Orderfellow Privacy Policy

Orderfellow is made available through app.orderfellow.com and related application subdomains. It is operated by Dreamspot for order, team, and field operations management. This policy applies to administrators, staff users, support contacts, customer records, message recipients, and any individual whose information is entered into or generated through the platform.

Dreamspot generally acts as controller, business operator, or equivalent responsible party for account registration, authentication, billing, support, security, audit, and platform administration data. When one of our business customers uploads or sends personal data about its own customers, staff members, invitees, beneficiaries, or service recipients, that business usually acts as the controller or responsible business for that data and Dreamspot acts as processor, service provider, or authorized operator on the business customer's behalf, unless applicable law requires a different allocation.

This policy covers personal data collected directly from you, generated while you use the service, or received from integrated channels such as email, SMS, WhatsApp, uploads, APIs, webhooks, payment flows, and related support or compliance workflows.

We collect and generate personal data only to the extent reasonably necessary to provide, secure, maintain, document, and improve the service.

• Account and identity data: name, surname, phone number, email address, role, business membership details, sign-in records, password-reset events, and account verification data.
• Operational data: customer contact details, order content, event or service addresses, staff assignments, delivery notes, and operational comments.
• Customer, staff, and contact data entered by businesses: names, phone numbers, email addresses, order references, service history, communication preferences, and internal notes or tags.
• Messaging and communication data: support requests, message templates, campaign or reminder content, delivery logs, read or delivery receipts where available, opt-out or stop records, and channel-specific status information.
• Technical and security data: IP address, browser or device details, approximate location inferred from technical data, session logs, audit logs, error logs, abuse-prevention events, rate-limit events, and security incidents.
• Optional uploads and free-text content: files, images, order-related media, attachments, notes, and manually entered instructions. Do not upload special-category or highly sensitive personal data unless you are legally permitted to do so and the service genuinely requires it.

Personal data is processed only for defined business, legal, and security purposes. Depending on the country where the relevant data subject or business is located, processing may rely on one or more lawful bases such as performance of a contract, steps requested before entering into a contract, compliance with legal obligations, legitimate interests, and consent where consent is required. This may include compliance frameworks such as GDPR, UK GDPR, KVKK, ePrivacy rules, telecommunications rules, and local commercial electronic messaging laws.

• To create and manage user accounts, sign-in sessions, permissions, business-level access controls, and platform administration settings.
• To create, schedule, update, fulfill, monitor, and report on operational records and customer-facing activities.
• To send transactional emails, SMS messages, push notifications, or WhatsApp messages when enabled by a business configuration and when a valid legal basis exists for the communication.
• To detect, investigate, prevent, and document abuse, fraud, unauthorized access, data leakage, and other security incidents.
• To maintain backups, audit trails, accounting records, dispute files, and compliance records required for operational continuity, legal obligations, or defense of legal claims.
• To improve product reliability, troubleshoot bugs, analyze platform performance, and plan new features using aggregated or access-controlled operational information.

If messaging features are enabled, messages may be routed through WhatsApp Cloud API, a connected WhatsApp session, telecom carriers, email providers, push notification services, or similar communication vendors configured for Orderfellow. Meta Platforms, Inc., WhatsApp LLC, telecom carriers, device vendors, and other providers may separately process personal data under their own platform terms and privacy notices.

Businesses using messaging features remain responsible for the lawfulness of recipient selection, message timing, message content, consent records, and local marketing or notification compliance. The platform provides delivery tooling; it does not replace the business customer's own legal obligations.

• Do not send WhatsApp, SMS, or similar messages unless the recipient has received any required notice and you have any required opt-in, consent, or other lawful basis under applicable law.
• Stop, unsubscribe, or opt-out requests must be honored promptly and reflected in operational processes.
• Where provider rules apply, including the 24-hour customer service window for non-template WhatsApp messages, businesses must use only approved templates or other permitted formats outside that window.
• Message logs, delivery statuses, and provider identifiers may be stored so that businesses can document sending activity, troubleshoot failures, and respond to disputes or regulatory requests.

We do not sell personal data. Data may be shared with hosting, database, storage, backup, analytics, support, communications, payment, or infrastructure providers only to the extent reasonably necessary to operate Orderfellow, secure the service, document compliance, or fulfill business-customer instructions.

Personal data may be processed in the country where you or the relevant business operates and in other countries where our service providers, backup systems, support staff, or communication vendors operate. Where required by law, we use contractual, technical, and organizational safeguards intended to protect transferred data.

We may also disclose information to courts, regulators, law enforcement, telecom operators, payment institutions, insurers, auditors, or legal advisors when required by law, valid process, or when reasonably necessary to establish, exercise, or defend the rights, security, and integrity of Dreamspot, our customers, or affected data subjects.

We use essential cookies and similar local storage technologies to keep users signed in, remember language and interface preferences, protect sessions, and maintain core security functions. We may also keep technical logs for debugging, rate limiting, auditability, and service reliability.

We retain data for as long as the relevant account, subscription, business relationship, support need, legal obligation, backup cycle, dispute, or fraud-prevention purpose requires. Retention periods vary by record type and by mandatory accounting, tax, audit, employment, telecom, or litigation requirements.

We use role-based authorization, encrypted transport, controlled access, environment segregation, monitored infrastructure, logging, and other reasonable technical and organizational safeguards. No internet-connected service can be guaranteed perfectly secure, but we work to detect, limit, and remediate risk in a commercially reasonable way.

Subject to applicable law, you may have the right to request access to, correction of, deletion of, export of, or restriction on the use of your personal data, and to object to certain processing activities. Some of these rights may vary by country or by whether we act as controller or processor for the relevant data.

If your request concerns data that one of our business customers entered about you, we may direct you to that business first because it usually controls the purpose and legal basis of the processing.

• Review and update inaccurate or incomplete personal data.
• Request deletion of data that is no longer necessary for the service or required by law.
• Request restriction, objection, or portability where those rights apply.
• Withdraw consent for consent-based processing without affecting earlier lawful processing.
• Request information about how data is used, shared, and transferred.

To request deletion of personal data, contact support@orderfellow.com or info@orderfellow.com and use a clear subject such as "Data deletion request". Include the brand name, the relevant business name, the email address or phone number connected to the record, your relationship to the record, and enough context for us to identify the request safely. If the request concerns WhatsApp or Meta-related messaging activity, include the phone number used and the approximate message date when possible.

We may ask for additional verification before deleting data so that we do not erase the wrong record or disclose information to an unauthorized person. Some data may be retained after a deletion request if retention is required for legal obligations, fraud prevention, backup integrity, unresolved disputes, payment records, or establishment, exercise, or defense of legal claims.

This section is intended to serve as the public user data deletion instruction reference for partner-platform forms, including Meta application settings, unless a separate deletion page is published for the relevant business.

For privacy questions, rights requests, or complaints, contact us at support@orderfellow.com or info@orderfellow.com. Please include the brand name, your business name, and enough context for us to identify the relevant record safely.

If you believe your data has been processed unlawfully, you may also lodge a complaint with the supervisory authority, data protection authority, or other competent regulator in the country where you live, work, or where the issue occurred, subject to the rules of that jurisdiction.