Privacy Policy
Last Modified: 2 July 2026
This Privacy Policy sets forth how Bistrochat Software Limited (“Bistrochat”, “we”, “our”, “us”) collects, uses, discloses, and protects your personal data when you access or use our Services (which include our website, mobile applications, and affiliated platforms). Bistrochat is established in the Hong Kong Special Administrative Region, and we handle personal data in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) (the “Ordinance”) and its six Data Protection Principles, together with the applicable data protection laws of the other markets we serve. By using our Services, you agree to this Privacy Policy.
Table of Contents
- Introduction and Scope
- Definitions
- Collection of Personal Information
- Basis for Processing
- Use of Personal Information
- Artificial Intelligence and Automated Processing
- Disclosure and Sharing of Information
- Cross-Border and International Data Transfers
- Data Retention
- Your Rights and Choices
- Cookies and Similar Technologies
- Data Security Measures
- Compliance with Applicable Laws
- Children's Privacy
- Links to Third-Party Websites
- Changes to This Privacy Policy
- Contact Information
1. Introduction and Scope
This Privacy Policy explains how Bistrochat collects, uses, and protects your personal data. As a Hong Kong company, our handling of personal data is governed by the Personal Data (Privacy) Ordinance (Cap. 486) and overseen with regard to the guidance of the Office of the Privacy Commissioner for Personal Data (the “PCPD”). We provide our Services across a number of markets in Asia — including Hong Kong, Macau, Singapore, Thailand, the Philippines, Cambodia, Vietnam, and India — and where the data protection laws of those markets apply to you, we handle your personal data in accordance with them as well. This Policy applies to all personal data processed in connection with our Services.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, whether automated or manual.
- Data Subject: An individual whose personal data is processed.
- Data User / Controller: The entity that controls the collection, holding, processing, or use of personal data.
- Data Processor: A party that processes personal data on our behalf and under our instructions.
- Automated Processing: Processing carried out by automated means, including through artificial intelligence and machine-learning systems.
- Third Parties: Entities external to Bistrochat that may receive personal data.
3. Collection of Personal Information
3.1 Information You Provide
When you register or use our Services, you may provide:
- Account Information: Mobile number, name, email address, and an optional profile picture. Your name and profile picture are visible within the app to help contacts identify you.
- Booking and Loyalty Data: When you book a restaurant or join a loyalty program, your personal data (e.g., name, contact information, booking details) may be shared with the relevant restaurant. For removal of such data, please contact the restaurant directly.
- Communications: Messages or other information you voluntarily send to us or to restaurants.
3.2 Automatically Collected Information
We automatically collect data as you use our Services:
- Usage Data: Log files, diagnostic and performance information, crash reports, and service usage statistics.
- Device Data: Hardware details, operating system information, unique device identifiers, and mobile network data.
- Location Data: Geolocation information (if enabled) for displaying nearby restaurants and assisting with troubleshooting.
- Cookies and Tracking: Information collected via cookies, web beacons, and similar technologies to enhance your experience and analyze service interactions.
3.3 Information from Third Parties
We may also receive personal data from:
- Contacts: Information shared by individuals in your contact list who use our Services.
- Third-Party Platforms: Data from social media or other platforms when you choose to register or log in using third-party services.
- Service Providers: Data provided by partners who support our operations (e.g., infrastructure, analytics, marketing).
4. Basis for Processing
We collect and use your personal data on one or more of the following bases:
- Consent: Where you have given consent for a specific purpose (which you may withdraw at any time).
- Performance of Services: Processing necessary to provide, operate, and support the Services you request.
- Legal and Regulatory Obligations: Compliance with obligations under the Ordinance and the other laws applicable to us.
- Legitimate Business Interests: Processing necessary for our legitimate interests (such as securing our Services and preventing fraud), balanced against your rights and interests.
We collect personal data by lawful and fair means, for purposes directly related to our functions and activities, and we take practicable steps to ensure the data is accurate and not kept longer than necessary, consistent with the Data Protection Principles.
5. Use of Personal Information
We use your personal data to:
- Operate and Enhance Services: Provide, maintain, support, and improve our Services, including customer support and troubleshooting.
- Process Bookings: Facilitate restaurant reservations, loyalty programs, and messaging services.
- Personalize Experience: Analyze usage patterns, personalize your experience, and develop new features.
- Communicate: Send account-related notifications, service updates, security alerts, and, where permitted, promotional communications.
- Ensure Security: Monitor, detect, and prevent fraud, abuse, and unauthorized access to our Services.
- Research and Analytics: Conduct research and analytics — typically using aggregated or anonymized data — to improve our Services.
We will not use your personal data for a new purpose that is unrelated to the purpose for which it was collected unless we have obtained your consent or are otherwise permitted or required by law.
6. Artificial Intelligence and Automated Processing
6.1 Use of AI Technology
We use technology — including artificial intelligence (AI) and large language models (LLMs) — to support some of our operational processes and to serve you better. In particular, we may use these technologies for service personalization, product improvement (using aggregated data), and automated checks in areas such as fraud detection, safety, and quality assurance. We aim to use AI in a way that is fair, transparent, and consistent with the PCPD's guidance on the ethical development and use of artificial intelligence.
