Privacy Policy
Last updated: June 14, 2026
This Privacy Policy is prepared in accordance with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC).
In accordance with Section 34 of the Implementing Rules and Regulations of the Data Privacy Act of 2012, OrderEase (the "Company") hereby informs you, prior to or as soon as practicable after collection, of: (a) the personal data collected; (b) the purposes of processing, including whether the data will be used for direct marketing, profiling, or automated decision-making; (c) the lawful basis for processing; (d) the scope and method of processing; (e) the categories of recipients to whom the data may be disclosed; (f) the methods used for automated access by recipients, where applicable, and the extent to which such access is authorized; (g) the identity and contact details of the personal information controller or its representative; (h) the retention period; and (i) the existence of your rights as a data subject, including the right to access, correct, and lodge a complaint before the NPC.
1. About the Company and Our Role
OrderEase is a SaaS platform that provides restaurant merchants with QR code ordering and point-of-sale services, with servers deployed in Tokyo, Japan. The Data Privacy Act of 2012 adopts an accountability principle: the Company remains responsible for personal data under its control or custody, including data that has been transferred to or processed by third parties or located abroad.
2. Our Dual Role: Controller and Processor
Your relationship with OrderEase, and the party responsible for your personal data, depends on whether you are a merchant or a customer:
- Merchants (restaurant operators): For the account, billing, and service data of restaurant operators who subscribe to OrderEase, the Company acts as the Personal Information Controller (PIC). We determine the purposes and means of processing this data, and you may exercise your data subject rights directly with us.
- Customers (diners): For the personal data of diners who place orders through a restaurant using OrderEase, the Company acts only as the Personal Information Processor (PIP). The restaurant is the Personal Information Controller and determines why and how that data is used. If you are a diner and wish to exercise your data subject rights, please contact the relevant restaurant directly; OrderEase will assist the restaurant in responding to such requests.
3. Personal Data We Collect and Purposes of Processing
Merchants (Restaurant Operators) — OrderEase as Controller
| Data Item | Purpose of Collection |
|---|---|
| Email address | Account identification, login authentication, system notifications |
| Name | Account display, service identification |
| Store name, address, and business details | Service setup, customer-facing display, tax and regulatory compliance |
| Password (bcrypt hashed) | Account security; plaintext is never stored |
| Subscription payment records | Service fee calculation, invoicing, accounting records |
| Operation logs (IP, timestamp) | Security audit, fraud prevention, troubleshooting |
Customers (Diners) — OrderEase as Processor for the Restaurant
| Data Item | Purpose of Collection |
|---|---|
| Name (optional) | Order identification, order calling |
| Mobile number (required for takeout/delivery) | Contact confirmation for takeout/delivery orders |
| Order contents and amount | Order processing, kitchen display, the restaurant's analytics |
| IP address and browser information | Security protection, service quality analysis |
*Customer personal data is controlled by the respective restaurant merchant as the Personal Information Controller; OrderEase acts only as the Personal Information Processor on the restaurant's instructions. To exercise your data subject rights as a customer, please contact the relevant restaurant directly.
4. Lawful Basis, Scope, and Method of Processing
Under the Data Privacy Act of 2012, the Company processes personal data only where a lawful basis exists. Depending on the data and purpose, our lawful bases include:
- Contract: processing necessary to provide the Service under our agreement with the merchant.
- Legal obligation: processing required to comply with Philippine law, including tax and accounting record-keeping.
- Legitimate interests: processing for security, fraud prevention, and service improvement, balanced against your rights and freedoms.
- Consent: where required, including for any direct marketing communications, which you may withdraw at any time.
Personal data is collected directly through the Service when you register, configure a store, or place an order, and is processed by automated means on our cloud infrastructure. We do not use customer order data for automated decision-making or profiling that produces legal or similarly significant effects. The Company does not sell personal data and does not use merchant or customer data for direct marketing without a lawful basis.
5. Duration, Jurisdiction, and Recipients
| Item | Details |
|---|---|
| Duration | For the duration of the account; after closure, data is retained only as required by Philippine law (see Section 9) and then securely disposed of |
| Jurisdiction | The Philippines, the location of our servers (Japan), and the countries where the third-party processors used by this Service are located (see Section 6) |
| Recipients | Authorized personnel of the Company, third-party processors engaged by the Company (see Section 6), the restaurant merchant (for customer order data), and public authorities entitled to access the data by law |
The servers for this Service are located in Tokyo, Japan, and your personal data is transferred cross-border to Japan for storage and processing. Consistent with the accountability principle under the Data Privacy Act of 2012, the Company remains responsible for personal data transferred abroad and uses contractual and technical safeguards to ensure a comparable level of protection.
