Privacy Policy

Effective date: 16 May 2026

Last updated:

This Privacy Policy explains how HaloHelm (“we”, “us”, “our”) collects, uses, stores, and protects information when you use our restaurant management software platform, including our website at halohelm.com, our admin dashboard, and the customer-facing menu pages we host for restaurants.

We take your privacy seriously and comply with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who We Are

HaloHelm is a software-as-a-service (SaaS) product operated by Prabu Sekar, a sole proprietorship registered as a Micro Enterprise under India’s Ministry of Micro, Small and Medium Enterprises:

Trade name: HaloHelm
Owner: Prabu Sekar (Sole Proprietor)
UDYAM Registration: UDYAM-PY-03-0055722
Registered office: No. 17, Shanthi House, S.M.V. Puram East, Villianur, Puducherry — 605110, India
Contact email: hello@halohelm.com
Date of commencement: 01 January 2026

For the purposes of the DPDP Act, HaloHelm acts as the Data Fiduciary for personal data of restaurant owners and staff who hold accounts on our platform, and as a Data Processor for personal data of restaurant customers (diners) which we process on behalf of those restaurants.

2. Information We Collect

The information we collect depends on how you interact with HaloHelm.

2.1 From Restaurant Owners and Staff (Account Holders)

When you sign up for HaloHelm or use the admin dashboard, we collect:

  • Account details: name, email address, password (stored hashed by Firebase Authentication; we never see it in plain text), phone number (optional).
  • Restaurant details: restaurant name, subdomain, address, city, GSTIN, FSSAI number, UPI ID, business logo, opening hours.
  • Menu and operational data: menu items, prices, descriptions, photos, categories, combos, offers, coupons, staff roster, table layout.
  • Order and bill data: incoming orders, payment status, customer-provided notes, totals, refunds.
  • Payment-gateway configuration: if you connect a payment gateway (Razorpay / Paytm / PhonePe), we store the merchant credentials you paste, in a private Firestore collection restricted to your account only. We never store credit-card or bank-account numbers.
  • Login activity: sign-in timestamps, IP address, device/browser type. Used for fraud prevention and account security.
  • Communications: emails you send to hello@halohelm.com, support requests, feedback.

2.2 From Restaurant Customers (Diners)

When a diner scans your restaurant’s QR code and uses the customer-facing menu, we process the following on your behalf:

  • Anonymous session data: table number scanned, cart contents, language preference, dark/light mode preference. Stored in the browser’s sessionStorage and localStorage — not on our servers.
  • Order data: items ordered, special instructions, total amount, payment method selected, payment status.
  • Optional contact information: name and phone number, only if the diner enters them for takeaway orders or payment confirmation. Diners can choose not to provide these.
  • Optional feedback: star rating and comments after an order, if the diner chooses to leave them.
  • Technical data: approximate location (city only, derived from IP address), device type, browser, time of visit — used for performance monitoring and analytics.

We do not collect diners’ bank-account, debit-card, or credit-card numbers. All payment processing is handled directly by the payment gateway (Razorpay / Paytm / PhonePe / direct UPI app) chosen by the restaurant or the diner. HaloHelm never sees or stores payment instrument data.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide the HaloHelm service — authenticate your sign-in, display your menu to your diners, accept and route their orders, generate bills, send daily summary emails.
  • To process payments — when a diner pays online, we pass the necessary data (amount, order reference) to your chosen payment gateway. We confirm successful payments via the gateway’s webhook and mark the order as paid.
  • To improve and maintain the platform — debug errors, monitor performance, plan new features based on aggregate usage patterns.
  • To communicate with you — send transactional emails (sign-up confirmation, password reset, payment receipts, daily summaries), respond to support requests, notify you about important changes to the service.
  • To protect against fraud and abuse — detect suspicious sign-in patterns, prevent unauthorised access, enforce our Terms of Service.
  • To comply with the law — respond to lawful requests from Indian government authorities, retain financial records as required under the Income Tax Act, GST law, and other applicable regulations.

We do not sell your personal data to advertisers or use it for marketing unrelated to the HaloHelm service.

4. Who We Share Your Information With

HaloHelm is built on top of trusted third-party services. We share the minimum data necessary for these services to function:

Google Firebase (operated by Google LLC) — authentication, database (Firestore), file storage, hosting infrastructure. Stores all account data, menu data, and order data. Located in Firebase’s asia-south1 (Mumbai) region.

Vercel Inc. — web hosting, edge network, build pipeline. Receives anonymised request logs.

Razorpay Software Pvt Ltd, Paytm Payments Bank Ltd / One97 Communications Ltd, PhonePe Pvt Ltd — payment processing, when a restaurant connects one of these gateways. The restaurant’s diners interact directly with these providers for the payment step.

Petpooja (Wow Labz Technologies Pvt Ltd) — POS integration, when a restaurant chooses to connect Petpooja. Order data is pushed to their system on the restaurant’s instruction.

Google LLC (Gmail SMTP) — delivers our transactional and daily-summary emails. Email addresses and email contents pass through Google’s mail servers.

We may also disclose your information:

  • To comply with a legal obligation — court order, valid government request under the IT Act, GST/Income-Tax demand, or a directive issued under the DPDP Act.
  • To protect our rights or property — if we reasonably believe disclosure is necessary to prevent fraud, abuse, or harm to HaloHelm, our users, or the public.
  • In the event of a business transfer — if HaloHelm is sold, merged, or acquired, your information may be transferred to the successor entity. We will notify you in advance and you will retain the rights described in Section 7.

