1. Who we are
Nom404 is a software-as-a-service ordering and POS platform operated by Caraig Software Development Services (DTI registered, reference DAPZ931819024479), with registered address at Axis Residences, Pioneer St., Brgy Barangka Ilaya, Mandaluyong City, 1550, Philippines ("Nom404", "we", "us"). We are the personal information controller responsible for the personal data described in this Policy.
This Policy explains what we collect, why, who we share it with, how long we keep it, and your rights under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173, "DPA") and its implementing rules and regulations.
2. Scope
This Policy covers personal data we process across the entire Nom404 platform:
- The customer-facing web app at nom404.com and mobile app for end customers
- The business dashboard at business.nom404.com used by paying business owners and managers
- The staff app used by kitchen and front-of-house employees of participating businesses
- The admin portal used internally by Nom404 personnel for platform operations and support
- Backend services (Cloud Functions, databases, file storage) supporting the above
3. Data subjects we collect from
We collect personal data from four categories of users, each with a different scope:
- Business owners — the legal owner or signatory of a subscribing business. Includes contact information, billing identity, subscription history.
- Staff users — employees or contractors granted access by a business owner. Includes work email, role, work-shift activity.
- Customer users — end customers with a registered Nom404 account. Includes email, name, optional phone, order history, dietary preferences, favorites, loyalty points.
- Guest users — end customers ordering without an account. Identified by a randomly generated device ID; no name, email, or phone collected unless voluntarily provided at checkout for order updates.
4. Personal data we collect
What we collect varies by data subject category. The full inventory:
- Identity: full name, business name, display name
- Contact: email address, mobile number (where required for SMS/push notifications or billing receipts)
- Authentication: hashed password (we never store plain-text passwords), Google or Apple sign-in tokens, Firebase Authentication IDs
- Business information (Business owners): trading name, business address, contact number, tax registration details where required for invoicing
- Subscription billing (Business owners): subscription tier, billing date, payment method type and last four digits of card (HitPay tokenizes the full card number; we never see or store it — HitPay retains the token to enable recurring auto-charges), invoice history
- Order data (Customers and Guests): items ordered, business visited, order total, payment method declared, order status, allergens declared
- Allergen and dietary preferences (Customers): voluntarily provided to surface to staff during food preparation
- Reviews and ratings (Customers): textual review and star rating attributed to the user
- Photos and uploads: payment proof screenshots, business logo, menu photos, profile photos (where uploaded)
- Device and technical data: device identifier (random UUID for Guests), Firebase Cloud Messaging push token, app version, operating system version, IP address (transient — used for rate-limiting and abuse detection, not stored long-term)
- Usage telemetry: page views, feature usage, session duration, in aggregate or pseudonymized form for product analytics
- Crash and error reports: stack traces, device model, OS version, app version (no personally identifying content)
- Camera permission: requested only for QR code scanning. We do not capture, store, or transmit images from the camera; only the decoded QR string is read.
- Location: only requested when you opt in to location-based business discovery; never collected silently.
5. Why we process your data (lawful basis)
Under the DPA, every processing activity must rest on a lawful basis. Ours:
- Performance of contract — to provide the Service you signed up for, including processing orders, billing subscriptions, sending order updates, and providing customer support
- Consent — for optional features like push notifications, location-based discovery, marketing emails, or sharing dietary preferences. You can withdraw consent at any time.
- Legitimate interests — for fraud detection, abuse prevention, security, basic product analytics, and operating the platform. These interests are balanced against your privacy rights.