6.2 AI and Technology Service Providers
To support these capabilities, we may share personal data with technology and AI service providers, including where those providers' infrastructure is located outside Hong Kong. Where we do so, we apply safeguards consistent with the PCPD's guidance on cross-border data transfer, so that your personal data continues to receive a standard of protection at least comparable to that provided under the Ordinance. We engage such providers under contractual terms that limit their use of your data to the services they perform for us.
6.3 AI Governance and Safeguards
Our use of AI is subject to internal governance and safeguards, including:
- Data Minimisation: Using only the data necessary for the relevant purpose, and favouring aggregated or anonymized data where practicable.
- Security Validation: Assessing and testing systems that process personal data before and during their use.
- Vendor Due Diligence: Reviewing the data protection and security practices of the AI and technology providers we engage.
- Human Oversight: Retaining meaningful human oversight over material outcomes rather than relying solely on automated processing.
6.4 Automated Decisions and Human Review
Where a decision that significantly affects you is made solely by automated means, you may inquire about that decision and request that it be reviewed by a person. To make such a request, please contact us using the details in Section 17.
Processing that is necessary to operate your account or to meet our legal obligations (for example, fraud detection and due diligence) is required and cannot be opted out of. For discretionary uses described above — such as service personalization and product-improvement analytics — you may opt out at any time, without affecting your account, by contacting us.
7. Disclosure and Sharing of Information
Your personal data may be shared with:
- Restaurants: To enable bookings and loyalty program participation.
- Service Providers: Trusted vendors who provide technical, infrastructure, analytical, AI, and marketing services under data protection obligations.
- Legal Authorities: In compliance with lawful requests, court orders, or regulatory investigations.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
- Aggregated/Anonymized Data: Data that has been aggregated or anonymized so that it does not identify you personally.
We do not sell your personal data.
8. Cross-Border and International Data Transfers
Because we operate across several markets and rely on service providers in different locations, your personal data may be transferred to and processed outside your place of residence, including outside Hong Kong. Where we transfer personal data across borders, we take practicable steps — consistent with the Ordinance and the PCPD's guidance on cross-border data transfer — to ensure that your personal data receives a standard of protection at least comparable to that provided under the Ordinance, including through contractual protections with the parties receiving the data.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce our agreements. When personal data is no longer required, we take practicable steps to erase it or render it anonymous. Retention periods depend on the nature of the data and applicable laws.
10. Your Rights and Choices
Subject to applicable law, you may have the right to:
- Access: Request confirmation of whether we hold your personal data and a copy of it.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your data, subject to legal obligations.
- Objection / Restriction: Object to or restrict certain processing of your data.
- Withdraw Consent: Withdraw consent where processing is based on consent.
- Opt Out of Direct Marketing: Ask us to stop using your data for direct marketing at any time.
- Human Review: Request human review of a decision made solely by automated means that significantly affects you (see Section 6.4).
To exercise any of these rights, please contact us as set out in Section 17. We may need to verify your identity before responding, and we will handle your request within the timeframes required by applicable law. You also have the right to make a complaint to the PCPD or to the relevant data protection authority in your market.
11. Cookies and Similar Technologies
We use cookies and related technologies to:
- Enhance and personalize your experience.
- Analyze site usage and trends.
- Deliver relevant content and, where permitted, advertising.
You may adjust your cookie preferences through your browser settings.
12. Data Security Measures
We apply appropriate security measures to protect your personal data, including:
- Encryption: Encryption of data in transit and, where appropriate, at rest.
- Access Controls: Strict access policies and authentication measures.
- Security Reviews: Regular reviews and vulnerability assessments.
- Monitoring: Continuous monitoring of systems to detect and prevent security breaches.
- Secure Development: Secure coding practices and regular software updates.
13. Compliance with Applicable Laws
Bistrochat is committed to complying with the data protection laws applicable to our Services. Our primary framework is Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486). In the other markets we serve — including Macau, Singapore, Thailand, the Philippines, Cambodia, Vietnam, and India — we handle personal data in accordance with the local data protection laws that apply to you, such as Singapore's Personal Data Protection Act and Thailand's Personal Data Protection Act. We continuously review and update our practices to meet evolving legal requirements.
14. Children's Privacy
Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected such data, we will take steps to delete it.
15. Links to Third-Party Websites
Our Services may include links to third-party websites or services that we do not operate. We are not responsible for the privacy practices or content of those sites, and we encourage you to review their privacy policies.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on our website with an updated “Last Modified” date, and material changes may be communicated to you where appropriate. Your continued use of our Services after any update indicates your acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically.
17. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data practices — including access, correction, human review of automated decisions, or opting out of discretionary processing — please contact us:
- Bistrochat Software Limited (Hong Kong SAR)
- Data Protection Officer
- Email: [email protected]
We are committed to protecting your personal data and to handling it responsibly, transparently, and in accordance with the standards set by Hong Kong's Personal Data (Privacy) Ordinance and the other laws that apply to our Services.