Privacy Policy
Application: Aroi (Web)
Last updated: 2026-05-15
Aroi is a scan-to-order platform for Thai restaurants. A diner scans the QR code on their table, browses the menu in their preferred language, places an order, and pays via PromptPay or card. Restaurant owners and staff use Aroi to manage menus (including AI-assisted menu translation), accept orders, run the kitchen display, and view sales summaries.
1. Introduction
This Privacy Policy describes how TM3P Tech (“we”, “us”, “our”) collects, uses, and shares information when you use Aroi (the “App”).
2. Information We Collect
Aroi handles only what it needs to run a restaurant’s ordering flow:
- Restaurant operator accounts: Email address, optional phone number, hashed password, role (owner, manager, staff), language preference, and the restaurant tenant the account belongs to.
- Menu content: Items, prices, modifiers, categories, and any menu photos that the restaurant uploads. Photos may be processed by an AI vision service for OCR and translation (see below).
- Diner orders: Customer name (if entered), optional phone number, table number, ordered items with modifiers and special requests, payment method, and order timestamps.
- Operations data: Real-time order status, kitchen display events, simple per-day metrics (number of orders, revenue, average preparation time), and audit logs of staff actions taken on orders or menus.
- Standard web logs: IP address, user agent, request URL, and timestamp for security, debugging, and abuse prevention.
All restaurant data is tenant-isolated by restaurant identifier and is scoped server-side on every request, so one restaurant cannot see another’s data.
3. How We Use Information
We use the information we collect to: (a) provide, operate, and maintain the App; (b) improve, personalize, and expand the App; (c) understand and analyze how you use the App; (d) detect, prevent, and address technical issues, fraud, or abuse; and (e) communicate with you about the App when necessary.
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your information based on one or more of: (i) your consent; (ii) the performance of a contract with you; (iii) compliance with a legal obligation; or (iv) our legitimate interests in operating and improving the App.
5. Sharing of Information
We do not sell your personal information. We share information only with:
- Service providers that help us operate the App, such as cloud hosting, crash reporting, analytics, and push-notification providers. These providers may include Google Firebase, Apple, and similar industry-standard services.
- Platform providers (Apple and Google) to the extent required by their respective app distribution and payment systems.
- Legal and safety recipients, where required to comply with a legal obligation, enforce our Terms, or protect the rights, property, or safety of our users or others.
- Successors, in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.
6. Third-Party Services
Aroi integrates the following third-party services. Each has its own privacy policy:
- Anthropic (Claude) — AI vision service used to perform OCR on menu photos a restaurant uploads and translate menu items into Thai, English, and Chinese. Diner orders and customer details are not sent to Anthropic.
- Pusher Channels — real-time order updates between the diner’s device, the staff dashboard, and the kitchen display.
- Omise and 2C2P — card and PromptPay payment processing (where enabled by the restaurant). They receive the payment details necessary to process the transaction; we receive only the result.
- Cloudflare R2 (where enabled) — storage for uploaded menu photos.
- Optional infrastructure providers for error tracking (Sentry), observability (Axiom), transactional email (Resend), and SMS (ThaiBulkSMS). These receive only the operational data necessary for their function.
7. Data Retention
We retain personal information only for as long as necessary to provide the App and for the purposes described in this Policy, unless a longer retention period is required or permitted by law. Aggregated or de-identified information may be retained indefinitely.
8. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect information against unauthorized access, loss, or alteration. No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. International Transfers
The App and its service providers may operate from servers located outside your country of residence, including Thailand and the United States. By using the App, you consent to the transfer of your information to these jurisdictions, which may have different data-protection laws than your own.
10. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or object to the processing of your personal information, as well as the right to data portability and to withdraw consent. To exercise these rights, contact us at cto@tm3p.com. We will respond within the timeframe required by applicable law.
11. Children’s Privacy
Aroi is a restaurant-operations and ordering product. It is not directed at children, and we do not knowingly collect personal information from children. If a child places an order, we treat the information involved (name, table number, items ordered) as standard transactional order information for the restaurant. If you are a parent or guardian and would like us to delete information about a child, contact us at cto@tm3p.com.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be indicated by updating the “Last updated” date and, where required, by additional notice within the App.
13. Contact
If you have questions about this Privacy Policy or our data practices, contact us at cto@tm3p.com.