- Legal obligation — to comply with tax, accounting, regulatory, or law enforcement requirements (e.g. BIR receipt retention, lawful court orders)
6. How we use your data
- Operate the platform: process orders, route them to kitchens, update statuses, manage menus, run point-of-sale workflows
- Bill subscriptions: charge business accounts via our payment processor, generate and email invoices
- Communicate: send transactional notifications (order updates, invoice receipts, security alerts), and only with your consent send product or marketing emails
- Improve the Service: diagnose bugs, measure feature usage in aggregate, prioritize roadmap
- Protect users: detect fraud, abuse, and unauthorized access; enforce our Terms of Service
- Comply with law: respond to lawful requests, retain records required by tax and consumer protection laws
7. Third-party processors and recipients
We share personal data with the following processors who act on our instructions and are bound by data protection terms. Each is itself responsible for safeguarding the data we share with them:
- HitPay Payment Solutions Pte Ltd (Singapore) — payment processor for subscription billing. Receives business owner contact info, subscription details, and tokenized card data. Privacy policy: https://www.hitpayapp.com/privacy
- Google LLC / Firebase (United States) — authentication, real-time database (Firestore), file storage, Cloud Functions, push notifications (FCM), analytics. Receives all platform data necessary for the Service to operate. Privacy policy: https://firebase.google.com/support/privacy
- Resend Inc. (United States, with Tokyo region for our domain) — transactional email delivery (invoice emails, order updates, security notifications). Receives recipient email and message content. Privacy policy: https://resend.com/legal/privacy-policy
- Vercel Inc. (United States) — hosts our web applications. Receives request metadata, IP addresses, and any data submitted through web forms. Privacy policy: https://vercel.com/legal/privacy-policy
- Cloudflare Inc. (United States, with global edge presence) — DNS, CDN, and security in front of our web apps. Receives request metadata and IP addresses. Privacy policy: https://www.cloudflare.com/privacypolicy/
- Apple Inc. and Google LLC (app stores) — distribute our mobile apps. Receive standard app store install and crash data per their respective policies.
- Sentry (Functional Software Inc., United States) — crash reporting and error tracking. Receives stack traces and device metadata; configured to scrub personally identifying content where possible.
- Participating Businesses — when you place an order, the business you ordered from receives the order details, declared allergens, payment proof (if uploaded), and any voluntary contact info you provided for the order. The business processes this data as a separate controller for their fulfillment, customer service, and tax compliance.
- Government and law enforcement — only when compelled by lawful order or in response to a credible threat to life or safety.
8. International data transfers
Several of our processors store data outside the Philippines (primarily the United States, with Singapore for HitPay and Tokyo for our Resend domain region). When we transfer your data internationally, we rely on the standard contractual terms offered by each processor and their compliance with international privacy frameworks. Where you have rights as a Philippine data subject, you may exercise them with us regardless of where the data is physically stored.
9. Data retention
We keep personal data only as long as necessary for the purpose collected, or as required by law. Specifics:
- Account data — kept while the account is active. On account deletion, we remove or anonymize within 30 days unless retention is required by law (e.g. tax records).
- Subscription billing records and invoices — retained for 10 years from issue, per BIR record-keeping requirements
- Order data — retained for 12 months for order history, dispute resolution, and analytics; aggregated thereafter
- Payment proof images — retained for 90 days, then automatically deleted
- Crash reports and telemetry — retained for 90 days
- Marketing consent records — retained for the duration of consent plus 2 years for audit purposes
- Backups — periodic encrypted backups may retain data for up to 30 days after primary deletion
10. Your rights as a data subject
Under the DPA, you have the following rights regarding your personal data. To exercise any of these, contact our Data Protection Officer at legal@nom404.com. We respond within 30 days.
- Right to be informed — about how your personal data is processed (this Policy)
- Right to access — request a copy of personal data we hold about you
- Right to object — to processing based on legitimate interests, including direct marketing
- Right to erasure or blocking — request deletion or suspension of processing where the data is incomplete, outdated, false, unlawfully obtained, or no longer needed
- Right to rectification — correct inaccurate personal data
- Right to data portability — receive your data in a structured, commonly used, machine-readable format
- Right to file a complaint with the National Privacy Commission (NPC) — if you believe your rights have been violated. NPC contact: complaints@privacy.gov.ph or https://privacy.gov.ph
- Right to damages — claim compensation through the courts for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data
10a. Marketing communications and consent
Marketing email and marketing SMS are treated as separate channels. Opting in to one does NOT cover the other. We will only send you marketing communications on a channel after you have explicitly ticked the relevant opt-in box (default: unchecked). Each marketing email contains a one-click unsubscribe link; each marketing SMS supports replying STOP to unsubscribe. When you unsubscribe, we add your address or number to a suppression list and will not contact you on that channel again unless you opt in again.
