Privacy & Cookie Notice


Last Updated: April 11, 2026
Policy Version: 2026-04-11

This notice explains how Madras Bistro and the current ShopHost example app handle personal data when you browse the site, create an account, place an order, request a reservation, or use authenticated storefront and admin features.

1. Controller Details

The data controller for the customer-facing website and the example deployment is:

MADRAS HOSPITALITY GROUP SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ

Tax ID / NIP: 6793219296
Plac Bohaterów Getta 2
30-547 Kraków, Poland
Email: contact@madrasbistro.pl
Phone: +48 500 193 738

2. What This Notice Covers

This notice covers:

  • Public website pages, localized content, and navigation preferences.
  • Customer accounts, sign-in, password reset, and optional Google social sign-in.
  • Online orders, delivery and invoice addresses, payment setup, and order status messages.
  • Reservation requests, reservation status updates, and related service communications.
  • Authenticated storefront and admin tools used by restaurant staff or collaborators.

3. Personal Data We Collect

Account and identity data
First name, last name, email address, password-based or social sign-in details, profile image if used, organization membership, and authentication/session data.

Order and fulfilment data
Ordered items, prices, fulfilment method, shipping method, delivery address, order timestamps and status, customer email, and related operational metadata.

Reservation data
First name, last name, phone number, reservation date and time, guest count, reservation status, and cancellation or update messages.

Payment and billing data
Payment method, provider, transaction or checkout reference identifiers, amounts, currency, invoice details, and business tax information when an invoice is requested. Full card details are processed by the payment provider and are not stored in our database.

Device, session, and preference data
Session cookies, IP address and user agent linked to sessions or operational logs, language preference, cookie-banner state, cart contents, and checkout draft data stored on your device.

Address lookup and uploaded media
If address autocomplete is used, address queries and place identifiers are sent to Google Places. If admin uploads are used, uploaded file metadata and URLs are processed for storage and delivery.

4. Why We Use Data and the Legal Bases

We use personal data for the following purposes:

Provide the website, customer accounts, checkout, order tracking, and reservations
We use account details, session data, cart state, order data, reservation details, contact details, and address data.
The legal basis is performance of a contract or steps taken at your request before entering into a contract.

Process payments, invoices, refunds, and bookkeeping
We use payment references, invoice details, tax data, order totals, and accounting records.
The legal basis is performance of a contract and compliance with legal obligations.

Send transactional messages such as password resets, order confirmations, and reservation updates
We use email address, order or reservation references, account data, and operational message history.
The legal basis is performance of a contract and our legitimate interests in running the service reliably.

Protect the service, authenticate users, prevent abuse, and troubleshoot incidents
We use session data, IP and user-agent data, organization membership, and operational logs.
The legal basis is our legitimate interests in security, fraud prevention, and service continuity, plus legal obligations where applicable.

Remember language, cart, and checkout state on your device
We use the locale cookie, browser storage for cart data, checkout drafts, and banner state.
The legal basis is our legitimate interests in providing requested functionality and preserving your chosen settings.

Measure traffic and improve the site when analytics is enabled
We use analytics identifiers, page views, device/browser data, and traffic-source information.
The legal basis is consent where analytics cookies or similar tracking require it.

5. Processors, Service Providers, and Other Recipients

Depending on the features enabled for this deployment and organization, personal data may be processed by the following recipients:

Stripe
Stripe processes online payments and returns payment-session or transaction reference data.
It is used when card, BLIK, or Stripe-based payment methods are enabled.

Resend
Resend delivers transactional emails such as password resets, order confirmations, and reservation notices.
It is used when transactional email sending is configured.

Google Analytics
Google Analytics provides aggregated traffic measurement and reporting.
It is used when NEXT_PUBLIC_GA_ID is configured for the deployment.

Google Places
Google Places provides address autocomplete and place details for shipping or invoice addresses.
It is used when address lookup is used in shipping or invoice flows.

Google Sign-In
Google Sign-In lets users authenticate with a Google account and share profile basics such as first and last name.
It is used when Google social sign-in is enabled and you choose to use it.

Vercel Blob
Vercel Blob stores uploaded image or file assets used in the admin/catalog experience.
It is used when staff or collaborators upload media through the admin area.

Professional advisers, payment institutions, and public authorities
These recipients may support legal compliance, disputes, audits, chargebacks, and mandatory disclosures.
They are involved only when required for compliance, claims, or regulatory reasons.

Authentication and session management in this example app are handled inside the ShopHost application using Better Auth and the primary application database. Better Auth is application software in our stack rather than a separate hosted processor.

