pt en
pt en
pt en

Privacy Policy – IndiaEats

The General Data Protection Regulation of the European Union (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – sets out the rules on the protection of personal data of natural persons and applies directly in all Member States.

In Portugal, Law no. 58/2019 of 8 August is also in force, implementing the GDPR at national level.

INDIAEATS, LDA. (“IndiaEats”) has procedures and mechanisms in place that comply with and respect the rules on the protection of natural persons, in particular with regard to the protection of personal data and the free movement of such data.

This Privacy Policy explains how we process personal data and sets out our commitment to data protection and compliance with the GDPR, in particular the principle of accountability (Article 5(2) GDPR) and the other principles set out in Article 5 GDPR.

2. Definitions

This Privacy Policy uses terms defined by the GDPR. It is intended to be clear and understandable to users, customers and partners.

For the purposes of this Policy:

  • Personal data – any information which, alone or in combination with other information, allows a living individual to be identified or made identifiable. This includes data that has been pseudonymised, encrypted or anonymised when it can still be linked to an individual by using additional information. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.

  • Data subject – the identified or identifiable natural person to whom the personal data relates and whose data are processed by the controller.

  • Processing – any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in any format (digital and/or paper).

  • Restriction of processing – the marking of stored personal data with the aim of limiting their processing in the future.

  • Pseudonymisation – the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, where such additional information is kept separately and subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  • Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are laid down by Union or Member State law, the controller or the criteria for its nomination may be provided for by such law.

  • Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  • Cross‑border processing – processing of personal data which takes place in more than one Member State or which is likely to substantially affect data subjects in more than one Member State.

  • Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

For the proper understanding of this Policy, we also use the following definitions:

  • Contract – acceptance by the user of the IndiaEats Terms and Conditions of Use of the Service (“IndiaEats Terms and Conditions”), becoming a registered user.

  • Service – the home‑delivery service of food and beverages (“Service”) that allows customers to receive meals from partner restaurants (“Partner Restaurants”) at their home, workplace or any other location within the covered areas.

  • Platform – the website and/or mobile application that provide access to the Service.

  • Registered User – a natural or legal person who accepts the IndiaEats Terms and Conditions in order to access the website or mobile application and use the Service.

3. Data Controller

INDIAEATS, LDA., a private limited company with tax ID number 518 013 146, share capital of €5,000.00, with registered office at Rua Maria Andrade, n.º 43, R/C, 1150‑213 Lisboa, Portugal, is the controller of personal data.

As controller, IndiaEats determines the purposes of processing and applies the technical and organisational measures required to protect personal data in accordance with Article 24 GDPR and other applicable provisions.

For any request relating to your rights as a data subject, or any question about this Privacy Policy, please contact us via our website at www.indiaeats.com (Contact page).

4. Personal Data We Collect

Our website uses cookies to improve the user experience. For more information on cookies and how they are used, please refer to our Cookie Policy.

If you are a Registered User, in addition to cookies we will process the following personal data as part of your registration and use of the Platform:

  • Full name, date of birth, email address, phone number, address, payment details (credit card number, cardholder name, expiry date and security code), login name and password, and profile photo.

We may also process:

  • Current location (using GPS technology), food intolerances or preferences, billing data (tax ID and billing address), and any other information you provide to IndiaEats, such as communications with IndiaEats, information relating to incidents or complaints, communications with couriers, and data resulting from your use of the Platform (for example, preferences and ratings shared about the service).

5. Purposes of Processing

If you are a User or a Delivery Partner, your data may be used for the following purposes:

a) Contractual purposes
By accepting the IndiaEats Terms and Conditions, you enter into a contract with IndiaEats as a user of the Platform. We process the personal data that are strictly necessary to manage the contractual relationship between you and IndiaEats, so that you can access the Platform and the Service.

If you do not provide the data necessary to conclude and perform the contract, we may not be able to provide the Service or allow you to use the Platform.

