Policy scope
This Policy applies to:
- customers and website users
- users who create an account, place orders or request support
- vendors, stores, restaurants, caterers, suppliers and their staff
- delivery partners or logistics operators, when applicable
- Oneg admin users and internal operators
- people who contact us by email, WhatsApp, phone, forms or social channels
1. Who we are
Oneg is a marketplace platform that helps customers discover, filter, choose and order Shabbat food, kiddush products and related services from multiple vendors. Depending on the available delivery method, customers may order from one or multiple vendors and receive their order through Oneg Delivery, store delivery or pickup.
For privacy purposes, Shabbat Eats is responsible for the personal data processed through Oneg, unless another party clearly acts as an independent controller, such as a payment processor, Google, Apple, Meta/WhatsApp or another third-party provider.
2. Data we collect
We collect only the data needed to operate, secure, improve and legally manage Oneg.
2.1 Customer and website user data
We may collect:
- full name
- email address
- phone number
- account login details
- Google Sign-In or Apple Sign-In identifiers, if used
- delivery address, city, neighborhood, building, floor, apartment and delivery notes
- pickup preferences
- order history, cart, selected vendors, selected products, quantities, prices, discounts, fees and order status
- payment status, transaction reference, refund status and invoice/receipt information
- reviews, ratings, comments and feedback
- support messages, emails, WhatsApp messages, call notes and attachments
- marketing preferences and unsubscribe status
- technical data such as IP address, device type, browser, app version, operating system, logs, crash data and security events
2.2 Vendor / partner app data
For vendors, stores, restaurants, caterers, suppliers and their teams, we may collect:
- business name, legal name and commercial name
- contact person name, email and phone number
- business address, service areas, cities and pickup address
- business registration details, tax details, invoices and documents required for onboarding or compliance
- bank account, payout details or payout processor references, if needed
- kashrut/certification information, if provided
- product data, prices, images, descriptions, availability, categories and stock/status updates
- opening hours, pause/schedule/open status, delivery method settings and minimum order settings
- order preparation status, substitutions, missing item handling and internal notes
- vendor dashboard activity, login logs, staff accounts, permissions and audit trails
- support messages and operational communications with Oneg
2.3 Admin and internal operator data
For Oneg admin users and internal team members, we may collect:
- name, email and login details
- role, permissions and access level
- admin actions performed inside the dashboard
- timestamps, IP address, device/browser data and audit logs
- security, fraud-prevention and operational logs
- internal notes created for customer, vendor, order, payout or support management
2.4 Delivery and logistics data
When delivery is involved, we may collect and process:
- customer name and phone number
- delivery address and delivery instructions
- order number and delivery status
- vendor pickup details
- driver or logistics operator name/contact, when applicable
- pickup and delivery timestamps
- route, city, zone or delivery assignment data
- proof of delivery, delivery issue notes or support records, when applicable
2.5 Payment and financial data
We may collect:
- order amount, delivery fees, discounts, commission, payout and refund details
- payment status, transaction ID, authorization status, chargeback or refund status
- invoices, receipts and accounting records
- limited card or payment method metadata, such as last four digits, card brand or token reference, if provided by the payment processor
We do not intentionally store full credit card numbers or full payment credentials on our own servers. Payment card processing is handled by external payment providers such as PAYPLUS.
2.6 Google Maps and address data
When you use address search, address autocomplete, map features or delivery-area validation, we may process:
- typed address search terms
- selected address
- Google Place ID
- latitude/longitude coordinates
- city, zone, neighborhood and delivery eligibility
- IP address and technical request data transmitted as part of the map service
Google may also receive data directly when Google Maps Platform services are used.
2.7 Email, WhatsApp, phone and notification data
We may process:
- email address
- phone number
- message content
- order-related notifications
- delivery updates
- vendor operational alerts
- support history
- WhatsApp template status, message status and delivery/read status where available
- push notification tokens, if push notifications are enabled
2.8 Cookies, analytics and technical data
On the website and apps, we may use cookies, SDKs or similar technologies for:
- login sessions
- cart persistence
- security
- analytics
- performance monitoring
- crash reporting
- fraud prevention
- remembering preferences
Depending on the tools enabled, this may include device identifiers, IP address, pages viewed, clicks, app screens, session duration, errors, crashes and referral sources.
3. Data we do not intentionally collect
Unless clearly stated or required for a specific feature, Oneg does not intentionally collect:
- health data
- biometric data
- contacts from your device
- microphone recordings
- precise background location tracking
- SMS content
- photos or files unrelated to vendor/customer support or vendor onboarding
- government ID documents from customers
If a device allows login through Face ID, Touch ID or another biometric unlock, the biometric data is handled by the device operating system. Oneg does not receive the biometric template.
4. How we collect data
We collect data when:
- you create or use an account
- you browse the website or app
- you place or manage an order
- you enter an address
- you pay, request a refund or receive an invoice
- you contact support
- you communicate through email, WhatsApp, phone or forms
- a vendor updates products, prices, availability or orders
- an admin manages orders, vendors, payouts or support
- our systems generate logs for security, reliability and fraud prevention
- third-party providers send us payment, delivery, authentication, analytics or messaging status data
5. Why we use personal data
We use personal data for the following purposes:
5.1 Account and authentication
- create and manage customer accounts
- create and manage vendor accounts
- manage admin access and permissions
- enable Google Sign-In, Apple Sign-In or email/password login
- prevent unauthorized access
5.2 Marketplace operation
- display vendors, stores, products, menus and categories
- manage carts and orders
- transmit order details to the relevant vendors
- manage missing items, substitutions, cancellations, refunds and support cases
- display order history and invoices
- allow reviews and feedback
5.3 Vendor operations
- onboard vendors
- manage product catalogues, pricing, availability and delivery methods
- manage vendor dashboards and staff permissions
- calculate commissions, payouts, invoices and financial summaries
- communicate operational updates
5.4 Delivery, pickup and logistics
- check delivery eligibility by address or city
- assign orders to the correct delivery method
- coordinate vendor pickup and customer delivery
- provide customer contact and address details to delivery operators when required
- manage delivery incidents and proof of delivery
5.5 Payments, invoices and accounting
- process payments through payment providers
- verify payment success or failure
- process refunds
- manage disputes or chargebacks
- generate invoices, receipts and payout records
- comply with tax, accounting and legal obligations
5.6 Communication
- send order confirmations
- send delivery or pickup updates
- send password reset or access links
- send vendor order alerts
- send admin or operational alerts
- respond to support requests
- send marketing messages where allowed and with unsubscribe options
5.7 Security and fraud prevention
- detect suspicious activity
- prevent abuse, fraud and unauthorized access
- protect accounts, vendors, payments and operations
- maintain audit logs
- enforce our terms and policies
5.8 Analytics and improvement
- understand how users interact with Oneg
- improve product experience, performance and reliability
- fix bugs and crashes
- measure feature usage
- improve search, filters, ordering, delivery and vendor tools
5.9 Legal and compliance
- comply with applicable law
- respond to lawful requests
- maintain required financial and tax records
- protect legal rights
- resolve disputes
6. Legal basis for processing
Depending on the applicable law and user location, we process personal data based on one or more of the following legal bases:
- contract necessity: to provide the marketplace, orders, vendor tools, payments and delivery services
- consent: for certain marketing, optional location permissions, cookies or push notifications where consent is required
- legal obligation: for tax, accounting, payment, fraud-prevention and regulatory requirements
- legitimate interests: to secure, operate, improve and protect Oneg, our users, vendors and business operations
- vital or public interest: only in rare cases where required by law or emergency circumstances
You may withdraw consent where processing is based on consent. Withdrawal does not affect processing already performed before withdrawal.
8. Payments
Payments are processed by PAYPLUS. Oneg does not intentionally store full card numbers, CVV codes or full payment credentials on its own servers.
We may store or receive:
- transaction ID
- payment status
- order amount
- refund status
- chargeback status
- card brand or last four digits, if provided by the payment processor
- invoices and accounting records
- payout and commission data for vendors
Payment processors may independently process data for payment security, fraud prevention, regulatory compliance, dispute handling and financial reporting.
9. Delivery, pickup and multi-vendor orders
Oneg may offer several fulfillment methods, such as Oneg Delivery, store delivery and pickup.
When a customer orders from multiple vendors, we may combine relevant order, vendor and delivery data to coordinate preparation, pickup, storage, routing and delivery.
For Oneg Delivery, relevant order and customer details may be shared with:
- Oneg internal operators
- vendors involved in the order
- logistics partners
- drivers
- customer support staff
Only the data needed to fulfill the order should be shared with each party.
Customers should avoid writing sensitive personal information in delivery notes unless strictly necessary.
10. Google Maps, address search and location
Oneg may use Google Maps Platform to provide address autocomplete, geocoding, delivery-area validation, map display, routing support and location-based features.
When these features are used, Google may receive data such as typed search terms, selected addresses, IP address, request metadata, Google Place IDs and latitude/longitude coordinates. Google may process this data according to the Google Privacy Policy and Google Maps terms.
Oneg may process location or address data to:
- validate whether an address is eligible for delivery
- calculate city, zone or delivery availability
- improve address accuracy
- coordinate pickup and delivery operations
- support driver or logistics routing, where applicable
Oneg does not collect precise background location from customer devices or partner devices.
If live driver tracking is introduced later, Oneg will update this Privacy Policy and request the required permissions before collecting such location data.
11. Google Sign-In and Apple Sign-In
If you choose to sign in using Google or Apple, we may receive:
- your email address
- your name, if shared
- your profile identifier
- authentication status
- Apple private relay email, if you choose to hide your email
Google and Apple process your authentication according to their own privacy policies and account settings.
12. Email, WhatsApp, phone and push notifications
12.1 Transactional communications
We may send service-related communications without marketing consent where needed to provide the service, including:
- account verification
- password reset
- order confirmation
- payment status
- invoices or receipts
- delivery updates
- pickup updates
- vendor order alerts
- refund or support updates
- security alerts
12.2 Marketing communications
Oneg may send marketing messages about Oneg, vendors, promotions, seasonal offers or new features only where allowed by law and, where required, after the user has given prior consent.
Marketing consent is optional and should not be pre-selected by default. Users may unsubscribe or opt out of marketing messages at any time.
Opting out of marketing does not stop transactional or service messages, such as order confirmations, payment updates, delivery updates, pickup instructions, password reset messages, security alerts, refund updates or legally required notices.
12.3 WhatsApp
If WhatsApp is used, your phone number and message content may be processed by WhatsApp/Meta according to their own terms. WhatsApp may be used for order updates, vendor operations, support or marketing where allowed.
12.4 Push notifications
If push notifications are available and enabled, we may process push notification tokens to send app notifications. You can disable push notifications in your device settings.
13. Reviews, ratings and public content
Customers may be able to leave reviews, ratings or comments about vendors, products or orders.
Reviews may be displayed publicly or to vendors in a limited form. Where possible, Oneg may display reviews anonymously or without exposing the customer's full identity to vendors. However, Oneg admins may retain the ability to link a review to an account or order for moderation, fraud prevention, support, legal or operational reasons.
We may remove, moderate or restrict reviews that are abusive, false, unlawful, irrelevant or violate our terms.
14. Vendor data and business data
Vendors are responsible for ensuring that any staff member using the vendor app or vendor dashboard is authorized to do so.
Vendor staff data may be processed for:
- login and access control
- order management
- preparation workflows
- catalog management
- payout and invoice management
- support
- security and audit logs
Vendor business data, product data and operational data may be displayed publicly on Oneg where necessary to operate the marketplace.
15. Admin dashboard and audit logs
Oneg may maintain admin tools to manage customers, vendors, products, orders, refunds, payouts, support, promotions, delivery operations and compliance.
Admin actions may be logged for security and accountability, including:
- admin user identity
- action performed
- affected order/vendor/customer/product
- timestamp
- IP address or device metadata
- before/after changes where needed
These logs help detect mistakes, fraud, unauthorized access and operational abuse.
17. Analytics, crash reporting and performance monitoring
We may use analytics, crash reporting and monitoring tools to understand usage, fix errors and improve Oneg.
These tools may collect:
- device model
- operating system
- app version
- browser type
- IP address
- screen or page views
- clicks and events
- crash logs
- error traces
- session metadata
Where possible, we limit analytics data and avoid collecting unnecessary personal content inside logs.
18. Data retention
We keep personal data only as long as reasonably needed for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
Typical retention periods include:
- Active account data: while the account remains active.
- Customer order history: as needed for service, support, accounting, tax, fraud-prevention and dispute purposes.
- Invoices, receipts, tax and accounting records: as required by applicable tax and accounting law.
- Payment transaction references: as required for payments, refunds, chargebacks, disputes, fraud prevention and accounting.
- Vendor onboarding and business records: while the vendor relationship exists and as required after termination for tax, payout, compliance, audit or dispute purposes.
