Privacy Policy
This Privacy Policy explains what information OrderNotebook collects, how we use it, and the choices you have. By using OrderNotebook, you agree to the practices described here.
1. Who we are
OrderNotebook is an order-management application for individual shop owners. In this policy, "we", "us", and "our" refer to the OrderNotebook team. "You" refers to the registered shop owner using the app.
2. What we collect
- Account information — your email address and a securely hashed version of your password. We never store your password in plain text.
- Business data you enter — products (name, price, image), customers (name, phone numbers, address, notes), orders (line items, totals, status, delivery address, notes), and your store profile (name, mobile, address, opening hours, logo).
- Images — product photos and your store logo, uploaded directly to our private object storage. Images are stored with private access and only ever served to you through short-lived, signed URLs that expire after one hour.
- Technical data — request timestamps, error traces, and authentication-token activity, used only to keep the service running and secure. Personal data (phone numbers, customer notes, addresses) is never written to server logs.
3. What we do not collect
- We do not collect your customers' email addresses.
- We do not track your location.
- We do not collect contacts, photos, or files outside the ones you explicitly upload.
- We do not use third-party advertising or analytics SDKs that profile you.
4. How we use your data
- To provide the service: storing your products, customers, orders, and store profile so they're available across your devices.
- To authenticate you: short-lived access tokens (60 minutes) and refresh tokens (30 days) keep your sign-in secure.
- To compute reports — sales totals, top products, outstanding payments — for you and only you.
- To diagnose problems: limited technical logs, with personal data redacted.
We do not sell your data. We do not share it with advertisers. We do not use your business data to train AI models.
5. Who can see your data
Only you. Every API endpoint is scoped to the authenticated shop owner — your products, customers, and orders are invisible to other accounts. A small number of authorised engineers may access infrastructure for security and reliability work; they do not access individual account data except where required to investigate a specific reported issue.
6. Your customers' personal data
You are the controller of the customer information you enter into OrderNotebook. We act as a processor on your behalf. You are responsible for collecting that information lawfully and for honouring any requests your customers make about their own data. If a customer asks you to remove their record, use the Delete customer action — the record is hidden from the app immediately.
7. Retention and deletion
- Soft delete — when you delete a product, customer, or order, it's hidden from the app immediately but kept in the database for a short recovery window.
- Account deletion — calling Delete my account revokes all your active sessions, frees your email for reuse, and hides your account from the API. Underlying business records become inaccessible.
- A future hard-delete process will permanently purge soft-deleted rows on a scheduled basis.
8. Security
- Passwords are stored using a modern, salted hashing algorithm.
- Access tokens are short-lived (60 minutes); refresh tokens rotate on every use, and re-using a token immediately invalidates the session.
- Image uploads bypass our API entirely — your phone uploads directly to private object storage using a one-time, 15-minute signed URL.
- All traffic is served over HTTPS.
- Edge protection (rate limiting, basic abuse mitigation) is provided by Cloudflare.
No system is perfectly secure. If you suspect your account has been compromised, change your password immediately — doing so revokes every other active session.
9. Children
OrderNotebook is intended for adult shop owners. We do not knowingly collect data from anyone under 16.
10. Changes to this policy
We may update this policy as the product evolves. The "Last updated" date at the top will always reflect the current version. Material changes will be communicated in the app.