Privacy Policy
How we handle personal data when you use the XDines website and platform, and the choices and rights available to you.
This Privacy Policy describes how we (Fleebug Inc.) process personal data in connection with XDines, including our marketing website and the restaurant management software and related services (together, the Services). We are committed to protecting privacy and to complying with applicable data protection laws, including where relevant the EU and UK General Data Protection Regulation (GDPR) and similar laws worldwide.
1. Data controller
The data controller responsible for personal data processed in relation to the Services is:
- Fleebug Inc.
- Operating the XDines brand
- Address: Kathmandu, Nepal
- Email: hello@xdines.com
If we appoint a data protection officer or EU/UK representative, we will publish updated contact details on this page.
2. Scope
This policy applies to personal data we process about visitors to our website, trial and paying customers, restaurant staff and administrators who use the platform, and individuals who contact us or otherwise interact with the Services. It does not apply to third-party websites or services linked from XDines; their own policies govern your data there.
3. Personal data we collect
Depending on how you use the Services, we may process:
- Account and identity data: name, email address, phone number, job title, company or restaurant name, credentials, and profile settings.
- Business and operational data: information you or your organisation enter into XDines (for example orders, bookings, menu items, table layouts, inventory, staff records, customer profiles where you choose to store them, and outlet details). Some of this may relate to identifiable individuals (your staff or your customers).
- Transaction and billing data: subscription or payment information processed by us or payment providers (we do not store full payment card numbers where a processor tokenises them).
- Communications: messages you send us (including support tickets, contact forms, and email).
- Technical and usage data: IP address, device and browser type, approximate location derived from IP, log data, pages viewed, and in-product usage events, as described in our Cookie Policy.
- Marketing preferences: your choices regarding newsletters or promotional communications, where applicable.
4. Purposes and legal bases (including GDPR)
We process personal data only where we have a valid legal basis under applicable law. For individuals in the EEA, UK, and Switzerland, the GDPR legal bases we rely on typically include:
- Performance of a contract — to provide the Services, create and manage accounts, process orders and features you request, and communicate about the service.
- Legitimate interests — to secure and improve the Services, prevent fraud and abuse, analyse aggregated usage, provide support, and operate our business, where not overridden by your rights.
- Consent — where required for non-essential cookies and similar technologies, and for certain marketing communications; you may withdraw consent at any time.
- Legal obligation — to comply with law, regulation, court orders, or lawful requests from authorities.
Where we process personal data on behalf of your organisation (for example data about your staff or diners that you upload), your organisation is typically the controller for that data and we act as a processor, following your instructions and our data processing terms.
5. Sharing and subprocessors
We may share personal data with:
- Service providers who assist us (hosting, analytics where permitted, email delivery, payment processing, customer support tools), under contracts that require appropriate security and confidentiality.
- Professional advisers where necessary (lawyers, accountants, insurers).
- Authorities when required by law or to protect rights, safety, and security.
- Business transfers in connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.
A current list of key categories of subprocessors may be provided on request or in your commercial agreement. We do not sell personal data as that term is commonly understood in privacy laws.
6. International transfers
We may process and store data in Nepal and in other countries where we or our providers operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not recognised as providing an adequate level of protection, we implement appropriate safeguards such as the EU Standard Contractual Clauses (and UK Addendum where applicable) or other mechanisms approved under local law.
7. Retention
We retain personal data only as long as necessary for the purposes described in this policy, including to meet legal, accounting, and reporting requirements. Retention periods vary depending on the type of data and whether you have an active account; when data is no longer needed, we delete or anonymise it in line with our internal schedules.
8. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. No method of transmission over the internet is completely secure; we encourage you to use strong passwords and protect your account credentials.
9. Your rights
Depending on your location, you may have rights including, where applicable under the GDPR and similar laws:
- Access to your personal data and a copy in a portable format;
- Rectification of inaccurate data;
- Erasure ("right to be forgotten") in certain cases;
- Restriction of processing;
- Objection to processing based on legitimate interests or for direct marketing;
- Withdrawal of consent where processing is consent-based;
- Not to be subject solely to automated decisions with legal or similarly significant effects, where applicable.
To exercise these rights, contact us at hello@xdines.com. You may also lodge a complaint with a supervisory authority in your country of residence or work; for example, EU users may contact their local data protection authority (a list is available on the European Data Protection Board website).
10. Children
The Services are not directed at children under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children for marketing. If you believe we have collected data from a child inappropriately, please contact us and we will take steps to delete it.
11. Automated decision-making
We do not use personal data for solely automated decision-making that produces legal or similarly significant effects concerning individuals, unless we notify you separately and provide a lawful basis and any required safeguards.
12. California and other US state privacy rights
If you are a resident of California or another US state with a comprehensive privacy law, you may have additional rights (such as to know, delete, or opt out of certain sharing). To submit a request, email hello@xdines.com. We will not discriminate against you for exercising these rights.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and adjust the "Last updated" date. Where changes are material, we will provide additional notice as required by law (for example by email or in-product notice).
14. Related documents
Please also read our Terms and Conditions and Cookie Policy, which form part of how we operate the Services.