The data collected are used for the subscription and proper provision of the services offered by IndiaEats through the Platform.

b) Legal purposes
We may process data to comply with legal obligations, in particular to:

  • Prevent, detect and respond to fraud and possible criminal offences against our Platform and all users.
  • Comply with legal obligations that require certain data to be retained for a defined period.
  • Manage and respond to requests to exercise data protection rights under the GDPR and local regulations.
  • Use data obtained from you or resulting from your use of the Platform to bring or defend legal claims and manage incidents related to user requests.

c) Security purposes
We may process:

  • Device usage data, location data (including geolocation data, where you have consented), profile, usage and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, interface manipulation, abuse).
  • Data to monitor actions likely to involve fraud or criminal offences related to the payment method you use. If irregularities are detected, IndiaEats reserves the right to retain the relevant data and share them with competent authorities for investigation.
  • Data to verify that you meet the legal requirements relating to specific products ordered via the Platform (for example, minimum legal age for alcoholic beverages).

d) Statistical and research purposes
We may process data to:

  • Analyse trends, behaviour and purchasing patterns.
  • Understand how you use our Platform.
  • Manage and improve the services offered, including the possible addition of new features and services.

e) Marketing and commercial purposes
We may also process data to:

  • Carry out marketing activities, communications, and research and development.
  • Analyse and investigate how to improve our services (online and offline), using data you provide (such as participation in focus groups, comments, service reviews, satisfaction surveys and other feedback).
  • Provide you with personalised offers, promotions, discounts, suggestions and options in the App, by email or by other communication channels, including the use of cookies or similar technologies for advertising on third‑party websites or apps, in accordance with our Cookie Policy and only where you have provided consent.
  • Run promotional activities, such as giveaways, contests, quizzes or competitions between users, where you have subscribed or provided your data for such campaigns.
  • Create custom audiences with Facebook or other providers to reach you and other people with similar profiles who may be interested in IndiaEats services. You can manage your privacy settings in your Facebook account or on other third‑party platforms.
  • Use marketing material published by you on your social media profiles where you have explicitly mentioned IndiaEats (for example via hashtag or @ mention).

6. Legal Basis for Processing

For the general contact form or optional marketing activities, the legal basis is your consent (Article 6(1)(a) GDPR).

In line with the principle of transparency (Article 5(1)(a) GDPR), you are informed at the time of data collection (for example when accessing the site or consenting to cookies) of any operation that requires your consent as a legal basis. You may withdraw your consent at any time by contacting us via www.indiaeats.com.

For the use of the Platform and provision of the Service, the main legal basis is performance of a contract or pre‑contractual steps at your request (Article 6(1)(b) GDPR), since by using the Platform you clearly express your intention to receive our services.

In some cases, processing may also be based on:

  • Compliance with legal obligations (Article 6(1)(c) GDPR);
  • Legitimate interests pursued by IndiaEats (Article 6(1)(f) GDPR), such as improving the Service, preventing fraud and protecting our rights.

7. With Whom We Share Your Data

To provide the Service (especially when mediating between you and Partner Restaurants), IndiaEats may need to share some of your personal data with:

  • Partner Restaurants – for example, billing information, food intolerances or preferences, special requests connected to your order.
  • Service providers and business partners – such as accounting firms, software and platform providers, event management and promotion companies, financial consultants, lawyers and other professional advisers.

We require our service providers to implement appropriate technical and organisational measures to protect personal data.

We may also share personal data with potential buyers or investors in IndiaEats. In such cases, we apply the principle of data minimisation and require any third party with access to personal data to be bound by confidentiality obligations.

All personal and commercial data shared with us are treated confidentially, in line with the principle of integrity and confidentiality (Article 5(1)(f) GDPR).

8. Where We Process Your Data

Data are stored on IndiaEats’ servers and on the devices used by authorised staff (for example, personnel responsible for communication), with appropriate technical and organisational measures in place to protect confidentiality, integrity and availability.

IndiaEats applies security controls and information security measures to protect information assets.

9. Are Your Data Secure With Us?

Yes. IndiaEats understands the importance of data security.