- Capture points for email marketing consent: customer checkout (web), business owner registration (web), and the newsletter signup form on nom404.com. The customer mobile app may add an in-app re-permission prompt in a future release.
- What we record at consent time: the normalized email address, a timestamp, the source (which form), an identifier and cryptographic hash of the consent text shown to you, and your IP address and User-Agent (where available). This audit trail is retained per the retention schedule in section 9.
- Where the data flows: opted-in addresses are synced into a single platform marketing audience held by our email service provider (Resend Inc.). Suppression events (unsubscribes, spam complaints, hard bounces) sync back into our database and remove you from future broadcasts across all of our marketing programs.
- Account deletion: when you delete your account, we mark your email address as suppressed and remove it from the marketing audience as part of the deletion routine.
11. Cookies and similar technologies
Our web apps use a small number of cookies and browser storage mechanisms:
- Essential cookies — required for authentication, session management, and CSRF protection. Cannot be disabled without breaking the Service.
- Local storage and IndexedDB — used by Firebase Authentication to persist your sign-in across visits, and by the customer app to cache menu data offline
- Functional cookies — remember your preferences (e.g. dark mode, selected branch when viewing a multi-branch business)
- We do not use third-party advertising cookies or cross-site tracking pixels.
12. Security
We apply organizational and technical safeguards proportionate to the sensitivity of the data:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest in Firebase and Google Cloud Storage is encrypted using AES-256
- Passwords are never stored in plain text; we rely on Firebase Authentication's industry-standard hashing
- Card numbers are never seen or stored by us; HitPay tokenizes them at the point of capture
- Access to production systems is restricted, logged, and reviewed
- We perform security reviews on changes that affect authentication, payment, or personal data handling
13. Data breach notification
If we become aware of a personal data breach that is likely to cause serious harm to affected data subjects, we will notify the National Privacy Commission within 72 hours of discovery as required by the DPA, and notify affected data subjects without undue delay through email or in-app notice.
14. Children's privacy
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we learn we have collected such data without verifiable parental consent, we will delete it promptly. Parents who believe their child has used the Service may contact legal@nom404.com.
15. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. Material changes (e.g. new categories of personal data, new processors, changed retention periods) will be communicated at least 30 days in advance via email or in-app notice. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Nom Business iOS companion app
This section summarizes data practices specific to the Nom Business iOS companion app (App Store ID `com.nom404.businessApp`), used by restaurant and café owners to view live orders, browse their own menu, and toggle item availability on the go. It is supplementary to the platform-wide policy above — when there is any overlap, this section governs the iOS companion specifically.
- Eligibility — the app authenticates against existing Nom404 business owner accounts only. We do not create new consumer accounts through the iOS app.
- Sign-in methods — email/password, Sign in with Apple, and Google Sign-in. All three resolve to the same Firebase Authentication identity.
- Data collected (linked to your identity): email address, display name, Firebase Auth user ID, FCM device push token, and operational entries (menu availability changes; expense entries via Nom Admin).
- Data collected (not linked to identity): crash reports and performance metrics via Firebase, used to keep the app stable.
- What we do NOT collect from this app: location, camera, photos, microphone, contacts, health, financial data, browsing history, or the IDFA. We do not track you across other apps or websites.
- Push notifications — requested at first sign-in for new-order alerts. You can disable them in iOS Settings → Notifications → Nom Business at any time without losing app functionality.
- Account deletion — Settings → Account → Delete Account. Deletion transfers ownership of any business you solely own to an active co-owner if one exists, otherwise soft-deletes the business with a 90-day grace period (BIR-required transaction history is retained 7 years per Section 235).
- In-app legal — the app bundles full Terms of Service and Privacy Policy as native pages so they're readable offline and verifiable by App Store reviewers without a network round-trip.
17. Contact us
Data Protection Officer
Lex Caraig
legal@nom404.com
General inquiries
support@nom404.com
Mailing address
Caraig Software Development Services
Axis Residences, Pioneer St., Brgy Barangka Ilaya
Mandaluyong City, 1550, Philippines
If you are not satisfied with our response, you may file a complaint with the National Privacy Commission at complaints@privacy.gov.ph or via https://privacy.gov.ph.