6. Third-Party Services and Outsourced Processing
Cloudinary (Image Storage)
Country: United States
Purpose: Menu images uploaded by merchants
PayMongo (Payment Aggregator)
Country: Philippines
Purpose: Merchant subscription billing and customer payment processing
GCash (Payment Option)
Country: Philippines
Purpose: Customer and subscription payments (optional, at merchant's discretion)
Maya (Payment Option)
Country: Philippines
Purpose: Customer and subscription payments (optional, at merchant's discretion)
The Company requires the above third parties to process personal data in accordance with the Company's instructions and under confidentiality obligations or equivalent protections under applicable law. The Company will not sell your personal data to any third party for commercial purposes.
7. Cookies and Local Storage
This Service uses the following technologies to store data on your device:
| Type | Contents | Can Disable |
|---|---|---|
| Essential Cookies | JWT login token (httpOnly), language preference | No (login will be unavailable if disabled) |
| Functional LocalStorage | Shopping cart contents, customer preferences | Yes (clear browser data) |
| Session SessionStorage | Table QR code validation data (cleared when page closes) | Cleared automatically |
8. Organizational, Physical, and Technical Security Measures
- All data transmissions are encrypted with HTTPS/TLS to prevent man-in-the-middle attacks.
- Passwords are hashed using bcrypt (cost factor 12); plaintext is never stored in the database.
- Payment keys are encrypted with AES-256-GCM before storage.
- JWTs are stored in httpOnly cookies, which client-side scripts cannot read, to prevent token theft through XSS.
- Login attempts are protected by rate limiting to prevent brute-force attacks.
- Database access follows the principle of least privilege; employees do not have direct access to the production database.
- Regular security reviews are conducted and OWASP Top 10 protections are enforced.
9. Data Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Merchant account data | For the duration of the account; deleted within a reasonable period after closure | Business necessity |
| Subscription payment and accounting records | As required under Philippine law (e.g. BIR record-keeping requirements) | Tax and accounting laws |
| Customer order data | For the duration of the merchant's account, subject to the restaurant's instructions | Service provision necessity |
| System logs | A limited period necessary for security audit | Security audit requirements |
Where personal data is no longer needed for the declared purpose, it is securely disposed of in a manner that prevents further processing, unauthorized access, or disclosure.
10. Your Rights as a Data Subject
Under the Data Privacy Act of 2012, you have the following rights regarding personal data for which OrderEase is the controller. Where OrderEase is only the processor (customer data), please direct these requests to the relevant restaurant.
► Right to be Informed
Be informed whether your personal data is being processed, and of the details required under Section 34 of the DPA IRR
► Right to Access
Obtain a copy of your personal data and information about how it has been processed
► Right to Rectification
Correct any inaccurate or erroneous personal data
► Right to Erasure or Blocking
Suspend, withdraw, or order the blocking, removal, or destruction of your personal data on lawful grounds
► Right to Object
Object to the processing of your personal data, including processing for direct marketing or automated processing
► Right to Data Portability
Obtain and reuse your personal data in an electronic or structured, commonly used format
► Right to Damages
Be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data
► Right to File a Complaint
Lodge a complaint with the National Privacy Commission (NPC)
To exercise the rights above, please submit a request via the contact information below. We will respond within the timeframes prescribed by the National Privacy Commission. If we are only the processor of the relevant data, we will direct you to the restaurant that controls it.
11. Children's Privacy Protection
The merchant backend of this Service is intended solely for adults with full legal capacity. The Company does not knowingly collect personal data from minors without the consent of a parent or guardian. If you become aware that such data has been collected inadvertently, please contact us immediately, and the Company will delete it promptly.
12. Policy Amendments
The Company reserves the right to amend this Policy. In the event of material changes, merchants will be notified by email or through a prominent in-service notice in advance of the effective date. Material changes affecting customers will be posted on the relevant pages. Continued use of the Service constitutes acceptance of the amended Policy.
13. Data Protection Officer, Contact, and Complaints
Data Protection Officer (DPO) Contact Information
Email: support@orderease.com.ph
Service hours: Monday to Friday, 09:00–18:00 (Philippine time, excluding public holidays)
If you believe your data privacy rights have been violated, you may also file a complaint with the National Privacy Commission (NPC) of the Philippines (https://privacy.gov.ph).