← Xorda

Privacy Policy

Last updated: June 2025

1. Who we are

Xorda Ltd (“Xorda”, “we”, “us”, “our”) is a company registered in England and Wales. Registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

We provide an AI-powered phone ordering and payment platform for UK restaurants and takeaways.

We are registered with the Information Commissioner's Office (ICO) as a data controller. Contact us at: legal@xorda.co.uk

2. What data we collect and why

Restaurant operators (our subscribers)

  • Name and email address — to create and manage your account
  • Restaurant name and business details — to set up your service
  • Payment information — processed securely by Stripe on our behalf
  • Stripe account details — to enable you to receive payments from customers
  • Phone number for call forwarding — to route customer calls correctly

End customers (your customers who call you)

  • Phone number — captured automatically when a call is received
  • Call recording — calls are recorded to capture the order
  • Order details — items, delivery address, order type
  • Payment information — processed securely by Stripe; we do not store card details

3. Call recording

Calls handled by Xorda are recorded and processed by AI to capture order details. Callers are informed of recording at the start of every call via an automated voice message before any order is taken. This disclosure is mandatory and cannot be disabled by restaurant operators.

The legal basis for recording calls is legitimate interests — specifically the legitimate interest of the restaurant in accurately capturing telephone orders placed by the customer. This interest is not overridden by the rights of the caller, given that: (a) the caller has initiated contact for the purpose of placing an order; (b) the caller is informed of recording before proceeding; and (c) the recording is used solely to fulfil the order and is not used for any other purpose.

Recordings are stored securely by Twilio and processed by OpenAI solely for transcription. They are deleted after 90 days. Recordings are never shared with any other third party or used for training AI models.

4. Legal basis for processing

  • Contract — processing necessary to deliver our service to restaurant subscribers, including account management, billing, and platform operation
  • Legitimate interests — processing end customer data (phone numbers, order details, delivery addresses) to fulfil orders placed by that customer with the restaurant. Our legitimate interest is in enabling restaurants to accurately receive and fulfil orders. This does not override the rights and freedoms of end customers given the limited scope of processing and the direct benefit to the customer
  • Legal obligation — where we are required to retain data for tax, accounting or regulatory purposes

5. Who we share your data with

We use the following third-party data processors. Each has been selected for their compliance with UK GDPR and we have Data Processing Agreements in place with each:

TwilioCall handling, SMS messaging, and call recording storage
OpenAIAI transcription of call recordings to extract order details
StripePayment processing and restaurant payout management
SupabaseSecure database storage for orders, menus and account data

We do not sell your data. We do not share it with any third party beyond those listed above.

6. How long we keep your data

  • Call recordings — deleted after 90 days
  • Order data — retained for 12 months then deleted
  • Account data (restaurant operators) — retained while your account is active and for 6 years after closure for legal and tax purposes
  • Payment records — retained for 7 years as required by HMRC

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (“right to be forgotten”)
  • Restrict or object to how we process your data
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email legal@xorda.co.uk. We will respond within 30 days.

8. Data security

All data is encrypted in transit (TLS) and at rest. Access to personal data is restricted to authorised personnel only. We conduct regular reviews of our data handling practices.

9. Complaints

If you are unhappy with how we handle your data, you can contact the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Changes to this policy

We may update this policy from time to time. We will notify restaurant subscribers of material changes by email. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related queries: legal@xorda.co.uk

Terms of ServiceBack to Xorda