Back to home

Privacy Policy

Last updated: 18 May 2026

In short — we collect what we need to take and deliver your order. Stripe handles your card; we never see it. Your details are used to serve you, not sold. Contact info@hitexconsulting.com to access or delete your data.

1. Who we are

This Privacy Policy applies to the online ordering service for Ozmo Kebab & Mandi (the restaurant whose menu you are ordering from). The online ordering platform is built and operated on the restaurant's behalf by Hitex Consulting, which acts as the platform provider and data processor for this service.

References to "we", "us", or "our" in this policy mean the restaurant and Hitex Consulting acting together to provide you with the online ordering service.

2. What information we collect

When you place an order or make a reservation, we collect:

  • Your name (required) — so we can prepare and hand over your order.
  • Your phone number (required) — to contact you about your order and to send a one-time SMS verification code at payment.
  • Your email address (optional) — used by Stripe to send a payment receipt if you provide it.
  • Delivery address (delivery orders only) — street, suburb, postcode, and any delivery instructions you choose to add.
  • Order details — the items, options, and any special instructions you add for the kitchen.
  • Table number (dine-in only) — captured manually or via the QR code on your table.
  • Reservation details (if you use the reservation form) — date, time, number of guests, and any special requests.
  • Technical data — your IP address, browser type, and device information that web servers receive on every request, used for security and troubleshooting.

We do not collect or store your card details. See section 7 below.

3. How we collect it

  • Directly from you when you fill in the checkout or reservation forms on this site.
  • Automatically through your browser's local storage (see section 9).
  • From Twilio's SMS verification service when you enter the one-time code we send to your phone at payment.

4. Why we use it

  • To prepare, package, and deliver your order.
  • To contact you about your order — for example, to confirm details, notify you when it's ready, or follow up on delivery.
  • To verify your phone number at payment, which helps prevent fraudulent orders.
  • To keep records required by Australian tax and accounting law.
  • To improve the service and troubleshoot technical issues.
  • (Opt-in only) To send you future promotional offers from the restaurant, if you have explicitly opted in. We do not send marketing without your consent.

5. Who we share it with

We only share your data with the third parties needed to deliver this service:

  • Stripe Payments Australia Pty Ltd — processes your card payment. Stripe receives your name, email (if provided), order amount, and order reference. Stripe is PCI-DSS Level 1 certified. See stripe.com/au/privacy.
  • Twilio — sends the one-time SMS verification code at payment. Twilio receives your phone number only.
  • Shipday — dispatches delivery drivers for delivery orders. Shipday receives your name, phone, delivery address, delivery instructions, and a summary of the order.
  • Supabase — provides the database that stores your order and customer record.
  • Hitex Consulting — operates the ordering platform on the restaurant's behalf and may access your data solely to provide and support the service.

We do not sell your data, and we do not share it with anyone other than the providers listed above, except where required by law.

6. Overseas disclosure

Some of the providers listed above may process or store data outside Australia — for example, Stripe (United States, Ireland), Twilio (United States), and Supabase (regional hosting). We choose providers that apply industry-standard safeguards to protect data in transit and at rest.

7. Payment data — your card is never stored by us

When you enter your card details at checkout, they are typed directly into secure fields hosted by Stripe. Your card number, expiry date, and CVV are never transmitted to or stored on any server operated by Ozmo Kebab & Mandi or Hitex Consulting. After Stripe processes the payment, we receive only a payment reference (a Stripe PaymentIntent ID) that lets us match the charge to your order.

8. Marketing communications

Order-related messages — order confirmations, ready-for-pickup notices, delivery updates, and the SMS verification code — are part of the service and are sent regardless of marketing preferences.

Promotional or marketing messages are sent only if you have separately opted in. We do not pre-tick consent boxes. Every marketing message we send will identify the sender and include a way to unsubscribe (reply STOP to SMS, or use the unsubscribe link in emails).

9. Cookies & browser storage

This site does not use third-party tracking or analytics cookies. The ordering app uses your browser's built-in storage to remember your session:

  • sessionStorage (cleared when you close the browser tab): oms_cart (your current cart), oms_orderDraft (your in-progress checkout details), oms_sessionMode (dine-in / pickup / delivery), oms_lastOrder (your most recent order, used to show the tracking page), oms_tableNumber (your table from a QR scan).
  • localStorage (kept until you clear it): ozmo_favorites (the menu items you have favourited — does not contain personal information).

Stripe's payment fields may set their own cookies for fraud prevention when you reach the payment step.

10. Data retention

We keep order and customer records for as long as required by Australian tax and accounting law (generally seven years). You can request earlier deletion of your personal information, and we will comply to the extent permitted by those record-keeping obligations.

11. Data security

All data is transmitted over encrypted connections (TLS / HTTPS). Database access is restricted to the systems and personnel that need it to operate the service. Card data is handled exclusively by Stripe under the PCI-DSS standard.

12. Your rights

You have the right to:

  • Ask what personal information we hold about you.
  • Ask us to correct information that is wrong.
  • Ask us to delete your information (subject to legal record-keeping requirements).
  • Withdraw any marketing consent at any time.
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your information.

To exercise any of these rights, email info@hitexconsulting.com.

13. Children

This service is not directed at people under the age of 16. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Updates will be posted on this page, and the "Last updated" date at the top will change. For material changes, we will take reasonable steps to bring the update to your attention at checkout.

15. Contact us

For any privacy question or to exercise your rights, contact Hitex Consulting at info@hitexconsulting.com.