Privacy Policy
Effective date: 12 May 2026 · Last updated: 24 May 2026
1. About this Policy
This Privacy Policy describes how Orderdino (“Orderdino”, “we”, “us”) collects, uses, shares and protects personal data across the family of products listed below (collectively, the “Services”). It applies regardless of whether you access the Services from a web browser, a mobile application or through an integrated third-party platform such as the WhatsApp Business Platform.
Orderdino is operated by Dağhan Karahan (sole proprietorship), Turkish tax ID 5120413027, Bakırköy Tax Office, registered at Ataköy 7-8-9-10. Kısım Mah. Çobançeşme E-5 Yan Yol Cad., Ataköy Towers A Blok No: 20/1, İç Kapı No: 70, Bakırköy / İstanbul, Türkiye. We act as the data controller for our own corporate customers’ administrative data and as a data processor on behalf of those corporate customers for the operational data their staff, drivers and end-customers generate inside the Services.
Contact for any privacy request: privacy@orderdino.app (data deletion, access, correction, complaints).
2. Products covered
This Policy covers all of the following Orderdino products:
- Orderdino Admin Console — web platform at orderdino.app used by corporate operations teams for order, dispatch and last-mile management.
- Orderdino Driver — mobile application used by delivery and installation drivers for route execution, proof-of-delivery and live ETA reporting.
- Conversation Hub — multi-agent shared inbox that connects to messaging channels (including the WhatsApp Business Platform / Cloud API, web chat and email) so that customer-service agents from a single corporate customer can collaboratively respond to end-customer conversations.
- Orderdino CX — customer-experience console used by client brands to monitor and reply to those conversations.
Each product is offered to business customers (B2B). End-users of our customers (for example, a person messaging a brand on WhatsApp) interact with us only because their conversation or delivery is being serviced by an Orderdino customer.
3. Categories of personal data we process
The categories below describe the maximum scope of what we may process. Not every category applies to every product or every user.
- Account & identity data — full name, username, corporate email, hashed password (bcrypt), role, employer and workspace assignment.
- Driver location data (Orderdino Driver only) — device GPS coordinates collected only while a delivery shift is active and the user is signed in. Background location is used solely to power live customer ETA and route compliance. Location is never used for advertising or sold to third parties.
- Camera & photo uploads (Orderdino Driver only) — images the driver chooses to capture as proof of delivery, installation completion or damaged-goods reporting.
- Operational data — order codes, addresses, time windows, delivery status, installation notes, customer signature and event logs.
- Conversation Hub messaging data — when our corporate customer connects their WhatsApp Business Account, web-chat widget or email mailbox to Conversation Hub, we receive and store the inbound and outbound messages handled through that channel, including:
  - the end-user’s display name and phone number (or email);
  - the message body, attachments (images, documents, voice notes), reactions and delivery/read receipts;
  - conversation metadata such as assignment, status, tags and internal notes added by agents;
  - WhatsApp message template usage and 24-hour customer-care window state.
- Device & technical data — app version, device model, OS version, IP address, session identifier, crash and diagnostic logs.
- Cookies & similar technologies — strictly necessary cookies for authentication and session persistence. We do not use advertising cookies.
4. Purposes & legal bases
- Service delivery — operating the Services for our corporate customers (performance of contract / legitimate interests).
- Last-mile execution — routing, dispatch, live customer ETA and proof of delivery (performance of contract).
- Customer messaging — receiving, displaying, routing and replying to end-user conversations on behalf of the corporate customer through the WhatsApp Business Platform and other channels (processor on customer’s instructions).
- Security & abuse prevention — fraud detection, authentication, rate limiting, audit logs (legitimate interests / legal obligation).
- Legal compliance — tax, accounting, KVKK and other applicable obligations (legal obligation).
We do not use personal data for behavioral advertising and we do not sell personal data.
5. Meta / WhatsApp Business Platform – specific terms
Conversation Hub integrates with the official Meta / WhatsApp Business Cloud API. The following Meta Platforms products and APIs are used:
- WhatsApp Business Platform — Cloud API (sending and receiving messages, media, templates and interactive components)
- Meta Business Login / Embedded Signup (so corporate customers can connect their own WhatsApp Business Account)
- Meta Graph API (read-only metadata about the connected WhatsApp Business Account, phone numbers, message templates and webhook subscriptions)
- Meta Webhooks (delivery of inbound messages and status callbacks)
By using Conversation Hub:
- Our corporate customer remains the owner of their WhatsApp Business Account (WABA) and the messages exchanged through it. Orderdino acts as a technology provider strictly under our customer’s instructions.
- Message content is used only to display the conversation to authorised agents of that same corporate customer, to enable replies, and to keep an auditable history of customer service interactions.
- We comply with Meta’s WhatsApp Business Messaging Policy, including the 24-hour customer-care window, opt-out handling and prohibited-content rules.
