Bitezor Privacy Policy
Last Updated: June 3, 2026
This Privacy Policy applies to the Bitezor customer app and the related services that support it, including our backend systems, vendor app, and delivery partner app. We collect and use customer information to help you create an account, discover nearby shops, place orders, make payments, receive delivery updates, contact support, and complete food deliveries.
Because Bitezor operates as a food-ordering and delivery platform, some information you provide in the customer app is processed through our backend and shared with vendors and delivery partners only where needed to fulfil your order. Bitezor acts as the primary operator and controller of your data.
1. Key Regulatory Frameworks We Follow
1.1 Digital Personal Data Protection Act, 2023 (India)
Our customer app is designed primarily for users in India. We use Indian phone numbers for OTP login, process payments in INR, and use customer addresses and location information to support local food ordering and delivery. For this reason, we align this Privacy Policy with the Digital Personal Data Protection Act, 2023.
For customer personal data processed through the Bitezor customer app and backend, Bitezor acts as the Data Fiduciary. This means we decide why and how your personal data is processed, and we are responsible for handling it in accordance with applicable law. As a customer using our services, you are the Data Principal under the DPDP Act, and you hold specific rights regarding your personal data.
We collect and process your personal data for clear and specific purposes, including:
- verifying your phone number through OTP login;
- creating and managing your customer account;
- saving your name, phone number, email address, and profile picture;
- requesting and using location access to show nearby shops and support delivery;
- saving delivery addresses, receiver names, receiver phone numbers, and address details;
- managing your cart, bookmarks, orders, order status, delivery OTPs, refunds, and support requests;
- sending transactional notifications related to OTPs, orders, payments, delivery, and support;
- processing online payments;
- preventing fraud, misuse, unauthorized access, and platform abuse;
- meeting tax, accounting, dispute-resolution, refund, security, and legal obligations.
We ask for your consent where required, including for phone verification, location access, notifications, saved addresses, profile information, payment-related processing, and support communications. You may withdraw consent where the processing is based on consent, but this may affect your ability to use features that require that information, such as nearby shop discovery, delivery, or notifications.
We share limited order-related information with vendors so they can prepare your order. We share delivery-related information with delivery partners so they can pick up and deliver your order. This includes your order details, delivery address, receiver details, delivery OTP or handover status, and order status information. We do not share more customer information than is reasonably needed for the relevant order or service.
We also use trusted service providers to operate the app and services. These include:
- Twilio: For sending OTPs to verify phone numbers for account creation and login.
- Razorpay: For processing online payments.
- Google Maps: For providing mapping, location search, and geocoding services.
- Expo: For push notification infrastructure and delivery of notifications.
- Cloud hosting, storage, security, and operational service providers.
These providers process information only for the services they provide to us or to you through Bitezor.
As a Data Principal, you have the following rights under the DPDP Act, which you may request to exercise:
- Right to Access: Request information about what personal data we process, a summary of processing activities, and the identities of other Data Fiduciaries or Processors with whom your data has been shared.
- Right to Correction and Erasure (Deletion): Request the correction of inaccurate, misleading, or incomplete data, or the deletion/anonymization of your account data.
- Right to Grievance Redressal: File a complaint regarding any act or omission of Bitezor in respect of its obligations or your rights under the DPDP Act.
- Right to Nominate: Nominate any other individual to exercise your rights in the event of your death or incapacity.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, though this may affect your ability to use features that require that information.
When a user requests account deletion, Bitezor implements a secure, OTP-verified account anonymization and erasure flow to remove personally identifiable information (PII) while preserving historical business records:
1. Customer Account Deletion
When you request customer account deletion, we verify the request using OTP. After successful verification, we delete your saved addresses, cart data, bookmarks, push notification devices (Expo push tokens), and profile picture; and anonymize your customer record with the following values:
- Name: overwritten with "Former Customer"
- Phone & Email: set to null
- Ratings & Reviews: The ratings remain, but the review feedback text is updated to: "This has been removed during anonymization and user delete request."
- Support Queries: Support tickets are retained, but their details are scrubbed, subject changed to "Removed" and query text changed to "This has been removed during anonymization and user delete request".
- Order Linkage: All order history is preserved, but the customer record is unlinked from the orders.
