Legal

Privacy Policy

We believe privacy is a right, not a feature. Here's exactly what we collect, why, and how we protect it.

Last updated: 1 April 2025

Information We Collect

When you use Grabit, we collect only what's needed to provide the service.

  • Phone number — Used to create your account and send OTP verification codes via MSG91.
  • Order data — Items ordered, pickup times, customisations, and payment method chosen (Online or Pay at Counter).
  • Device information — Browser type, OS version, and IP address for security and fraud prevention.
  • Cafe interactions — Which cafes you've visited, your order frequency, and favourite items — used to personalise your home screen.

We do not collect your full name, email, or home address unless you voluntarily provide them in your profile.

How We Use It

  • Authentication — Your phone number is your identity on Grabit. OTP codes confirm it's you.
  • Order processing — We share your order with the specific cafe you're ordering from so they can prepare it.
  • WhatsApp notifications — We send order status updates (Confirmed, Ready, Done) via Meta's WhatsApp Business API using your phone number. You can opt out at any time from your profile.
  • Product improvement — Aggregate, anonymised usage data helps us improve slot availability, reduce wait times, and fix bugs. We never sell individual data.

Data Sharing

We share your data with a limited set of trusted partners, only as needed to operate the service:

  • Cafe partners — Receive your name (if provided), phone (last 4 digits masked), and order details to prepare and hand over your order.
  • Cashfree Payments — Processes card, UPI, and netbanking transactions. We never store your card details — Cashfree's PCI-DSS compliant vault handles all payment data.
  • MSG91 — Delivers OTP SMS and voice calls to your number. They do not receive any order or payment data.
  • Meta (WhatsApp) — Receives your phone number and order status messages. Subject to Meta's own privacy policy.
  • Supabase — Our database provider. Data is stored in Singapore (AWS ap-southeast-1) with row-level security.

We never sell your data to advertisers, data brokers, or any third party not listed above.

Security

  • All data is transmitted over HTTPS/TLS 1.3.
  • Auth tokens are stored in httpOnly cookies — inaccessible to JavaScript, so a cross-site scripting (XSS) flaw in the page cannot read or steal them.
  • Database access is protected by Supabase Row-Level Security — each cafe can only read its own orders.
  • OTP codes expire after 10 minutes and are single-use.
  • Sessions expire after 7 days of inactivity.

Your Rights

You have the right to:

  • Access — Request a copy of all data we hold about you.
  • Correction — Ask us to correct inaccurate information.
  • Deletion — Request deletion of your account and associated data. We will comply within 30 days, except where data must be retained for legal or tax purposes (e.g., payment records for 7 years under Indian financial regulation).
  • Opt out of WhatsApp notifications — Go to Profile → Notifications and toggle off WhatsApp alerts.

To exercise any of these rights, email privacy@grabit.in.

Cookies

Grabit uses exactly two cookies:

  • grabit_customer_token — httpOnly, SameSite=Lax. Contains your encrypted session JWT. Required to use the app.
  • grabit_staff_token — httpOnly, SameSite=Lax. Set only when you log in as cafe staff. Required for the manage dashboard.

We use no advertising cookies, no tracking pixels, and no third-party analytics cookies.

Contact Us

For privacy concerns, data requests, or anything in this policy:

  • Email: privacy@grabit.in
  • Response time: within 5 business days
  • Company: KineticTechno Solutions Pvt. Ltd., India

If you believe your privacy rights have been violated and we have not resolved your concern, you may lodge a complaint with the relevant data protection authority in your jurisdiction.