Privacy Policy

Last updated: May 28, 2026

GrabEats Technologies Limited (“GrabEats”, “we”, “us”) is committed to protecting your privacy. This policy describes how we collect, use, and safeguard your information when you use our platform and services.

Information we collect

We may collect information you provide when you register, place orders, or contact us, including name, email, phone number, delivery address, and payment details. We also collect usage data (e.g. device, IP, pages visited) to improve our services.

How we use your information

We use your information to process orders, communicate with you, improve our app and website, prevent fraud, and comply with legal obligations. We do not sell your personal data to third parties.

Sharing of information

We may share information with restaurants and delivery partners to fulfil orders, and with service providers who assist our operations (e.g. hosting, payments), under strict confidentiality. We may disclose information when required by law.

Third-party services and processors

Depending on features you use, data may be processed by subprocessors such as:

  • Cloud hosting and database — where the app and data store run (e.g. managed servers or PaaS in a chosen region).
  • Payment providers — for example MTN Mobile Money (MoMo) for collection and disbursements; they receive transaction references, amounts, and identifiers needed to complete payments.
  • Maps and location — for example Google Maps Platform (when enabled) for geocoding, routing, or map display; requests may include coordinates or place identifiers subject to Google’s terms.
  • Email and notifications — transactional email or push/in-app notification providers used to send order updates and account messages.
  • Analytics and error monitoring — if enabled, limited technical or usage data may be sent to analytics or crash-reporting tools to improve reliability.

We select providers with appropriate safeguards and contracts where required. A detailed subprocessor list can be published on request or linked here as your vendor stack stabilises.

Security, encryption, and retention

We use appropriate technical and organisational measures to protect your data. In transit, data between your device and our services is protected using TLS (HTTPS) for web and API traffic where TLS is enabled on the server and client.

At rest, encryption depends on your hosting provider and database product (for example full-disk encryption on the server, encrypted managed databases, or encrypted object storage). GrabEats configures production environments to use providers that offer industry-standard protections; verify the exact controls in your deployment’s security documentation (e.g. cloud console “encryption at rest” settings).

We retain your information for as long as needed to provide services, resolve disputes, and meet legal, tax, and accounting obligations. Retention periods may differ by data category (see below).

Your rights (including GDPR-style requests)

If the laws of your country or region apply (including, for individuals in the European Economic Area or UK, concepts similar to GDPR), you may have rights to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data, subject to legal exceptions (for example completed transactions we must retain for tax or fraud-prevention).
  • Restriction or objection — ask us to limit or stop certain processing where the law allows.
  • Portability — where applicable, receive your data in a structured, machine-readable format.
  • Withdraw consent — where processing is based on consent (e.g. marketing), you may withdraw it at any time.
  • Lodge a complaint — with your local data protection authority.

We respond within a reasonable period, as required by applicable law (often within one month for GDPR-style requests, subject to extension for complex cases). We may need to verify your identity before acting on a request.

Data deletion and account closure

To delete your account or request erasure of personal data, contact us via Contact Us from the email address on your account (or provide proof of identity if you no longer have access). We will:

  • Confirm receipt of your request within a reasonable timeframe.
  • Disable login and marketing use of the account where applicable.
  • Delete or anonymise profile and preference data that we are not legally required to keep.
  • Retain order, payment, delivery, and dispute records for the period required by law, regulation, or legitimate business needs (for example tax records, fraud prevention, and defence of legal claims). Such records may be minimised to what is necessary and, where possible, anonymised.

If you are a restaurant partner or rider with contractual obligations, separate offboarding or data-handling steps may apply under your agreement.

International transfers

If data is stored or processed outside your country, we rely on appropriate safeguards where required (for example standard contractual clauses or adequacy decisions). Ask us for more detail if your organisation requires transfer documentation.

App-specific disclosures

If you use the GrabEats iOS, Android, or other mobile apps, additional documents apply, including our iOS End User License Agreement (EULA), Android EULA, data sharing disclosure, and third-party SDKs & services summary. A single hub with support contacts is available at App & legal information.

Contact

For privacy-related questions or requests, email support@grabeats.com or use our Contact Us page.