2. Vendor Account Deletion
When a vendor requests account deletion, we verify the request using OTP. To protect ongoing platform operations, the deletion request is blocked if there are active customer orders. After successful verification and approval, we delete all shop products and their images, delete physical banner images and verification documents (such as Aadhaar card photos) from cloud storage, delete the vendor's profile picture, delete push notification devices (GCM devices/Expo push tokens), and anonymize the vendor record with the following values:
- Name: overwritten with "Former Vendor"
- Phone & Email: set to null
- Shop Profile: The shop status is set to deactivated and unverified, its name is updated to "Former Shop", its description is changed to "This shop has been deactivated and removed.", and its geolocations, pincode, street, city, state, country, and text address are cleared (set to null or blank).
- Earnings Ledger & Payouts: The vendor's UPI ID is set to null, and all past vendor payouts are updated to set UPI id to "Removed".
- Support Queries: Support tickets are retained, but their details are scrubbed, subject changed to "Removed" and query text changed to "This has been removed during anonymization and user delete request".
3. Delivery Partner Account Deletion
When a delivery partner requests account deletion, we verify the request using OTP. To protect platform and customer integrity, the deletion request is blocked if there are active delivery assignments or an outstanding negative balance (unsettled COD collections). After successful verification and approval, we delete the delivery partner's profile and vehicle/license verification documents (such as driving license and vehicle photos) from cloud storage, delete the partner's profile picture, delete push notification devices (GCM devices/Expo push tokens), and anonymize the delivery partner record with the following values:
- Name: overwritten with "Former Delivery Partner"
- Phone & Email: set to null
- Orders Relationship: The partner is unlinked from all previous orders (the delivery partner reference on all orders is set to null).
- Earnings Ledger & Payouts: The partner's UPI ID is set to null, and all past payouts are updated to set upi_id to "Removed".
- Support Queries: Support tickets are retained, but their details are scrubbed, subject changed to "Removed" and query text changed to "This has been removed during anonymization and user delete request".
For all user roles, all transactional logs, order histories, payment data, tax information, and dispute resolution records are retained securely for a period of up to 8 financial years in an anonymized state, as permitted and required under applicable Indian laws.
1.2 Children's Privacy
Bitezor is not directed at children under the age of 18. Under the DPDP Act, we do not knowingly process personal data of children (minors under 18) without verifiable parental consent. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children. If we discover that we have inadvertently collected personal data of a minor without parental consent, we will delete or anonymize it immediately.
1.3 Grievance Redressal Mechanism
If you have any questions, concerns, or grievances regarding the processing of your personal data or to exercise your rights as a Data Principal, please contact our Grievance Officer:
- Name/Designation: Deep Narayan (Grievance Redressal Officer)
- Primary Support Email: support@bitezor.com
- Direct Grievance Email: deep@bitezor.com
We will respond to and address your concerns or grievances within the timelines prescribed under the DPDP Act, 2023. If you are not satisfied with the resolution provided by our Grievance Officer, you may file a complaint with the Data Protection Board of India (DPBI) in the manner prescribed under the Act.
1.4 Google Play Store Privacy Requirements
Because the Bitezor customer app is distributed through the Google Play Store, we follow its privacy requirements.
We provide a public privacy policy link for app store listings and make the policy available in or through the customer app. We aim to keep this Privacy Policy, app permission prompts, Google Play Data safety disclosures, and actual app behavior consistent with each other.
The customer app may collect or process the following categories of information:
- account information, such as name, phone number, optional email address, and profile image if added;
- authentication information, such as OTP verification metadata and secure session tokens;
- location information, such as latitude, longitude, searched locations, selected map locations, and formatted addresses;
- delivery information, such as saved addresses, receiver names, receiver phone numbers, address labels, and address details;
- order information, such as cart items, ordered products, quantities, prices, promo codes, order totals, taxes, delivery charges, order status, and delivery OTP status;
- payment information, such as payment method, Razorpay order or payment references, payment status, refund status, and transaction verification information;
- device and notification information, such as Expo push tokens, device identifiers used for notification delivery, notification logs, and order-status notification payloads;
- support information, such as support category, subject, message, metadata, and support status;
- technical and diagnostic information needed to maintain app security, performance, and reliability.
We request location permission to show nearby shops, help you select delivery locations, calculate delivery availability or charges, and support accurate delivery. We request notification permission to send OTP, order, payment, delivery, support, and other service-related alerts.
Because the applications in the Bitezor ecosystem (Customer, Vendor, and Partner apps) allow account creation, we provide a unified account deletion and anonymization process for all user roles. We disclose how data deletion works, including what files are deleted, how identity databases are scrubbed, and what transactional logs are retained for lawful business, tax, payment, refund, fraud-prevention, dispute, or legal reasons.
If we add new third-party SDKs, analytics tools, advertising tools, or tracking technologies in the future, we will update our app store disclosures and this Privacy Policy as required.
