Legal · Privacy Policy
Privacy Policy
ChatChef, operated by DMG ITS (dmgits.com), is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, with whom we share it, and how you can exercise your rights — including the right to request deletion of your data.
Table of Contents
1. Controller & Contact
The data controller responsible for processing your personal data is:
For all privacy-related inquiries, including requests to access, correct, or delete your data, please contact us at the email address above.
2. Data We Collect
2.1 Restaurant Account Data
When you register as a restaurant operator on ChatChef, we collect:
- Business name, address, and contact details
- Email address and administrative credentials
- Restaurant logo and menu information
- Preferred language and regional settings
2.2 WhatsApp Business Account Data
When you connect your WhatsApp Business Account via Meta's Embedded Signup, we collect and store:
- WhatsApp Business Account ID (WABA ID)
- WhatsApp Phone Number ID and verified phone number
- Meta App access tokens (stored securely, never exposed publicly)
- Webhook subscription data from Meta's WhatsApp Business API
2.3 Order Data
When customers place orders through your WhatsApp menu, we process:
- Order contents (items, quantities, customisations)
- Order timestamps and status updates
- WhatsApp phone number of the customer (used only to route the order — not stored long-term)
2.4 Usage & Technical Data
We may collect technical data to operate and improve the service:
- IP address and browser/device type
- Pages visited and features used within the ChatChef dashboard
- Error logs and performance metrics
3. How We Use Your Data
We process your data for the following purposes. For each purpose, we identify the legal basis under the EU General Data Protection Regulation (GDPR) where applicable:
| Purpose | Description | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Service delivery | Providing the ChatChef platform, connecting your restaurant to WhatsApp Business, and routing customer orders. | Art. 6(1)(b) — Performance of contract |
| WhatsApp messaging | Sending and receiving order notifications via the WhatsApp Business API on your behalf. | Art. 6(1)(b) — Performance of contract |
| Account management | Creating and managing your restaurant account, authentication, and settings. | Art. 6(1)(b) — Performance of contract |
| Support & communication | Responding to support requests and sending service-related notices. | Art. 6(1)(b) — Performance of contract |
| Security & compliance | Detecting and preventing fraud, unauthorised access, and ensuring compliance with Meta Platform Terms and applicable law. | Art. 6(1)(c) — Legal obligation & Art. 6(1)(f) — Legitimate interest |
| Service improvement | Analysing usage patterns (in aggregate) to improve features and fix issues. | Art. 6(1)(f) — Legitimate interest |
4. Meta Platform Data
ChatChef integrates with Meta's WhatsApp Business Platform. Data received from Meta through this integration ("Meta Platform Data") is subject to Meta's Platform Terms in addition to this Privacy Policy.
Specifically:
- We only request Meta Platform Data that is necessary to provide the ChatChef service.
- We process Meta Platform Data solely for the purposes described in this policy and as permitted under Meta's Platform Terms.
- We do not sell, transfer, or use Meta Platform Data for purposes beyond operating ChatChef.
- We do not use Meta Platform Data to discriminate, build profiles for advertising, or for surveillance purposes.
- We do not use Meta Platform Data for surveillance, eligibility determinations (including for housing, employment, insurance, education, credit, or government benefits), or any form of discrimination based on personal attributes.
- We promptly delete Meta Platform Data when it is no longer required or when requested by you or Meta.
- You may request deletion of your Meta Platform Data at any time using the process described in Section 10.
5. Data Sharing & Third Parties
We share data only with the following categories of service providers, strictly to operate ChatChef:
5.1 Meta (WhatsApp Business Platform)
We use Meta's WhatsApp Business API to send and receive messages on behalf of restaurant operators. Data shared includes WABA credentials and message content required to route orders. Meta's use of data is governed by Meta's Data Policy.
5.2 Railway (Cloud Hosting)
Our application and database are hosted on Railway (railway.app). Operational data (including encrypted credentials) resides on Railway's infrastructure. Railway processes data on our behalf under a Data Processing Agreement consistent with GDPR and Meta Platform Terms requirements. Railway's privacy policy is available at railway.app/legal/privacy.
5.3 Legal Obligations
We may disclose data if required by law, court order, or governmental authority, or to protect the rights and safety of our users or the public.
We do not share your data with any other third parties for commercial purposes.
6. Data Retention
We retain your data for as long as necessary to provide the ChatChef service and comply with legal obligations:
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure unless legally required otherwise.
- Order data: Retained for up to 12 months for operational and support purposes, then deleted or anonymised.
- Meta Platform Data (WABA credentials, tokens): Deleted within 30 days of disconnecting your WhatsApp account or closing your ChatChef account.
- Technical logs: Retained for up to 90 days for security and debugging purposes.
You may request earlier deletion of your data at any time. See Section 10 for the deletion request process.
7. International Data Transfers
ChatChef is operated by DMG ITS and our application infrastructure is hosted on Railway (railway.app), whose servers may be located in the United States or other countries outside the European Economic Area (EEA).
When personal data originating from the EEA is transferred to and processed in a country that does not have an EU adequacy decision, we rely on appropriate safeguards to ensure your data remains protected. These safeguards include the Standard Contractual Clauses (SCCs) adopted by the European Commission (EU) 2021/914, as incorporated by reference in Meta's Platform Terms (Section 10A) for Meta Platform Data, and equivalent mechanisms for our hosting infrastructure.
If you have questions about the specific safeguards in place for your data, please contact us at socialmedia@dmgits.com.
8. Data Security
We implement industry-standard technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS (HTTPS).
- Access tokens and sensitive credentials are stored encrypted and never exposed in public URLs or logs.
- Access to production systems is restricted to authorised personnel only.
- We monitor for unauthorised access and promptly address security vulnerabilities.
If you discover a security vulnerability, please report it to socialmedia@dmgits.com immediately.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (see Section 10).
- Restriction: Request that we limit how we process your data.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to certain types of processing, including direct marketing.
- Withdrawal of consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, please contact us at socialmedia@dmgits.com. We will respond within 30 days.
If you are located in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
10. How to Request Data Deletion
To request deletion of your data:
- Send an email to socialmedia@dmgits.com with the subject line: "Data Deletion Request".
- Include your registered email address and, if applicable, your restaurant name or account identifier.
- Specify whether you want full account deletion or deletion of specific data (e.g., WhatsApp Business Account data only).
We will confirm receipt within 5 business days and complete the deletion within 30 days. We will notify you once deletion is complete. Certain data may be retained where required by applicable law or regulation, in which case we will inform you of the basis for retention.
For requests specifically related to Meta Platform Data, you may also contact Meta directly via Meta's data deletion request form.
11. Cookies & Analytics
ChatChef uses only essential session cookies required for authentication and to maintain your logged-in state in the dashboard. We do not use third-party advertising cookies or cross-site tracking technologies.
Our website may use basic analytics to measure page visits and performance. This data is collected in aggregate form and does not identify individual users.
12. Children
ChatChef is a business tool intended for restaurant operators and is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at socialmedia@dmgits.com.
13. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page.
For significant changes, we will notify registered account holders via email. Continued use of ChatChef after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
For any privacy-related questions, requests, or concerns, please reach us at: