Privacy Policy
Last updated: 20 March 2026
1. Who We Are
Bunchi ("we", "us", "our") operates the Bunchi OS platform, a restaurant and hospitality management service. We are the data controller for information collected through our Service.
Contact: hello@bunchi.app
2. What Data We Collect
Account Information
- Name, email address, phone number
- Business name, address, and logo
- Staff member details (name, role, contact)
Operational Data
- Menu items, prices, categories, and recipes
- Orders, transactions, and payment records
- Customer records (names, contact details, order history, loyalty data)
- Reservations and catering event details
- Inventory levels and supplier information
Technical Data
- IP address, browser type, device information
- Usage patterns and feature interactions
- Error logs and performance data
3. How We Use Your Data
- To provide the Service — processing orders, managing menus, handling payments, running your restaurant operations.
- To process payments — securely via Stripe. We never store your full card details.
- To communicate with you — service updates, billing notifications, support responses.
- To improve the Service — analysing usage patterns to make the platform better.
- To send notifications — order updates, reservation confirmations, and loyalty communications to your customers on your behalf.
4. Legal Basis for Processing
We process your data under the following legal bases (UK GDPR):
- Contract — processing necessary to provide the Service you subscribed to.
- Legitimate interest — improving the Service, preventing fraud, ensuring security.
- Consent — where you opt in to marketing communications.
- Legal obligation — where we are required to retain data (e.g. financial records).
5. Third-Party Services
We share data with the following third parties, only as necessary to provide the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Transaction amounts, payment method tokens |
| Supabase | Database hosting | All operational data (encrypted at rest) |
| Vercel | Application hosting | Request logs, IP addresses |
| Resend | Email delivery | Email addresses, message content |
| Twilio | SMS and WhatsApp messaging | Phone numbers, message content |
| PostHog | Product analytics | Anonymised usage events |
We do not sell your data to any third party. We do not use your data for advertising.
6. Data Retention
- Account data — retained while your account is active and for 30 days after deletion.
- Transaction records — retained for 7 years as required by UK financial regulations (HMRC).
- Technical logs — retained for up to 90 days.
- Backups — retained for up to 30 days after data deletion.
7. Your Rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data (subject to legal retention requirements).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, email us at hello@bunchi.app. We will respond within 30 days.
8. Data Security
We take the security of your data seriously:
- All data is encrypted in transit (TLS/HTTPS) and at rest.
- Database access is restricted and monitored.
- Passwords are hashed using bcrypt — we cannot see your password.
- Payment processing is handled by Stripe (PCI DSS Level 1 certified).
- Access to production systems is restricted to authorised personnel.
9. Cookies
We use the following cookies:
- Essential cookies — session management, authentication. Required for the Service to function.
- Analytics cookies — PostHog for understanding how the Service is used. These are anonymised.
We do not use advertising or tracking cookies. You can disable non-essential cookies in your browser settings.
10. International Transfers
Your data is primarily stored in the EU (AWS eu-west-1 via Supabase). Some third-party processors may process data in the US under appropriate safeguards (Standard Contractual Clauses or UK adequacy decisions).
11. Children
The Service is not intended for individuals under 18. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately.
12. Your Customers' Data
When you use the Service to manage your restaurant customers' data (names, phone numbers, order history, loyalty points), you are the data controller for that data. We act as a data processor on your behalf.
You are responsible for ensuring you have the appropriate legal basis to collect and process your customers' data. We process it only as instructed by you through your use of the Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The date at the top of this page indicates when the policy was last updated.
14. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk
15. Contact
For any questions about this Privacy Policy or your data, contact us at: hello@bunchi.app