Privacy Policy
Effective date: 1 June 2025
1. What We Collect
When you use Tray, we collect:
- Account data: Email address and display name (provided during sign-up or login via Supabase Auth)
- Order data: Items ordered, quantities, timestamps, and order status history
- Device/session data: IP address, browser type, and session token (used for security and rate limiting)
We do not collect or store any payment credentials — card numbers, UPI PINs, bank account details, or CVVs. All payment data is collected and processed exclusively by Razorpay under their Privacy Policy.
2. How We Use Your Data
- To process and fulfill your food orders
- To show you your order history and status
- To allow Canteen administrators to manage and fulfill orders
- To prevent fraud, abuse, and unauthorised access
- To send transactional emails (e.g., order confirmation) via Resend
We do not sell your data to third parties. We do not use your data for advertising.
3. Data Isolation
Each Canteen's data is strictly isolated from other Canteens using row-level security in our database. A student's order data at "Canteen A" is never visible to "Canteen B" or its administrators.
4. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Email, order data |
| Razorpay | Payment processing | Order amount; UPI/card details (collected directly by Razorpay, never stored by us) |
| Vercel | Hosting and CDN | Request logs, IP addresses |
| Resend | Transactional email | Email address, order details |
5. Data Retention
- Order history is retained for 90 days after order completion, then archived
- Account data is retained while your account is active
- Session logs are retained for 30 days for security purposes
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data held by us
- Export: Download your order history (available in the student portal)
- Delete: Request deletion of your account and associated data
- Correct: Request correction of inaccurate personal data
To exercise any of these rights, email us at taum75448@gmail.com with the subject line "Data Request". We will respond within 30 days.
7. Security
We use industry-standard security measures including TLS encryption in transit, row-level security in the database, HMAC-SHA256 webhook signature verification, and bcrypt-hashed OTP secrets. However, no system is perfectly secure — please contact us immediately if you discover a vulnerability.
8. Children's Privacy
Tray is intended for use by college and university students (18 years and above). We do not knowingly collect data from users under 18.
9. Changes to This Policy
We may update this policy from time to time. The "Effective date" at the top will reflect the latest revision. Continued use of the platform constitutes acceptance.
10. Contact
Privacy questions? Email taum75448@gmail.com.