Privacy Policy
Last updated: March 8, 2026
This policy is prepared in accordance with Articles 8 and 9 of the Personal Data Protection Act
In accordance with Article 8 of the Personal Data Protection Act, OrderEase (hereinafter "the Company") hereby notifies you of the following matters before collecting your personal data: Collecting entity: OrderEase system / Specific purposes: 040 (Marketing), 063 (Collection, processing, and use of personal data by non-government agencies in accordance with statutory obligations), 090 (Consumer and customer management and services), 152 (Business and technical information) / Categories of personal data: identification data, contact information, financial data (subscription payments only), and transaction records.
1. About the Company
OrderEase is a SaaS platform that provides restaurant merchants with QR code ordering services, with servers deployed in Tokyo, Japan. The Company is a "non-government agency" as defined by the Personal Data Protection Act and is obligated to protect all personal data collected.
2. Categories and Purposes of Personal Data Collected
Merchants (Restaurant Operators)
| Data Item | Purpose of Collection |
|---|---|
| Email address | Account identification, login authentication, system notifications |
| Name | Account display, service identification |
| Store name and address | Service setup, customer-facing display |
| Password (bcrypt hashed) | Account security; plaintext is never stored |
| Subscription payment records | Service fee calculation, invoice issuance |
| Operation logs (IP, timestamp) | Security audit, troubleshooting |
Customers (Consumers)
| Data Item | Purpose of Collection |
|---|---|
| Name (optional) | Order identification, order calling |
| Mobile number (required for takeout) | Contact confirmation for takeout/delivery orders |
| Order contents and amount | Order processing, kitchen display, statistical analysis |
| E-invoice carrier (optional) | Taiwan e-invoice issuance (retained for 7 years per tax law) |
| IP address and browser information | Security protection, service quality analysis |
*Customer personal data is managed by the respective restaurant merchant as the data controller; OrderEase acts as the data processor. To exercise your data rights as a customer, please contact the relevant restaurant directly.
3. Duration, Jurisdiction, and Recipients of Data Use
| Item | Details |
|---|---|
| Duration | For the duration of the account; after account closure, necessary data is retained as required by law (subscription payment records up to 7 years) |
| Jurisdiction | Taiwan, as well as the countries where third parties used by this service are located (Cloudinary – United States, ECPay – Taiwan, LINE Pay – Japan) |
| Recipients | Authorized personnel of the Company, third parties commissioned by the Company to provide services (see Section 4), and competent authorities entitled to inquire by law |
The servers for this service are located in Tokyo, Japan, and your personal data will be transferred cross-border to Japan for storage. Japan has data protection laws (Act on the Protection of Personal Information) comparable to Taiwan's standards, and the Company implements corresponding safeguards accordingly.
4. Third-Party Services and Outsourced Processing
Cloudinary (Image Storage)
Country: United States
Purpose: Menu images uploaded by merchants
ECPay (Payment Processing)
Country: Taiwan
Purpose: Merchant subscription billing and e-invoice issuance
LINE Pay (Payment Option)
Country: Japan
Purpose: Customer order payments (optional, at merchant's discretion)
The Company requires the above third parties to process personal data in accordance with the Company's instructions, and they are bound by confidentiality agreements or equivalent protections under the laws of their jurisdictions. The Company will not sell your personal data to any third party for commercial purposes.
5. Cookies and Local Storage
This service uses the following technologies to store data on your device:
| Type | Contents | Can Disable |
|---|---|---|
| Essential Cookies | JWT login token (httpOnly), language preference | No (login will be unavailable if disabled) |
| Functional LocalStorage | Shopping cart contents, customer preferences | Yes (clear browser data) |
| Session SessionStorage | Table QR code validation data (cleared when page closes) | Cleared automatically |
6. Data Security Measures
- All data transmissions are encrypted with HTTPS/TLS to prevent man-in-the-middle attacks.
- Passwords are hashed using bcrypt (cost factor 12); plaintext is never stored in the database.
- Payment keys are encrypted with AES-256-GCM before storage.
- JWT tokens are stored in httpOnly cookies to prevent XSS theft.
- Login attempts are protected by rate limiting to prevent brute-force attacks.
- Database access follows the principle of least privilege; employees do not have direct access to the production database.
- Regular security reviews are conducted and OWASP Top 10 protections are enforced.
7. Data Retention Periods
| Data Type | Retention Period | Basis |
|---|---|---|
| Merchant account data | For the duration of the account; deleted 30 days after closure | Business necessity |
| Subscription payment records | Up to 7 years | Business Accounting Act, Tax Collection Act |
| E-invoice data | Up to 7 years | Regulations Governing the Use of Uniform Invoices |
| Customer order data | For the duration of the merchant's account | Service provision necessity |
| System logs | 90 days | Security audit requirements |
8. Your Data Rights
Pursuant to Article 3 of the Personal Data Protection Act, you have the following rights regarding the personal data held by the Company:
- Inquiry or Review: Review the personal data we hold about you
- Request a Copy: Obtain an electronic or physical copy of your personal data
- Supplement or Correction: Correct inaccurate or incomplete personal data
- Cease Collection, Processing, or Use: Request cessation of use beyond the specified purposes
- Deletion: Request deletion of personal data outside the legally required retention period
To exercise the rights above, please submit a written request via the contact information below. The Company will respond within 15 business days. Pursuant to Article 14 of the Personal Data Protection Act, the Company may charge reasonable fees for exercising these rights where costs are incurred.
9. Consequences of Not Providing Personal Data
Pursuant to Article 8, Paragraph 2 of the Personal Data Protection Act, we inform you of the consequences of not providing personal data:
- Merchants: Without an email address or password, you cannot create an account or use this service.
- Customers: Without a mobile number, you cannot place takeout or delivery orders (dine-in QR code ordering is not affected).
- Customers: Without an e-invoice carrier, a standard two-copy uniform invoice will be issued instead; ordering functionality is not affected.
10. Children's Privacy Protection
The merchant backend of this service is intended solely for adults aged 18 or older. The Company does not knowingly collect personal data from children under 13. If you become aware that such data has been collected inadvertently, please contact us immediately, and the Company will delete it promptly.
11. Policy Amendments
The Company reserves the right to amend this policy. In the event of material changes, merchants will be notified by email or through a prominent in-service notice at least 30 days prior to the effective date. Material changes affecting customers will be posted on the relevant pages. Continued use of the service constitutes acceptance of the amended policy.
12. Contact and Complaints
Data Protection Officer Contact Information
Email: support@orderease.com.tw
Service hours: Monday to Friday, 09:00–18:00 (Taiwan time, excluding public holidays)
You may also file a complaint with the Personal Data Protection Commission (forthcoming) or the Ministry of Justice. The competent authorities at this time are the relevant industry regulators.