2. Information We Collect
We collect different categories of information depending on how you use Bitezor: as a customer, vendor, or delivery partner.
2.1 Customer Data
When you use the Bitezor customer app, we may collect and process the following information:
- Identity and contact information: your name, mobile phone number, optional email address, and profile photo if added. We use your mobile number for OTP-based authentication through Twilio Verify.
- Location and address information: precise GPS coordinates, coarse location coordinates, searched locations, selected map locations, formatted addresses, saved delivery addresses, address labels, receiver names, receiver phone numbers, and address details such as floor, house number, or landmark. We collect location through expo-location and related map services to show nearby shops, help you select delivery locations, calculate delivery availability, and support delivery routing/status where available.
- Transaction and order information: cart items, bookmarked products, selected products, quantities, product options, promo codes, order history, order status, delivery OTP status, taxes, delivery charges, platform charges shown to you, discounts, refund status, and support requests related to orders.
- Payment information: payment method, Razorpay order IDs, Razorpay payment IDs, payment status, refund references, and transaction verification information. We do not store your raw credit card number, debit card number, CVV, UPI PIN, UPI password, net banking password, or other payment credentials. These are processed by Razorpay.
- Device and notification information: Expo push notification tokens, device identifiers used for notification delivery, notification logs, order-status notification payloads, and app/session data needed to send transactional updates such as OTPs, order accepted, preparing, out for delivery, delivered, payment, refund, or support updates.
- Support and communication information: support categories, subjects, messages, metadata, callback preferences, ticket status, and any information you choose to provide when contacting us.
2.2 Vendor Data
When a vendor uses Bitezor to register, operate, and receive payouts for a shop, we may collect and process the following information:
- Identity and contact information: vendor name, mobile phone number, optional email address, profile photo, account status, OTP verification metadata, and authentication/session tokens.
- Shop information: shop name, description, shop type, operating address, street, city, state, country, pincode, latitude, longitude, banner image, shop verification status, availability status, platform fee configuration, and other shop operating details.
- Menu and catalog information: product names, descriptions, categories, sub-categories, prices, discounts, quantities, availability status, related product data, product options, and product images.
- Verification information: identity or verification documents, including Aadhaar-related shop verification images where provided, and other documents or images required to verify vendor authenticity and prevent fraud. These files are stored through our configured media storage provider, currently Cloudinary, or another storage provider such as AWS S3 if configured in the future.
- Order and fulfilment information: orders assigned to the vendor, ordered items, preparation status, pickup OTP status, customer delivery details needed for fulfilment, rejected/cancelled order information where applicable, and order history.
- Financial and payout information: earnings balance, UPI ID or payout destination information where supported, payout requests, payout status, RazorpayX payout IDs, ledger transactions, commissions/platform fees, vendor payout calculations, and payout history. The current backend stores UPI IDs and RazorpayX payout references for payouts.
- Device and notification information: push notification tokens or device identifiers where notifications are enabled, and notification logs used to send new order and fulfilment updates.
2.3 Delivery Partner Data
When a delivery partner uses Bitezor to register, go online, accept deliveries, and receive payouts, we may collect and process the following information:
- Identity and contact information: delivery partner name, mobile phone number, optional email address, profile photo, account status, OTP verification metadata, and authentication/session tokens.
- Verification and vehicle information: driving license number, driving license image, vehicle type, vehicle number, vehicle image, city, state, verification status, and other details needed to verify eligibility and reduce fraud.
- Location information: precise GPS coordinates and coarse location coordinates collected through the delivery partner app. When a delivery partner is online or the delivery heartbeat service is active, the app may collect location in the foreground and background at recurring intervals to maintain availability, find nearby ready orders, assign deliveries, support pickup and drop-off, and calculate proximity using Redis geospatial indexes. This location processing is essential to delivery operations, and we provide a prominent location notice in the delivery partner app.
- Order and delivery information: assigned orders, ready orders near the partner, accepted/rejected orders, pickup OTP verification, delivery OTP verification, shop pickup details, customer delivery address, receiver details needed for delivery, delivery status, payout per order, COD-related settlement information, and delivery history.
- Financial information: earnings balance, UPI ID or payout destination information where supported, payout requests, payout status, RazorpayX payout IDs, ledger transactions, delivery charges/payouts, incentive history, outstanding dues balance or settlement information for COD collections, and payout history.
- Device and notification information: Expo push notification tokens, device identifiers used for notification delivery, foreground/background service status, notification logs, and order-status notification payloads.
