Privacy Policy

Effective Date: January 1, 2026

Also see: Terms of Service · Data Deletion

This Privacy Policy describes how Tula Web Design LLC ("we," "our," or "us"), operating the TogoPlato restaurant ordering platform (togoplato.com), collects, uses, and protects your personal information. By using TogoPlato — whether as a restaurant owner, staff member, or customer — you agree to the practices described here.

1. Who This Policy Applies To

This policy applies to all users of the TogoPlato platform, including:

  • Restaurant owners and staff who create and manage a restaurant account.
  • Customers who browse menus, place orders, or create a customer account on any restaurant subdomain powered by TogoPlato.
  • Visitors who browse togoplato.com without creating an account.

2. Information We Collect

Account information
  • Name and email address (used to create and manage your account).
  • Password (stored as a one-way hash — we never store your plain-text password).
  • Restaurant details provided during onboarding: business name, address, cuisine type, logo, and contact information.

Order information
  • Items ordered, quantity, special instructions, and order totals.
  • Pickup or delivery preferences and scheduled order times.
  • Order history associated with your customer account.

Payment information
  • Payments are processed securely by Stripe. We do not store full credit card numbers on our servers.
  • For restaurant owners using Stripe Connect, we collect and transmit the information required by Stripe to set up a connected merchant account.

Point-of-sale (POS) integration data
  • If you connect a POS provider (Square, Toast, or Clover), we receive menu items, categories, modifiers, and sales data from that provider to sync with your TogoPlato menu.
  • OAuth access tokens for POS providers are stored encrypted and are used only to sync and manage your menu.

Usage and technical data
  • IP address, browser type, and device information collected automatically when you use the platform.
  • Pages visited, actions taken, and session duration — used to improve the platform experience.
  • Cookies and session data (see Section 7).

3. How We Use Your Information

  • To operate the platform and fulfill the services you request (order processing, menu management, payments).
  • To authenticate your identity and secure your account.
  • To send transactional communications: order confirmations, order status updates, and receipts.
  • To send service-related announcements: billing alerts, platform updates, or security notices.
  • To send marketing communications only if you have explicitly opted in — you can unsubscribe at any time.
  • To generate aggregated, anonymized usage statistics that help us improve the platform.
  • To comply with applicable law and respond to lawful requests from authorities.

4. How We Share Your Information

We do not sell your personal data. We share information only as described below:

  • Stripe — to process payments and manage merchant accounts. Stripe's own Privacy Policy governs its use of your data.
  • POS providers (Square, Toast, Clover) — only the data required to perform the menu sync you initiated. These providers operate under their own privacy policies.
  • Email service providers — we use a transactional email provider (e.g., Amazon SES) to deliver order confirmations and notifications. These providers do not use your data for any other purpose.
  • Hosting and infrastructure providers — servers and cloud services that host the platform. These providers act as data processors under our instructions.
  • Legal compliance — when required by law, court order, or to protect the rights, property, or safety of TogoPlato, its users, or the public.
  • Business transfers — if TogoPlato or Tula Web Design LLC is acquired or merged, your data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

5. Restaurant Owner Data Responsibilities

Restaurant owners who use TogoPlato to collect customer orders act as independent data controllers for the order data their customers generate on their subdomain. Owners are responsible for:

  • Maintaining their own privacy disclosures for their customers.
  • Not using customer order data for purposes outside of order fulfillment and their own restaurant communications.
  • Complying with applicable laws regarding customer data in their jurisdiction.

6. Data Retention

  • Account data is retained for as long as your account exists. If you delete your account, your personal data is removed within 30 days except where we are legally required to retain it (e.g., financial records for tax purposes, typically 7 years).
  • Order records may be retained in anonymized form for analytics and fraud prevention after your account is deleted.
  • POS OAuth tokens are deleted immediately when you disconnect a POS provider or delete your account.

7. Cookies and Session Data

  • Session cookies — required for login and cart functionality. These are host-scoped per restaurant subdomain.
  • CSRF tokens — required to protect form submissions from cross-site request forgery.
  • We do not use third-party advertising or tracking cookies.
  • Embedded third-party components (e.g., Square payment iframe) may set their own cookies subject to their privacy policies.

8. Email Practices

  • All transactional emails (order confirmations, account notifications) are sent from verified TogoPlato domains.
  • Marketing emails are only sent to users who have explicitly opted in.
  • Every marketing email includes a one-click unsubscribe link.
  • We manage bounces and spam complaints in accordance with industry best practices.

9. Data Security

  • All data is transmitted over HTTPS (TLS 1.2+).
  • Passwords are stored using a strong one-way hashing algorithm (PBKDF2 with SHA-256).
  • POS OAuth tokens are stored with encryption at rest.
  • Access to production data is restricted to authorized personnel only.
  • We regularly review and update our security practices. However, no system can be guaranteed 100% secure. If you suspect unauthorized access to your account, contact us immediately.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate or incomplete information via your account settings or by contacting us.
  • Deletion — request deletion of your personal data. See our Data Deletion page for details.
  • Portability — request a machine-readable export of your data.
  • Opt-out of marketing — unsubscribe at any time using the link in any marketing email or by contacting support.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@togoplato.com.

11. Children's Privacy

TogoPlato is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

12. Third-Party Links

Restaurant subdomains may contain links to restaurant websites or social media pages. We are not responsible for the privacy practices of those third-party sites and encourage you to review their policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page. If we make material changes, we will notify registered account holders by email at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, requests, or concerns, please contact us:

Tula Web Design LLC
Operating TogoPlato
Email: privacy@togoplato.com
Website: togoplato.com

For the full Terms governing your use of the platform, see our Terms of Service. To request deletion of your data, see our Data Deletion page.