Legal

Privacy Policy

What we collect, why we collect it, how long we keep it, and how you can get it out. Plain language, no dark patterns.

Last updated: April 23, 2026

Summary

1. Who this applies to

This policy covers two kinds of users:

Where practices differ, we call it out below.

2. What we collect

Restaurant operators

Diners

3. Why we collect it

We do not run behavioral ad networks and do not share your data with ad platforms.

4. Who we share it with

We use a small set of service providers, each bound by a data-processing agreement:

We share data with these providers only as needed to deliver the service. We do not sell your data.

5. How long we keep it

6. Your rights

Depending on where you live, you have the right to:

Restaurant operators can export and delete most data directly from the dashboard. For anything else — or for diner data requests — contact us and we will respond within 30 days.

7. Diner requests

Diner data (orders, contact info, saved payment methods) is stored on behalf of the restaurant that took the order. If you are a diner requesting access or deletion, contact the restaurant directly — they control the data. We will assist the restaurant in fulfilling the request.

8. Security

See our security page for the technical controls we apply. In short: TLS in transit, encryption at rest, principle-of-least-privilege access, audit logging on admin actions.

9. International transfers

Nordkestrel is operated from Canada. Data may be processed in Canada, the United States, and the European Union depending on which region a given provider serves your request from. We rely on the contractual protections offered by our providers (Cloudflare, Stripe, Clerk, Resend) for cross-border transfers.

10. Children

Nordkestrel is not intended for children under 13. We do not knowingly collect data from children. If you believe we have, contact us and we will remove it.

11. Changes to this policy

We may update this policy. Material changes will be communicated by email and through a notice on this page at least 14 days before taking effect.

12. Contact

Privacy questions or data requests: contact us.