Privacy Policy

Last updated: May 21, 2026

This Privacy Policy describes how Rohetek ("we", "us", "our") collects, uses, and protects information when restaurants and their visitors interact with websites and services hosted on the Rohetek platform.

1. Who we are

Rohetek is a software platform that lets restaurants publish a website, manage content, and integrate third-party services such as Google Analytics, Resend (email), and Instagram. Each restaurant on the platform operates its own site under its own domain. Rohetek is the data processor; the restaurant is the data controller for its own customers.

2. Information we collect

2.1 From visitors to restaurant websites

When you visit a restaurant's website hosted on Rohetek, we may collect:

  • Basic request data (IP address, user agent, referrer, requested URL) — used for security, rate limiting, and serving the page.
  • Cookies for session management (if you log in as an owner or staff member) and for tenant previews. We do not set advertising cookies.
  • If the restaurant has Google Analytics 4 enabled, GA4 cookies are set to measure traffic. See Google's privacy notice for details.
  • If you submit a contact form, the name, email, phone, and message you provide. We forward it to the restaurant via email and do not retain it beyond a short audit window.

2.2 From restaurant owners and staff

When you sign in to manage a restaurant on Rohetek, we collect your email, a hashed password, your assigned role, and audit-log entries of administrative actions you take.

2.3 From Instagram (when a restaurant connects their account)

A restaurant owner may choose to connect an Instagram Business or Creator account so their recent posts appear in their site's gallery. Rohetek receives, from Instagram's Graph API, only what the connecting user has granted us access to: username, profile picture URL, follower count (where exposed), and media items (image / video URLs, captions, timestamps) from the connected account. We do not collect direct messages, comments, insights, or any data that requires permissions beyond instagram_business_basic.

Connection is via Meta's OAuth flow. We store an access token (encrypted at rest) so we can refresh the gallery on a schedule. The token is scoped to the single connected account.

3. How we use information

  • To operate, secure, and improve the platform.
  • To display the restaurant's content and Instagram feed on its public site.
  • To deliver platform-generated emails (contact form notifications, password resets) either via Resend or via the restaurant's own SMTP server, depending on the restaurant's configuration.
  • To respond to support requests and enforce our Terms of Service.

We do not sell personal information. We do not use Instagram-derived data for advertising or for training machine learning models.

4. Third parties we share data with

  • DigitalOcean — hosting infrastructure for the platform and its database.
  • Cloudflare — DNS, CDN, and security in front of restaurant sites that use it.
  • Resend — outbound transactional email delivery (unless the restaurant has configured their own SMTP server).
  • Google — when a restaurant has GA4 / Search Console enabled, analytics data flows to Google.
  • Meta (Instagram) — for restaurants who connect an Instagram account, we make read-only API calls to the Instagram Graph API.
  • PreDine — when a restaurant links their PreDine account, reservation and order data flows between PreDine and Rohetek.

We do not share data with any other third parties except as required by law or to investigate and prevent fraud or abuse.

5. Data retention

  • Account data is retained while the restaurant is on the platform and for 90 days after termination, then deleted.
  • Instagram tokens are retained only while the integration is active and are deleted when an owner disconnects or removes the integration.
  • Contact form submissions are stored briefly for audit / re-delivery and purged within 90 days.
  • Error logs older than 90 days are purged automatically.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal data we hold about you. You may also disconnect any third-party integration (Instagram, PreDine, GA4) at any time from the restaurant's admin panel.

To exercise these rights, email [email protected] with your request.

7. How to delete Instagram data

If you connected an Instagram account to a Rohetek-hosted restaurant and want the integration disconnected:

  1. Sign in to the Rohetek admin panel for the restaurant.
  2. Open Settings → Integrations → Instagram.
  3. Click Disconnect. This revokes the access token and deletes the cached posts.

Alternatively, revoke the platform's access directly from your Meta Account → Connected apps page. We honor revocations and delete cached data within 24 hours.

8. Security

Data is encrypted in transit (TLS) and sensitive credentials (Instagram access tokens, PreDine API keys, SMTP passwords) are encrypted at rest using AES-256-GCM. We use industry-standard practices for access control and monitor for unauthorized access.

9. Children

Rohetek and the restaurants on the platform are not directed at children under 13. We do not knowingly collect data from children under 13.

10. Changes

We may update this Privacy Policy. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated to account holders via email.

11. Contact

Questions about this Privacy Policy or about how Rohetek handles your data? Email [email protected].