Privacy Policy

Last updated: April 2026

TrooNow ("we", "us", "our") respects your privacy. This policy explains what data we collect, why, and what we do with it.

1. What we collect

From Merchants (food truck / restaurant owners)

• Account info: name, email, phone, business name, password (hashed)
• Business data: menu items, orders, customer lists, settings, uploaded images
• Payment info: Stripe handles all payment processing. We never see or store your full card number.
• Usage data: pages visited, features used (for improving the product, not for advertising)

From Customers (people ordering from a Merchant)

• Order info: name, email, phone, order items, delivery address (if applicable)
• Payment info: processed by Stripe. We store the order total and confirmation status, not card details.

2. How we use your data

• To provide and operate the Service (hosting your site, processing orders, sending notifications)
• To send you account-related emails (order confirmations, billing receipts, password resets)
• To improve the Service (aggregate usage analytics — we don't sell or share individual data)
• To respond to support requests

We do not:

• Sell your data to anyone
• Show you ads or track you across the web
• Share your customer lists with other Merchants
• Use your data for AI training

3. Data isolation

Each Merchant's data is stored in a separate, isolated database file. One Merchant cannot access another Merchant's data. This is enforced at the operating-system level, not just by application logic.

4. Third-party services

We use the following third-party services that process data on your behalf:

• Stripe — payment processing (their privacy policy)
• Twilio — SMS notifications, only if you configure it (their privacy policy)
• OpenStreetMap / Nominatim — map tiles and geocoding (their privacy policy)

5. Data retention

• Active accounts: we keep your data as long as your account is active.
• Cancelled accounts: we delete your data within 30 days of account cancellation.
• Backups: encrypted daily backups are retained for 14 days, then automatically purged.

6. Your rights

You can:

• Export your data anytime from your admin dashboard (Settings → Export Tenant Data)
• Delete your account by contacting us — we'll remove everything within 30 days
• Correct your information directly from your admin settings
• Request a copy of your data by contacting us at the address below

7. Cookies

We use the following cookies:

• admin_token / customer_token — session cookies for login (HttpOnly, secure)
• csrf_token — CSRF protection (required for form submissions)
• cart — shopping cart contents (customer-facing only)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Security

• All passwords are hashed with bcrypt (never stored in plain text)
• All connections are encrypted via HTTPS / TLS
• CSRF protection on every form
• Rate limiting on authentication endpoints
• Per-tenant data isolation at the file-system level

9. Children

The Service is not intended for children under 13. We don't knowingly collect data from children.

10. Changes

We may update this policy. We'll email Merchants about significant changes at least 14 days before they take effect.

11. Contact

Privacy questions? Contact us.