- Support messages: usually up to 36 months, unless needed longer for legal, fraud, safety, operational or dispute reasons.
- Security logs and audit logs: usually 3 to 24 months, unless needed longer for security, fraud, legal or operational reasons.
- Marketing preferences: until unsubscribe, account deletion or longer if needed to maintain suppression lists.
- Deleted account data: deleted or anonymized, except data retained for legal, tax, security, fraud, accounting, active order or dispute purposes.
When data is no longer needed, we delete, anonymize or restrict it according to our technical and legal requirements.
19. Account deletion and data deletion
Customers may request deletion of their account and associated personal data.
You can request deletion by:
- using the in-app deletion path: Profile / Settings -> Delete account
- using the web deletion page: https://onegapp.co/account-deletion
- contacting us at yehielzaouch@gmail.com
When you request deletion, we may need to verify your identity before completing the request.
Account deletion means deleting or anonymizing the account and personal data associated with it, except data that Oneg is legally required or allowed to retain, including:
- invoices and accounting records
- payment and refund records
- fraud-prevention records
- legal claims or dispute records
- security logs
- data needed to complete an active order
- vendor payout, tax, invoice, audit and compliance records
For vendor accounts, deletion may be limited by business, tax, payout, invoice, order history, compliance, audit and dispute obligations.
If data was shared with service providers, we will request deletion or restriction where required and technically possible.
20. Your privacy rights
Depending on your location and applicable law, you may have rights to:
- know what personal data we collect and why
- access your personal data
- correct inaccurate personal data
- request deletion of certain personal data
- withdraw consent where processing is based on consent
- object to marketing
- restrict certain processing
- request a copy of certain personal data
- complain to a privacy authority
To exercise your rights, contact us at yehielzaouch@gmail.com or use the account deletion page: https://onegapp.co/account-deletion.
We may ask for information to verify your identity. We may refuse or limit requests where allowed by law, including where the request affects another person's privacy, conflicts with legal obligations, or relates to fraud, security, accounting, tax, active orders or legal claims.
21. Security
We use reasonable technical, organizational and administrative safeguards to protect personal data, including where appropriate:
- HTTPS encryption in transit
- access controls
- role-based permissions
- authentication controls
- audit logs
- secure server configuration
- backup procedures
- monitoring and error logging
- separation of admin/vendor/customer access
- limited staff access based on operational need
- vendor and service-provider controls
No online service can guarantee absolute security. Users and vendors are responsible for keeping account credentials confidential and notifying us immediately of suspected unauthorized access.
If a security incident affects personal data, Oneg will assess the incident and, where required by applicable law, notify affected users, regulators or relevant partners.
22. International transfers
Oneg may use service providers located outside your country, including hosting, cloud infrastructure, payment, analytics, messaging, email, support and authentication providers.
When personal data is transferred internationally, we use appropriate safeguards where required by applicable law, such as contractual protections, provider security commitments or other lawful transfer mechanisms.
23. Children
Oneg is not intended for children under the age of 18, unless a parent or legal guardian is involved and applicable law allows it.
We do not knowingly collect personal data from children under 18. If you believe a child provided us personal data without appropriate permission, contact us at yehielzaouch@gmail.com.
24. Third-party links and services
Oneg may link to third-party websites, vendor pages, payment pages, maps, social media pages or external services.
We are not responsible for the privacy practices of third-party services. You should review their privacy policies before using them.
25. App stores and platform disclosures
If you download Oneg from the Apple App Store or Google Play, the relevant app store may require privacy disclosures about the data collected through the app.
Our App Store privacy details and Google Play Data Safety section should match this Privacy Policy. If our practices change, we will update the relevant store disclosures where required.
Apple, Google and other platform providers may separately process data related to app downloads, purchases, device information, crash reports, account details and store usage according to their own privacy policies.
26. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
When changes are material, we may notify users through the website, app, email or another reasonable method. The "Last updated" date at the top shows when the Policy was last changed.
Continued use of Oneg after an update means the updated Privacy Policy applies, unless additional consent is legally required.
27. Contact us
For privacy questions, data requests or account deletion requests, contact:
- SHABBAT EATS
- Email: yehielzaouch@gmail.com
- Address: KOBOBI 69 JERUSALEM
- Website: https://onegapp.co
- Account deletion page: https://onegapp.co/account-deletion
Privacy contact
For privacy questions, data requests or account deletion requests, contact yehielzaouch@gmail.com.