Legal

Privacy Policy

Effective: 1 January 2025 · Last updated: 19 May 2026

1. Who we are

XFlash ("we", "us", "our") is a holding company that operates vertical SaaS products including SmartRestro. Our registered contact email is [email protected].

2. What we collect

We collect only what's necessary to run our products:

  • Account data: name, email, phone, password (bcrypt-hashed).
  • Business data: restaurant name, menu, orders, customer phone numbers (your customers' data, processed on your behalf).
  • Technical data: IP address, browser, device type, pages visited, captured in standard server logs.
  • Communications: support tickets, emails to us, WhatsApp conversations.

3. How we use it

  • Provide the services you signed up for
  • Send transactional emails (receipts, password reset, billing reminders)
  • Customer support and troubleshooting
  • Improve product (aggregated, never identifying individual users)
  • Comply with legal requests (tax authorities, court orders)

We do NOT sell your data. We do NOT share it with advertisers. We do NOT use it to train AI models.

4. Who we share data with

Strictly limited:

  • MongoDB Atlas — our database provider. Data is encrypted at rest.
  • Resend — sends our transactional emails.
  • UltraMsg — sends WhatsApp messages on your behalf if you enable that feature.
  • Stripe — processes international card payments (where applicable).
  • Hostinger — our VPS provider.

Each is a contracted data processor under standard data-processing agreements.

5. Data retention

Account data is kept while your subscription is active and for 90 days after cancellation (so you can reactivate). Then it's permanently deleted. Order history is kept for 7 years to comply with tax record-keeping requirements.

You can request earlier deletion by emailing [email protected]. We process erasure requests within 30 days.

6. Your rights

You have the right to:

  • Access your data (export available in the dashboard)
  • Correct inaccurate data
  • Delete your account and associated data
  • Object to specific processing
  • Lodge a complaint with a regulator

Email [email protected] to exercise any of these.

7. Cookies

We use essential cookies for login session + CSRF protection only. No third-party tracking, no analytics cookies, no advertising cookies. You don't need to consent because no non-essential cookies are set.

8. Children

Our products are not directed at children under 13. If you become aware that a child has registered, contact us and we'll delete the account.

9. Regional compliance

EU (GDPR): we comply with GDPR principles. The lawful basis for processing is contract performance + legitimate interest.

California (CCPA): California residents have the right to know, delete, and opt out. We don't sell data, so opt-out is automatic.

Pakistan (PDPB): we follow draft PDPB principles. Once enacted, we'll publish a Pakistan-specific addendum.

10. Breaches

If we discover a data breach affecting your data, we'll notify you by email within 72 hours, describe the scope, and tell you what we're doing about it.

11. Changes

We'll update this policy when our practices change. Material changes are emailed to active users 30 days before they take effect.

12. Contact

Questions, complaints, or data requests: [email protected] or +92 322 9040368.