- Support and communication information: support categories, subjects, messages, metadata, callback preferences, ticket status, and any information provided while contacting Bitezor support.
3. How We Use Your Information and Our Legal Basis
We use your information to operate, secure, improve, and support the Bitezor platform. Depending on the law that applies, we process information based on your consent, our need to provide the requested service, contractual necessity, legitimate business and security interests, and legal or regulatory obligations.
We use information for service delivery, including account creation, OTP login, shop discovery, location-based search, menu display, cart management, order placement, order acceptance, preparation, pickup, delivery, refund handling, support, earnings ledger management, and payout processing.
We use location and order information to match nearby delivery partners with ready orders. Our backend uses Redis geospatial indexes to identify delivery partners and ready orders within operational distance limits, calculate proximity, and reduce repeated assignment to partners who have already rejected an order.
We use order and OTP information for security and verification. Bitezor uses a dual-OTP handoff process for delivery: the vendor verifies pickup before handing the order to the delivery partner, and the delivery partner verifies delivery with the customer at drop-off. This helps reduce fraud, incorrect handovers, and delivery disputes.
We use payment and payout information to process customer payments, verify Razorpay payment signatures, process refunds, maintain transaction records, calculate vendor and delivery partner payouts, manage earnings balances, process RazorpayX payouts, track COD-related settlements, and maintain accounting records.
We use contact, device, and notification information to send transactional communications. These include SMS or OTP verification codes through Twilio, push notifications for order accepted, preparing, ready, out for delivery, delivered, cancelled, refund, payout, support, and other service-related updates.
We use verification documents, account status information, device information, location records, order records, and support records to prevent fraud, investigate misuse, verify users, protect customers/vendors/delivery partners, comply with legal obligations, enforce platform rules, and respond to disputes or support requests.
4. Third-Party Service Providers
We use trusted third-party service providers to operate Bitezor. These providers process information only as needed to provide services to us or to you through Bitezor.
- Twilio: We use Twilio Verify to send OTP/SMS authentication codes and verify phone numbers for customers, vendors, and delivery partners.
- Razorpay: We use Razorpay to process customer payments, create payment orders, verify payment signatures, and support refunds or payment status reconciliation. We do not store raw card, CVV, UPI PIN, or payment password details on Bitezor servers.
- RazorpayX: We use RazorpayX for vendor and delivery partner payout workflows, payout processing, payout references, and related financial reconciliation.
- Cloudinary: We currently use Cloudinary-backed media storage for uploaded images and documents, including profile photos, shop images, product images, vendor verification files, delivery partner driving license images, and vehicle images.
- AWS S3 or compatible cloud storage: Our backend is designed so media storage can be switched to AWS S3 or another supported storage provider if configured. If we use such storage, uploaded images and documents may be stored there.
- Google Maps APIs: We use Google Maps and geocoding services for maps, address search/autocomplete, reverse geocoding, location selection, shop discovery, and delivery-related distance or routing support.
- Expo Notifications: We use Expo notification infrastructure to generate and deliver push notification tokens and transactional push notifications for app events such as OTP, order, delivery, support, and earnings updates.
We may also use hosting, database, cache, security, monitoring, email, analytics, and operational service providers where necessary to run the platform. If we add material new processors that affect how your data is handled, we will update this Privacy Policy as required.
5. Cookies and Local Storage
We use local storage, secure device storage (such as Secure Store), and similar technologies to authenticate your session, keep you logged in, save your app preferences (such as theme and language settings), and cache cart data. We do not use these technologies for third-party cross-app tracking.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy, or as required by applicable laws and regulations.
- Active Accounts: We retain your account profile data, saved preferences, and settings as long as your account remains active and registered on the platform.
- Account Deletion and Erasure: When you request the deletion of your account (which is verified via OTP), we immediately delete or anonymize your personal information (such as your name, phone number, email address, profile picture, saved addresses, and active push notification tokens) in accordance with our deletion protocols.
- Regulatory and Legal Obligations: We are required under tax, accounting, anti-fraud, and financial transaction laws in India to retain certain transactional logs (including order history, payment transactions, earnings ledger entries, refunds, and payout records) for a period of up to 8 financial years. During this period, these records are stored securely, unlinked from your personal identity, and processed only for compliance, audit, or legal dispute resolution purposes.
7. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where appropriate, through in-app notifications and email notifications to your registered email address, if provided.
8. Reference Sources
- India Code: Digital Personal Data Protection Act, 2023
- Google Play Console Help: User Data policy and account deletion requirements