Privacy

Privacy Policy

Effective date: May 26, 2026 · Operator: Concept Restaurants LLC ("Pastaphony", "we", "us") · Contact: contact@pastaphony.com

Summary

Pastaphony is a restaurant brand and a mobile app that helps you find the closest Pastaphony restaurant, browse menus, order ahead, and earn loyalty rewards. We collect the minimum information needed to operate our service and never sell your data. This policy explains what we collect, how we use it, and the choices you have.

What we collect

Your phone number

When you sign in to the app, we send a one-time verification code via SMS. Your phone number is your identity across the Pastaphony loyalty program and at the counter. We store the phone number in our backend so we can associate it with your saved delivery addresses, push-notification preferences, and order tracking. We never ask for a password.

Your email address

We never ask for it inside the app, but when you check out via Square Payment Links, Square may collect your email to send the receipt. Each franchise's Square Customer record may then retain that email under Square's own privacy policy.

Your approximate location

When you grant location permission, the app uses your GPS to sort Pastaphony restaurants by distance and to compute which restaurant is closest to a saved delivery address. The location is read on your device and only sent to our servers when you save a delivery address (where we store the resulting latitude/longitude alongside the address itself).

Your saved delivery addresses

If you add a delivery address in the app, we encrypt and store it on our backend so you don't have to re-enter it. You can delete any address at any time from the app.

Your order activity

Each Pastaphony restaurant runs its own Square account. When you place an order, the order lives in that franchise's Square (under their Customer record keyed by your phone). The app displays your order history by querying each franchise's Square for orders linked to your phone.

Your loyalty activity

Each Pastaphony restaurant runs its own Square Loyalty program. When you sign in, the app reads your loyalty point balance from each restaurant's Square so you can see your rewards in one place.

Your push-notification token

If you grant notification permission, the app registers an Expo push token with our backend, keyed to your phone, so we can send "your order is ready" notifications when the kitchen marks your order prepared. You can revoke this by signing out or turning off notifications in your device settings.

Device and usage information

We collect anonymized technical information (app version, device model, OS version, crash logs) to fix bugs and improve performance. We do not link this to your identity.

What we do not collect

  • We do not ask for your full name in the app (Square may collect it during checkout).
  • We do not collect your payment card details (Square processes all payments directly with the restaurant; we never see card numbers).
  • We do not collect your contacts, photos, microphone, or any other data beyond what's listed above.
  • We do not track you across other apps or websites.
  • We never sell your data.

How we use your information

  • To send you the SMS verification code at sign-in (via Twilio).
  • To identify you to each Pastaphony restaurant's loyalty program so you earn and redeem points.
  • To show restaurants sorted by distance from your current location or a saved delivery address.
  • To create your order at the right franchise (via Square).
  • To send a notification when your order is ready (via Expo Push).
  • To alert our operations team when an order appears stuck (alerts contain order id, location, amount — never your name or phone).
  • To diagnose technical issues and improve the app.

We do not sell or share your information with advertisers, data brokers, or any third party for marketing.

Who has access to your information

ServiceRoleData it sees
Concept Restaurants LLCOperates the app and backendAll of the above
TwilioSMS verification + deliveryYour phone number at sign-in
SquarePayment processing, loyalty, customer records — each franchise has its own Square accountPhone, optional name/email at checkout, order details, payment, loyalty balance
VercelHosts our backend (US data centers)All request traffic to our API
UpstashStores encrypted franchise OAuth tokens, your encrypted saved addresses, your push token (keyed to your phone)Phone (as a key), encrypted data
Expo (EAS)Delivers push notifications to your devicePush token (a non-readable device identifier)
SlackInternal ops alerts about stuck ordersFranchise name, order id, dollar amount — never your name or phone
Apple and GoogleDistribute the app via their storesStandard install analytics per their published policies

We never sell your data. We share it only with the providers above strictly to operate the app.

How we protect your information

  • The app communicates with our backend over HTTPS only.
  • Franchise Square OAuth tokens and your saved delivery addresses are encrypted at rest with AES-256-GCM.
  • Authentication tokens are short-lived JWTs signed with a server-only secret; we can revoke them per-device or for an entire phone if your account is compromised.
  • Phone numbers are stored encrypted-at-rest in our backend as the lookup key for your saved addresses, push token, and segment opt-ins. Phone numbers are also stored inside each restaurant's Square Customer records.

Your choices

Turn off location: in iOS Settings → Pastaphony → Location, set to "Never." The Locations tab will still show all stores but won't sort by distance.

Turn off notifications: in iOS Settings → Pastaphony → Notifications, or via the in-app Notifications screen.

Sign out: tap Account → Sign Out. This deletes your local session token and revokes the push token from our backend. Your loyalty accounts at each restaurant remain — the restaurants manage those independently in Square.

Delete your account: tap Account → Delete account. This permanently removes (1) your saved addresses, (2) your push token and segment preferences, (3) your customer record at every Pastaphony Square account that has your phone on file, and invalidates every active sign-in for your phone. Past orders are kept by each franchise in Square for their accounting records — the orders themselves remain in the franchise's books but they are no longer linked to your phone via a customer record. If you prefer to also delete the historical order records, email contact@pastaphony.com and we will forward that request to each franchise; deletion of historical financial records is at each franchise's discretion.

Restaurant-specific data: each Pastaphony is an independently owned franchise running its own Square account. To remove data held by one specific franchise (including paid order receipts), contact that franchise directly.

Children

Pastaphony is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with information, contact us and we will delete it.

Changes to this policy

If we make material changes we will update the effective date above and, if changes are significant, prompt you in the app the next time you open it.

Contact

Questions about this policy? Email contact@pastaphony.com.

Mail: Concept Restaurants LLC.