Privacy Policy

Effective date: 20 May 2026

This Privacy Policy explains how DeliveryBook ("we", "us", "our") collects, uses, and protects information when you use our web dashboard at deliverybook.pk and our companion mobile scanner app (collectively, the "Service"). DeliveryBook is operated from Pakistan. By using the Service, you agree to the practices described in this policy.

1. Who this policy applies to

The Service is a B2B platform for restaurants to manage delivery riders. We distinguish two categories of individuals whose data we process:

  • Restaurant users — owners, managers, and operators who sign up and log in.
  • Riders — delivery staff added to the system by their employer (the restaurant). Riders do not directly create accounts; their data is provided by the restaurant.

2. Information we collect

Account information (restaurant users)

  • Name, email address, phone number, password (stored as a salted bcrypt hash — never in plain text)
  • Restaurant name, branch names, branch addresses
  • Subscription plan and billing history

Rider information (provided by the restaurant)

  • Name, phone number, optional CNIC number, optional home address
  • Payment model and rate (salary, hourly, per-order, etc.)
  • Attendance check-in / check-out timestamps
  • Order assignments, delivery times, and earnings calculations
  • Odometer readings (only if the rider is on a per-kilometer pay model)

Order information

  • Order numbers, amounts, custom fields configured by the restaurant
  • Payment status (paid, partial, pending, settled)

Mobile scanner app

  • Camera — used solely to read rider QR codes. Camera frames are processed locally on the device; we do not record video or upload images.
  • Network status — used to support offline scanning. Scans made while offline are stored on the device and synced to the server when connectivity returns.

Technical data

  • IP address, device type, browser/app version, timestamps of requests
  • Audit log entries for sensitive actions (logins, settlements, khata entries, role changes)
  • Rate-limiting counters used to prevent abuse

We do not collect geolocation, contacts, photos, advertising identifiers, or third-party analytics fingerprints.

3. How we use information

  • To operate the Service: run the QR attendance and order queue system, calculate earnings, produce reports, send invoices, and process subscriptions.
  • To authenticate users, verify email addresses, and send password-reset links.
  • To maintain security, prevent fraud, and enforce rate limits.
  • To improve the product based on aggregate usage patterns.
  • To respond to support requests.

We do not sell or rent personal data. We do not use your data for advertising or third-party marketing.

4. Who we share information with

  • Within your organization — restaurant owners, managers, and operators in the same restaurant can see rider and order data, subject to their role permissions.
  • Service providers we rely on to run the platform:
    • Zepto by Zoho — to send transactional emails (verification, password reset, invoices).
    • Hosting and CDN — our servers and Cloudflare for delivery; data stays within their secure infrastructure.
    • Payment processing — if/when we add online payments, the processor will receive only what is required to charge your subscription.
  • Legal requests — we may disclose information when required by law, court order, or to protect our rights and the safety of our users.
  • Business transfers — if DeliveryBook is acquired or merged, your data may be transferred under equivalent privacy commitments.

5. Data retention

We keep your data for as long as your account is active. When you delete your restaurant account, we delete personal data within 30 days, except where retention is required by Pakistan tax law or to resolve a billing dispute. Audit logs may be retained for up to 12 months for security and compliance.

See Delete your account for instructions.

6. Security

  • Passwords are stored as salted bcrypt hashes.
  • All traffic is encrypted with HTTPS (TLS).
  • Sessions use signed JWTs; tokens are invalidated on password change.
  • API endpoints are rate-limited to prevent brute-force attacks.
  • Sensitive mutations (settlements, advances, role changes) are recorded in an audit log.
  • Tenants are strictly isolated — one restaurant cannot read another restaurant's data.

7. Your rights

You can:

  • Access your data — visible in the dashboard.
  • Correct your data — edit profile, riders, branches at any time.
  • Export reports as CSV.
  • Delete your account — see Delete your account.
  • Withdraw consent by closing your account.

Riders who want a copy of their information should contact their restaurant (the data controller). We will assist the restaurant in fulfilling those requests.

8. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect data from minors.

9. International data transfers

Our servers are located in Germany. By using the Service, you consent to your data being processed in that location. We take steps to ensure your information receives a level of protection equivalent to that under Pakistani law.

10. Cookies

We use only essential, first-party cookies required to keep you signed in (HTTP-only secure cookie). We do not use third-party tracking cookies or advertising pixels.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email or an in-app banner at least 14 days before they take effect. The current effective date is shown at the top of this page.

12. Contact us

For questions about this policy or your data, contact us at support@deliverybook.pk.