We do not share your personal data with advertisers, data brokers, or any third party for marketing purposes.

5. Where Your Data Is Stored

Your data is stored in Google Firebase Firestore in the asia-south1 (Mumbai) region. This means your data physically resides in India and is subject to Indian data-protection laws. We rely on Google’s industry-standard security practices, including encryption at rest and encryption in transit (TLS 1.2 or higher).

Backups, request logs, and operational telemetry may be processed by Google Firebase and Vercel in other regions (such as the United States or European Union) as part of their respective global service infrastructure. By using HaloHelm you consent to this limited cross-border processing.

6. How Long We Keep Your Data

  • Restaurant accounts: for as long as your account is active, plus up to 90 days after deletion for backup recovery and dispute resolution.
  • Order and bill records: for a minimum of 8 years from the date of the transaction, to comply with the Income Tax Act, 1961 (Rule 6F) and the GST Act, 2017.
  • Diner contact information: retained for 90 days after the order is paid and closed, then anonymised. Order data itself remains in the restaurant’s account for the retention period above.
  • Sign-in logs: 12 months, then deleted.
  • Support emails: 24 months from the last reply.

You may request deletion of your data earlier than these periods (see Section 7) — we will comply except where retention is required by law.

7. Your Rights Under the DPDP Act, 2023

India’s Digital Personal Data Protection Act, 2023 gives you the following rights over your personal data held by HaloHelm:

  • Right to access — request a summary of personal data we hold about you.
  • Right to correction — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete personal data we no longer need (subject to legal retention requirements above).
  • Right to grievance redressal — raise a complaint about how we handle your data.
  • Right to nominate — nominate another person to exercise these rights on your behalf in the event of your death or incapacity.
  • Right to withdraw consent — withdraw consent for any processing based on consent at any time. Withdrawal does not affect the lawfulness of past processing.

To exercise any of these rights, email hello@halohelm.com with the subject line “DPDP Request” and include enough information for us to verify your identity. We aim to respond within 30 days.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

8. Cookies and Local Storage

HaloHelm uses minimal client-side storage:

  • sessionStorage — remembers your cart, the table you scanned, and the current bill while your browser tab is open. Cleared when you close the tab.
  • localStorage — remembers your dark/light mode preference, your last-used UPI app (for the customer payment picker), and similar UI settings. Persists across visits.
  • Firebase Authentication cookies — keeps you signed in to the admin dashboard. Cleared when you sign out.

We do not use third-party tracking cookies, advertising pixels, or cross-site analytics tools like Google Analytics or Facebook Pixel. We do not build profiles of you for advertising purposes.

You can clear all HaloHelm-related cookies and storage from your browser settings at any time. Doing so will sign you out and reset your preferences.

9. How We Protect Your Data

  • Encryption in transit: all traffic to halohelm.com is served over HTTPS (TLS 1.2 or higher).
  • Encryption at rest: Firestore encrypts all stored data using AES-256 by default.
  • Access control: Firestore security rules restrict access so that one restaurant’s data cannot be read or modified by another restaurant’s account.
  • Password security: passwords are hashed by Firebase Authentication using scrypt. We never see or store plain-text passwords.
  • Payment-gateway credentials: stored in a private Firestore subcollection only accessible by the restaurant’s admin account.
  • Webhook verification: payment-gateway webhooks are cryptographically verified (HMAC-SHA256 or provider-specific checksums) before being acted on, preventing forged “paid” notifications.

No system is perfectly secure. While we apply industry-standard practices, we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to result in significant harm to you, we will notify you and the Data Protection Board of India as required by the DPDP Act.

10. Children’s Privacy

HaloHelm is intended for use by businesses and adult diners. We do not knowingly collect personal data from children under 18 years of age. If you are under 18, do not create an account or submit your personal information through HaloHelm. If we learn that we have collected personal data from a child under 18 without parental consent, we will delete it promptly.

11. International Users

HaloHelm is designed for restaurants operating in India and their diners. If you access HaloHelm from outside India, please be aware that your data will be transferred to and stored in India, which may have data-protection laws different from those of your country.

If you are an EU/UK resident accessing a HaloHelm-hosted menu page as a diner, the order data you submit is processed by HaloHelm on behalf of the restaurant. The restaurant is the data controller for that data; HaloHelm acts as the data processor. You may exercise your GDPR / UK GDPR rights by contacting the restaurant directly or by writing to us at hello@halohelm.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our service, applicable law, or data-handling practices. When we make a material change, we will:

  • Update the “Last updated” date at the top of this page.
  • Email registered restaurant accounts at least 14 days before the change takes effect.
  • Post a banner on the admin dashboard so account holders see the notice on their next sign-in.

Your continued use of HaloHelm after the change date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related question, request, or complaint, please contact our grievance officer:

Grievance Officer: Prabu Sekar
Email: hello@halohelm.com
Postal address: Prabu Sekar (HaloHelm), No. 17, Shanthi House, S.M.V. Puram East, Villianur, Puducherry — 605110, India

We will acknowledge receipt within 3 working days and respond substantively within 30 days.
