Privacy Policy
Last updated: April 30, 2026
Data Controller
Masarap Cafe (“we”, “us”) is the controller of personal data collected through this site, our mobile apps, and our restaurant operations. For privacy questions or to exercise the rights described below, contact our Data Protection Officer at dpo@masarapcafe.com. EU/UK customers may also contact us regarding GDPR matters at the same address.
Information We Collect
When you place an order or create an account with Masarap Cafe, we collect information such as your name, email address, phone number, and shipping address. Payment information is processed securely by Stripe and Square and is never stored on our servers.
Lawful Basis for Processing (GDPR Article 6)
- Contract performance — order processing, fulfillment, account management, customer support.
- Legal obligation — tax, accounting, anti-fraud, and food-safety record-keeping.
- Legitimate interests — fraud prevention, security monitoring, service improvement, aggregate analytics. Balanced against your privacy interests and disclosed here so you can object at any time.
- Consent — marketing emails / SMS, optional analytics & advertising cookies. Consent is opt-in and can be withdrawn at any time without affecting non-marketing services.
How We Use Your Information
We use your information to process orders, communicate order updates, prevent fraud, and improve our services. With your consent, we may send promotional communications about new menu items and sauce products.
Retention
- Account data — kept until you request deletion. After deletion we retain a soft-deleted, anonymized record where required for fraud, dispute, or tax purposes.
- Orders & receipts — 7 years (US tax / accounting law).
- Audit logs — 2 years.
- Sent transactional emails — 7 days in our outbox; deleted thereafter.
- Webhook event records — 90 days.
- Refresh-token sessions — 7 days; logout terminates immediately.
Sub-processors & International Transfers
We rely on the following service providers to operate the platform. These vendors process limited personal data on our behalf under written data-processing agreements (DPAs). All transfers to the United States are made under the EU-U.S. Data Privacy Framework where the vendor is certified, and otherwise under the European Commission’s Standard Contractual Clauses (2021/914) with supplementary technical measures (encryption in transit and at rest, pseudonymization where feasible).
- Render (US, Oregon) — application hosting.
- MongoDB Atlas (US) — primary data store.
- Upstash / Render Redis (US) — session and cache layer.
- Stripe (US, global) — payment processing for sauce orders. DPF-certified.
- Square (US) — payment processing for food orders / KDS.
- EasyPost (US) — shipping label generation.
- Cloudinary (US, global CDN) — product images. DPF-certified.
- Resend (US) — transactional email delivery. DPF-certified.
- Sentry (US) — error monitoring with PII redaction enabled.
- Google (US) — Sign-In, optional analytics (consent-gated).
- Apple (US) — Sign-In.
- Vercel (US) — frontend hosting / CDN.
A current sub-processor list is maintained at /legal/sub-processors and updated whenever a vendor is added or removed.
Data Protection
We implement industry-standard security measures to protect your personal information. All data is encrypted in transit (TLS 1.2+) and at rest. Sensitive fields (passwords, two-factor secrets) are hashed or encrypted; refresh-token sessions support reuse detection so a stolen credential is invalidated as soon as the legitimate user signs in. We do not sell or share your personal information with third parties for marketing purposes.
Cookies & Tracking
We use strictly necessary cookies to keep you signed in and to remember your cart. With your consent, we also use Google Tag Manager / Google Analytics to measure how visitors use the site so we can improve it. You can accept, reject, or customize these categories at any time using the “Cookie Settings” link in the footer. For a full list of cookies and trackers, see our Cookie Policy. You may withdraw consent at any time without affecting the functionality of the site. We honor the Global Privacy Control (GPC) signal and Do-Not-Track headers as opt-outs of non-essential tracking.
Payment Card Data
Card details are collected and processed directly by our PCI-compliant payment providers — Square (food orders) and Stripe (sauce orders). Masarap Cafe never sees, transmits, or stores full card numbers, CVVs, or expiration dates on its own servers.
Children’s Privacy
Our services are not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. Account creation requires a self-attestation of age. If you believe a child under 13 has provided us with personal information, please contact us at dpo@masarapcafe.com and we will delete it promptly.
Your Rights
Depending on your jurisdiction (GDPR for EU/UK, CCPA/CPRA for California, similar laws elsewhere) you have the right to:
- Access the personal data we hold about you.
- Receive a portable copy of that data.
- Request correction of inaccurate data.
- Request deletion (“right to be forgotten”), subject to legal retention obligations.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent at any time, where consent was the lawful basis.
- Lodge a complaint with your local supervisory authority (e.g. ICO, CNIL, the California Privacy Protection Agency).
Account holders can self-serve data export and deletion from Account Settings or by contacting dpo@masarapcafe.com. We respond to verifiable requests within 30 days (45 days for CCPA, extendable once).
Contact Us
If you have questions about this Privacy Policy, please contact our DPO at dpo@masarapcafe.com or general support at hello@masarapcafe.com.