Privacy Policy

Last updated: June 2026

This Privacy Policy explains how the online ordering platform you are using collects, uses, and protects your personal data when you place an order. The platform is operated by Mordu, a technology company based in Wexford, Ireland (“we”, “us”, “our”). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Irish data protection law.

1. Who we are

Mordu provides white-label ordering technology to independent restaurants. When you place an order through a restaurant’s ordering page, Mordu acts as the data controller for the personal data collected. We are based in Wexford, Ireland. If you have any questions about this policy or your data, contact us at hello@mordu.ie.

2. What data we collect

When you place an order, we collect:

  • Your name
  • Your email address
  • Your phone number
  • Your order details and total spend
  • The date and time of your orders

If you tick the SMS marketing checkbox at checkout, we also record your consent to receive promotional SMS messages from that restaurant.

We do not collect or store your payment card details. Payments are processed directly and securely by Stripe. We never see your card number.

3. Why we collect it and our legal basis

  • To process your order — lawful basis: performance of a contract
  • To send you an order confirmation email — lawful basis: performance of a contract
  • To send you promotional SMS messages — lawful basis: your explicit consent (only if you ticked the box at checkout)
  • To allow the restaurant to manage their customer database — lawful basis: legitimate interest of the restaurant to operate their business

4. Who we share your data with

We use the following third-party services to operate the platform. Each acts as a data processor on our behalf:

  • Stripe — payment processing (stripe.com)
  • Resend — transactional email delivery (resend.com)
  • Twilio — SMS delivery (twilio.com)
  • Supabase — database storage, hosted in the EU West region (supabase.com)
  • Vercel — application hosting (vercel.com)

Some of these processors (Stripe, Resend, Twilio, and Vercel) are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Your data is also accessible to the restaurant you ordered from. The restaurant uses it to fulfil your order and, if you consented, to send you promotional messages.

We do not sell your personal data to any third party.

5. How long we keep your data

  • Order records — retained for 7 years to comply with Irish tax and accounting obligations
  • Customer records — retained for as long as the restaurant remains on the platform, or until you request deletion
  • SMS consent — retained until you withdraw consent by replying STOP to any SMS

6. Your rights

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (subject to legal retention requirements)
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — withdraw SMS marketing consent at any time by replying STOP to any message

To exercise any of these rights, email us at hello@mordu.ie. We will respond within 30 days.

7. Cookies

This platform uses a single session cookie to keep you logged in to the restaurant admin dashboard. This cookie is essential for the service to function and does not track you across other websites. No marketing or analytics cookies are used.

8. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.