We commit to implementing appropriate technical and organisational measures to protect information assets, especially personal data. These may include, for example:

  • The principle of least privilege for access rights
  • Access control matrices (CRUD)
  • Antivirus and firewall on devices accessing the information
  • Encryption technologies (such as SSL) to protect certain sensitive information (for example, location data)

These examples are not exhaustive; we implement other security controls as appropriate.

10. Data Retention

Personal data are kept for as long as necessary to fulfil the purposes described above and to comply with legal obligations or protect IndiaEats’ legal rights.

Cookies are retained for the following periods:

  • Essential cookies: up to 12 months
  • Functionality cookies: up to 12 months
  • Session cookies: up to 12 months
  • Analytics cookies: up to 12 months
  • Remarketing cookies: up to 12 months after collection or until you withdraw consent, whichever occurs first.

Registration data and other data you provide, including ratings, may be retained while your contract with IndiaEats is active.

IndiaEats is not under an obligation to retain your data beyond legal requirements, nor to maintain backups indefinitely.

User accounts with no access to the Platform for more than 12 months may be deleted, unless IndiaEats considers that the data are necessary to exercise or defend legal claims.

Ratings data may be stored during the contract and, after termination, for up to 48 months or until you request deletion, where legally permitted.

11. Data Subject Rights

In accordance with the GDPR, you may, depending on the circumstances, have the following rights:

  • Right to be informed and to access your personal data (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (where technically feasible) (Article 20 GDPR)
  • Right to object to processing for reasons related to your particular situation, and to withdraw consent at any time (Article 21 GDPR)

In certain cases, especially where data must be kept to comply with legal obligations or for public interest, the exercise of these rights may be limited.

You can exercise your rights by contacting IndiaEats in writing via the contact information available on www.indiaeats.com. We will review your request and aim to respond within one month.

12. Personal Data Breaches

Despite our commitment to data security, incidents may occur.

A personal data breach occurs when there is loss, unauthorised modification, destruction, access or disclosure of personal data.

If we become aware of a breach likely to result in a high risk to your rights and freedoms, IndiaEats will implement appropriate measures and, where required by law, notify the affected data subjects and the relevant supervisory authority.

If you become aware of or suspect any personal data breach related to IndiaEats, please report it via www.indiaeats.com so that we can take appropriate action.

13. Trade Secrets and Confidentiality

IndiaEats respects the confidentiality of its customers, partners and their projects, and is bound by professional secrecy and commercial confidentiality.

Any ideas, projects, work materials or commercial data shared with us are treated as confidential and protected as trade secrets, alongside personal data.

14. Contact Details of the Data Controller

INDIAEATS, LDA., tax ID 518 013 146, share capital €5,000.00, registered office at Rua Maria Andrade, n.º 43, R/C, 1150‑213 Lisboa, Portugal, is the controller of your personal data.

For any request regarding your data protection rights or this Privacy Policy, please contact us via our website www.indiaeats.com (Contact page).

15. Review and Changes to this Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time, without prior notice, to reflect legal, technical or business changes.

We encourage you to review this Policy regularly. By continuing to use our website and services, you are deemed to be aware of the current version of this Policy.

16. Applicable Law and Jurisdiction

This Privacy Policy and any collection, processing or transmission of personal data are governed by Regulation (EU) 2016/679 (GDPR) and by applicable Portuguese law, in particular Law no. 58/2019 of 8 August.

Any disputes regarding the validity, interpretation or enforcement of this Policy, or related to the collection, processing or transmission of personal data, shall be submitted exclusively to the competent courts of the Judicial District of Lisbon, without prejudice to any mandatory legal provisions.

17. Complaints

If you are dissatisfied with the way IndiaEats uses your personal data or how we handle your rights, you have the right to lodge a complaint with the competent Data Protection Authority:

Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 – 1.º
1200‑651 Lisboa – Portugal
Tel: +351 213 928 400
Fax: +351 213 976 832
E-mail: geral@cnpd.pt

You may also contact your local supervisory authority if you are located in another EU Member State.