6. Cookies and Similar Browser Storage

We use cookies and similar browser storage technologies, including localStorage, to keep the site working, remember language choices, preserve cart state, and, if enabled, measure usage.

The current example app uses the following cookies and browser storage:

NEXT_LOCALE cookie
Category: Necessary / preference
Purpose: Remembers your preferred language across the website, account, checkout, and admin flows.
Retention: 12 months.

Authentication and session cookies
Category: Strictly necessary
Purpose: Keep signed-in customer and admin sessions working.
Retention: Until logout or session expiry configured by the authentication system.

cookiesAccepted localStorage key
Category: Preference notice state
Purpose: Remembers whether the current cookie banner has already been accepted or dismissed.
Retention: Until you clear browser storage.

shophost-cart localStorage key
Category: Necessary for requested feature
Purpose: Stores cart contents on your device so checkout can continue later.
Retention: Until checkout is completed, the cart is replaced, or browser storage is cleared.

shophost-checkout localStorage key
Category: Necessary for requested feature / convenience
Purpose: Stores checkout draft data, including invoice details if entered, on your device.
Retention: Until checkout is completed, the draft is replaced, or browser storage is cleared.

Google Analytics cookies
Category: Analytics
Purpose: Measure visits, pages, devices, and traffic sources when analytics is enabled.
Retention: Until provider-configured expiry or manual deletion.

You can manage cookies and browser storage through your browser settings. Blocking necessary cookies or clearing browser storage may affect sign-in, cart, checkout, and language-preference features.

The example app does not currently use advertising cookies and does not sell personal data.

7. International Transfers

Some providers listed above may process data outside Poland or the EEA, including in the United States.

Where cross-border transfers occur, we rely on contractual and statutory safeguards offered by the relevant provider, such as standard contractual clauses, adequacy decisions, or equivalent protections available for the service.

We aim to send only the minimum data needed for the specific feature being used, such as payment processing, address lookup, analytics, or email delivery.

8. How Long We Keep Data

We apply the following retention rules to the current example app unless a longer period is required by law, a dispute, or a regulatory request:

Account and membership data
Kept while the account remains active and afterward only as needed for security, backups, dispute handling, or legal compliance.

Orders, invoices, and payment records
Kept for the current tax/accounting period and then for 5 additional years where required for tax, accounting, or audit purposes.

Reservations
Kept for the booking lifecycle and normally for up to 12 months after the scheduled reservation date unless a longer retention period is needed for complaints, claims, or compliance.

Authentication sessions and operational security data
Kept for the life of the session and for a limited operational period afterward to detect abuse, investigate incidents, or restore service continuity.

Support and privacy-request correspondence
Kept for as long as the request remains active and then for up to 3 years to document follow-up and compliance handling.

Analytics data
Kept according to the configured Google Analytics retention settings when analytics is enabled.

Browser-side cart, checkout, and preference storage
Remains on your device until checkout is completed, data is overwritten, or you clear browser storage manually.

9. Your Rights

Under the GDPR and applicable local law, you may have the right to:

  • Request access to the personal data we hold about you.
  • Correct inaccurate or incomplete personal data.
  • Request deletion of personal data where no overriding retention duty applies.
  • Restrict or object to certain processing activities.
  • Receive personal data in a portable format where the right applies.
  • Withdraw consent at any time for consent-based processing, such as analytics where applicable.
  • Lodge a complaint with the Polish supervisory authority, Urząd Ochrony Danych Osobowych, or UODO.

10. How to Exercise Your Rights

To submit a privacy request, please contact us using the details above and include enough information for us to understand the request and locate the relevant records.

You can:

  • Email us at contact@madrasbistro.pl with a subject such as “Privacy Request” or “GDPR Request”.
  • Tell us which right you want to exercise and what account, order, or reservation the request concerns.
  • Provide reasonable proof of identity if we ask for it before disclosing, exporting, changing, or deleting data.

If you believe our response does not resolve the issue, you may also contact UODO, the Polish data protection authority.

11. Security

We use technical and organizational safeguards such as authentication controls, role-based access, and protected communication channels where available.

Even so, no internet service can guarantee absolute security, so please avoid sharing unnecessary personal data and keep your account credentials confidential.

12. Automated Decisions

We do not currently use fully automated decision-making that produces legal or similarly significant effects for customers in this example app. Third-party payment or identity providers may perform their own security or fraud checks under their own notices.

13. Children’s Privacy

This example app is not directed to children under 16, and we do not knowingly seek to collect personal data from children through the service.

14. Changes to This Notice

We may update this notice as the ShopHost example app changes. When we do, we will publish an updated version number and effective date on this page.