Skip to content

Legal

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how Rosuii ("Rosuii", "we", "us" or "our") collects, uses, discloses and safeguards personal information when you visit rosuii.com, create an account, or use our restaurant management platform and related services (collectively, the "Service"). Rosuii is a multi-tenant Software-as-a-Service (SaaS) product operated from Bangladesh that gives each restaurant ("tenant") its own subdomain and isolated database.

Because Rosuii is multi-tenant, it is important to understand two different roles. For data about our own customers — the restaurant owners and staff who subscribe to Rosuii — we act as the data controller. For data that a restaurant collects about its own diners and processes inside its Rosuii workspace, the restaurant is the data controller and Rosuii acts only as a data processor on that restaurant's behalf. This policy primarily describes the information we control; Section 4 explains the processor relationship in more detail.

2. Information we collect

We collect information in several ways: information you provide directly, information generated as you use the Service, and information processed on behalf of a restaurant.

Account information

When you register a restaurant or create a user account, we collect your name, email address, phone number, business name, role, password (stored only as a salted hash), and your preferred subdomain. We may also collect a profile photo and notification preferences.

Restaurant & tenant data

As you operate your workspace you create business records — menus and items, categories, prices, inventory and stock levels, suppliers, tables, staff and payroll records, expenses, promotions and store settings. This content is stored in your tenant's isolated database.

Diners' order data processed on behalf of restaurants

When a diner places an order or reservation through a restaurant's storefront, the restaurant collects data such as the diner's name, contact number, delivery address, order contents and order history. Rosuii stores and processes this information strictly on the restaurant's instructions, as its processor (see Section 4).

Payment data

Subscription payments and, where enabled, diner payments are handled by third-party payment gateways (such as bKash, Nagad and licensed card processors). We receive limited transaction metadata — for example an amount, currency, status, a masked reference and a gateway transaction ID. Rosuii does not collect or store raw card numbers, CVV codes or full mobile-wallet credentials. See Section 5.

Usage & device data

We automatically collect technical information when you use the Service, including IP address, browser type and version, device and operating system, pages viewed, referring URLs, timestamps, and diagnostic or crash data. We use this to operate, secure and improve the Service.

Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember preferences and understand how the Service is used. See Section 6 for details and your choices.

3. How we use information

We use the information we collect to:

  • Provide, operate, maintain and secure the Service and your account;
  • Provision your subdomain and isolated database and authenticate your users;
  • Process subscription billing, invoices and payment confirmations;
  • Provide customer support and respond to your requests;
  • Send service, security and transactional communications;
  • Monitor performance, detect, prevent and investigate fraud or abuse;
  • Analyse usage to improve features, reliability and user experience;
  • Comply with legal obligations and enforce our Terms of Service.

We rely on the legal bases of performing our contract with you, our legitimate interests in operating and improving the Service, your consent (where required, for example certain cookies), and compliance with legal obligations.

4. Tenant data isolation & ownership

Each restaurant on Rosuii is provisioned with a logically isolated database. Tenant data is segregated so that one restaurant cannot access another restaurant's records through the Service.

A restaurant owns the data it stores in its workspace, including data about its diners. For that diner data, the restaurant is the data controller and Rosuii is the data processor: we process it only to provide the Service, on the restaurant's documented instructions, and we do not sell it or use it for our own advertising. If you are a diner with a question about your data, please contact the restaurant you ordered from, as it controls that information; we will assist the restaurant in responding to your request.

5. Payment processing

Payments are processed by third-party gateways including bKash, Nagad and licensed card processors. When you pay, your payment details are submitted directly to the relevant gateway, which is responsible for handling them under its own privacy policy and applicable card-network and regulatory standards.

Rosuii does not store raw card numbers, CVV/CVC codes or full wallet PINs. We retain only the limited transaction records needed to operate billing and reconcile payments — such as amount, currency, status, a masked or tokenised reference, and a gateway transaction identifier.

6. Cookies & tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary — sign-in sessions, security and core functionality;
  • Preference — remembering language, theme and other settings;
  • Analytics — understanding aggregate usage to improve the Service.

You can control or disable cookies through your browser settings. Blocking strictly necessary cookies may prevent you from signing in or using parts of the Service.

7. Data sharing & sub-processors

We do not sell personal information. We share it only in these limited circumstances:

  • Sub-processors and service providers — cloud hosting and infrastructure, payment gateways, email and messaging delivery, error monitoring and analytics — who process data on our behalf under contractual confidentiality and security obligations;
  • The relevant restaurant — diner order data is made available to the restaurant that the diner transacted with;
  • Legal and safety — where required to comply with applicable law, a valid legal request, or to protect the rights, property or safety of Rosuii, our users or the public;
  • Business transfers — in connection with a merger, acquisition, financing or sale of assets, subject to this Policy.

8. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service, comply with our legal, tax and accounting obligations, resolve disputes and enforce our agreements. When you close your account, we delete or anonymise personal data within a reasonable period, except where retention is required by law or for legitimate business records. Restaurants control the retention of their own tenant data within their workspace.

9. Security

We use technical and organisational measures designed to protect personal information, including encryption of data in transit (HTTPS/TLS), hashed passwords, per-tenant database isolation, access controls, and monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; please use a strong, unique password and keep your credentials confidential.

10. Your rights & choices

Subject to applicable law, you may:

  • Access, update or correct your account information;
  • Request a copy or deletion of your personal data;
  • Object to or restrict certain processing, or withdraw consent where applicable;
  • Opt out of non-essential marketing communications at any time;
  • Manage cookies through your browser settings.

To exercise these rights, contact us at [email protected]. If your request concerns data a restaurant controls (diner order data), we will refer you to, or assist, the relevant restaurant.

11. Children's privacy

The Service is intended for businesses and adults. It is not directed to children, and we do not knowingly collect personal information from children under the age of 13 (or the minimum age required by local law). If you believe a child has provided us with personal information, please contact us so we can remove it.

12. International data transfers

Rosuii is operated from Bangladesh. Where we use service providers located in other countries, your information may be transferred to and processed outside your country of residence. We take steps to ensure such transfers are subject to appropriate safeguards and that your information remains protected in line with this Policy.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

14. Contact us

If you have questions or requests regarding this Privacy Policy or your personal information, contact us at [email protected]. For general support, email [email protected]. Rosuii is operated from Bangladesh.