

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10.4 Breach Notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA's breach notification provisions.

11. International Data Transfers

Your personal information may be processed and stored in Canada and, in some cases, in the United States (e.g., through Stripe's infrastructure or cloud hosting providers). Where your information is transferred outside of Canada, we ensure that appropriate safeguards are in place, including contractual protections that require the recipient to protect your information to a standard comparable to that required under Canadian law.

12. Children's Privacy

12.1 Age Restrictions

The Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [privacy email], and we will take steps to delete such information.

12.2 Minors

Users between the ages of 13 and 18 (or the age of majority in their province or territory) must have parental or guardian consent to use the Platform.

13. Commercial Electronic Messages (CASL Compliance)

13.1 Consent

In compliance with Canada's Anti-Spam Legislation (CASL), we will only send you commercial electronic messages (CEMs) with your express consent. Transactional and service-related messages (e.g., order confirmations, account alerts) are not considered CEMs and may be sent without express consent.

13.2 Unsubscribe

Every commercial electronic message we send will include a clear and simple unsubscribe mechanism. You can opt out of marketing communications at any time. We will process your unsubscribe request within 10 business days, as required by CASL.

13.3 Identification

All commercial electronic messages will clearly identify OctoFood as the sender and include our contact information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and, where practicable, by sending you a notification. We encourage you to review this Privacy Policy periodically.

15. Privacy Officer

OctoFood has designated a Privacy Officer responsible for overseeing compliance with this Privacy Policy and applicable privacy laws. You may contact our Privacy Officer with any questions, concerns, or requests related to your personal information:

Privacy Officer

OctoFood Inc.

[Address]

🇨🇦 Canada

Email: [privacy email]

Phone: [phone number]

We will acknowledge receipt of your inquiry and respond within 30 days.

16. Contact Us

For general inquiries about this Privacy Policy, please contact us at:

OctoFood Inc.

Email: [privacy email]

Address: [Address], 🇨🇦 Canada

Phone: [phone number]

*Last updated: 2026-02-18*