- Conversation data is never reused to train generic or third-party AI models, never shared with other Orderdino customers and never sold.
6. How we share data
We share personal data only with the categories of recipients listed below, and only as needed to provide the Services. The table summarises our current sub-processors, their purpose, processing location and the data categories they receive.
| Recipient | Purpose | Location | Data categories |
|---|---|---|---|
| Meta Platforms Ireland Ltd. | WhatsApp Business Cloud API delivery | EU / US | Phone number, message content, attachments, delivery status |
| Supabase (via Lovable Cloud) | Managed database, auth, file storage | EU (Frankfurt) | All categories listed in §3 |
| Cloudflare, Inc. | CDN, edge runtime, DDoS protection | Global edge (EU-preferred) | IP address, request metadata |
| TomTom International B.V. | Routing, geocoding, ETA | EU (Netherlands) | Anonymised coordinates, addresses |
| Google Maps Platform | Optional fallback geocoding / map tiles | EU / US | Anonymised coordinates, addresses |
| NetGSM | Transactional SMS (OTP, delivery notifications) | Türkiye | Phone number, SMS body |
| OpenAI / Google AI (model providers) | Optional AI assist for agents (only when enabled by the corporate customer) | EU / US | Message snippets passed through with zero-retention enterprise contract |
| Competent authorities | Valid legal requests | As required | Minimum necessary |
We also share data with the corporate customer that employs you or whose WhatsApp / web / email channels you contacted — they are the controller of the conversation or shift in question. We do not sell personal data and we do not share it with advertising networks.
7. International transfers
Personal data may be transferred to and processed in countries other than your country of residence (notably the European Union, the United States and Türkiye). Where required we rely on Standard Contractual Clauses, Meta’s data-processing addenda and equivalent safeguards.
8. Retention
Operational and conversation data is retained for the duration of the contract between Orderdino and the corporate customer, plus any statutory retention period (in Türkiye up to 10 years for accounting, and up to 3 years for customer-care records). When an account is closed or a verified deletion request is received, personal data that we are not legally required to retain is deleted within 30 days. Driver location data older than 90 days is automatically aggregated and the raw GPS pings are deleted.
9. Your rights
Subject to applicable law (GDPR for EU/EEA residents, KVKK for users in Türkiye, equivalent local laws elsewhere) you have the right to: access your personal data, request correction or deletion, object to or restrict processing, withdraw consent, port your data and lodge a complaint with the competent supervisory authority. To exercise any of these rights, contact privacy@orderdino.app. We respond within 30 days.
If you are an end-user whose conversation reached us through one of our corporate customers (for example by messaging a brand on WhatsApp), we will forward your request to that corporate customer, who is the controller of the conversation, and assist them in fulfilling it.
10. Account & data deletion (how to exercise your rights)
You can request access, correction, export, restriction or full deletion of your Orderdino account and associated personal data at any time. Use one of the following procedures — we confirm receipt within 72 hours and complete the request within 30 days (extendable by a further 60 days for complex requests, with notice).
- Email privacy@orderdino.app from the address registered with your account. Include: full name, account email or WhatsApp phone number, the corporate customer (brand) you contacted, and the type of request (access / deletion / export / objection).
- In-app (Orderdino Driver) — open Profile → Settings → “Delete my account”. This triggers the same workflow.
- Web form — for WhatsApp end-users, use the contact link on this page (start a data-deletion request).
We verify your identity before acting on the request (typically by replying to the email on file or by sending a WhatsApp confirmation to the phone number on record). Where Orderdino acts only as a processor (Conversation Hub messages, driver shifts run for a corporate customer), we will forward the request to the controlling corporate customer and assist them in fulfilling it. You may also lodge a complaint with the competent supervisory authority — in Türkiye, the KVKK Authority (kvkk.gov.tr); in the EU/EEA, your local Data Protection Authority.
11. Children
The Services are intended for business use and are not directed at children under 18. We do not knowingly collect personal data from children.
12. Security
All traffic is encrypted with TLS 1.2+. Passwords are hashed with bcrypt. Database access is governed by row-level security and role-based access control. We maintain audit logs, automatic backups and a documented incident-response process; suspected breaches are reported to affected controllers without undue delay.
13. Changes to this Policy
We may update this Policy from time to time. Material changes are announced in-product and on this page at least 7 days before they take effect. The “Last updated” date at the top always reflects the current version.
14. Contact
Orderdino — Dağhan Karahan
Ataköy 7-8-9-10. Kısım Mah. Çobançeşme E-5 Yan Yol Cad., Ataköy Towers A Blok No: 20/1, İç Kapı No: 70, Bakırköy / İstanbul, Türkiye
Privacy: privacy@orderdino.app · Support: destek@orderdino.app