Privacy Policy
Privacy Policy — esahav.com
Publisher: Fredo Andrianaivo — Sole Proprietorship Registered office: Immeuble SALFA, Ambatovinaky, Antananarivo, Madagascar Tax ID (NIF): 2008312301 · Stat. ID (STAT): 70209 11 2026 0 01075 · Trade Register (RCS): 2026 A 00363 Publication Director: Fredo Andrianaivo Contact: contact@esahav.com Hosting: Private virtual server operated via Dokploy (Lauterbourg, Grand Est, France)
Article 1: Preamble
This privacy policy applies to the esahav.com website and its companion professional application (together, "the platform"), published by Fredo Andrianaivo, operating as a sole proprietorship in Antananarivo, Madagascar.
esahav is a Malagasy platform that allows consumers to order from and book at partner restaurants (dine-in, takeaway or delivery), and that allows restaurants to manage their menu, orders and bookings.
The purpose of this policy is to explain to users:
- How their personal data is collected and processed;
- The rights they have over that data;
- Who the data controller is;
- Which recipients and processors may receive that data;
- The platform's cookie policy.
It complements the General Conditions of Use available at https://esahav.com/terms/cgu and the General Conditions of Sale available at https://esahav.com/terms/cgv.
Personal data is processed in compliance with Law No. 2014-038 of 9 January 2015 on the protection of personal data, in force in Madagascar, under the supervision of the Malagasy Commission on Information Technology and Civil Liberties (CMIL). The platform also follows the principles of the European Regulation 2016/679 (GDPR) as a best-practice baseline.
Article 2: General principles
Data collection and processing respect the following principles:
- Lawfulness, fairness and transparency: data is collected only with prior information to the user and, where required by law, their consent;
- Specific purposes: data is collected for the explicit purposes set out in this policy;
- Data minimisation: only the data strictly necessary for the stated purposes is collected;
- Limited retention: data is kept for the durations defined below;
- Integrity and confidentiality: technical and organisational measures protect the data.
To be lawful, processing must rely on one of the following legal bases:
- The user's free and informed consent;
- Performance of a contract to which the user is a party (order, booking, account);
- A legal obligation incumbent on esahav;
- The protection of the user's or another person's vital interests;
- esahav's legitimate interest, where it does not override the user's rights and freedoms.
Article 3: Data collected
A. Categories of data
esahav collects the following categories of data:
- Identity: first name, last name, date of birth (where applicable), profile photo (optional);
- Contact details: email address, phone number;
- Delivery addresses: label, free text, geographic coordinates (latitude/longitude) when the user chooses to locate themselves;
- Order and booking data: ordered items, amounts, time slots, notes, service mode (dine-in, takeaway, delivery);
- Payment data: the mobile-money number used to initiate the transaction (MVola, Airtel Money, Orange Money). The payment secret/OTP is entered directly on the mobile-money operator's interface and is never stored by esahav. Only the transaction receipt (reference, status, amount) is kept;
- Technical data: IP address, session ID, user-agent, device type, activity logs;
- Restaurant data (professional side): business name, NIF, STAT, RCS, sanitary authorisations, payout mobile-money number, manager contact details.
B. When data is collected
Data is collected when:
- A user or restaurant account is created;
- An order or booking is placed;
- A mobile-money payment is received;
- The platform is browsed (cookies and technical logs);
- The user contacts customer support.
C. Purposes of processing
Data is processed in order to:
- Enable account creation, authentication and management;
- Process orders, bookings and payments;
- Coordinate delivery or pickup with the restaurant;
- Send transactional communications (confirmations, order status, receipts);
- Provide customer support and mediation in case of disputes;
- Comply with applicable legal and tax obligations;
- Improve the platform (aggregate usage metrics, fraud prevention).
D. Legal bases
- Account management, orders, payments → performance of the contract;
- Transactional communications → performance of the contract;
- Marketing communications (if any) → consent (revocable at any time);
- Accounting retention of receipts → legal obligation;
- Analytics cookies → consent;
- Fraud prevention → legitimate interest.
Article 4: Retention periods
- User account: 3 years after last activity;
- Restaurant account: duration of the contractual relationship + 3 years;
- Order history and invoices: 10 years (accounting obligation);
- Mobile-money payment receipts: 10 years (accounting obligation);
- Analytics cookies: 13 months;
- Technical logs: 12 months;
- Support data (tickets, exchanges): 3 years after closure.
After these periods, data is deleted or anonymised.
Article 5: Recipients and processors
esahav does not sell or rent personal data. It may be transmitted to the following processors, strictly for the purposes described above:
- Telma (MVola) — mobile-money collection and payout (Madagascar);
- Airtel Madagascar — mobile-money collection and payout (Madagascar);
- Orange Money Madagascar — mobile-money collection and payout (Madagascar);
- ImageKit — storage and optimisation of restaurant and product photos (outside Madagascar);
- Zoho Mail (Zoho Corporation) — transactional emails (outside Madagascar);
- Mapbox / MapLibre — map rendering (outside Madagascar);
- Google Places API — address autocomplete (outside Madagascar);
- VPS host / Dokploy — application hosting and MongoDB database (Lauterbourg, France — outside Madagascar).
The partner restaurant receives the data needed to fulfil the order concerning it (customer name, delivery address, order content, phone number where applicable).
Article 6: Transfers outside Madagascar
Some technical processors (the Dokploy VPS host in Lauterbourg, ImageKit, Zoho, Mapbox, Google) operate from abroad. esahav ensures these processors offer a reasonable level of protection and shares only the data strictly required for their service. Users may request, by email at contact@esahav.com, details about the safeguards in place.
Article 7: Data controller
The data controller is Fredo Andrianaivo, operating as a sole proprietorship under the esahav brand. Any request relating to personal data may be sent to contact@esahav.com.
The controller commits to:
- Protecting the collected data through reasonable technical and organisational measures;
- Not transmitting the data to third parties outside the cases listed in Article 5;
- Strictly respecting the declared purposes;
- Using a TLS certificate (HTTPS) to secure exchanges with the platform;
- Notifying the user and the CMIL without undue delay in the event of a data breach likely to create a risk for their rights and freedoms.
Article 8: User rights
In accordance with Law No. 2014-038, the user has the following rights:
- Right of access: confirm that their data is processed and obtain a copy;
- Right to rectification: have inaccurate or incomplete data corrected;
- Right to erasure: request the deletion of their data, subject to legal retention obligations;
- Right to portability: receive their data in a structured, commonly used format, or have it transmitted to another service;
- Right to object: oppose the processing of their data on grounds relating to their particular situation;
- Right to withdraw consent: at any time, for processing based on consent, without affecting prior processing;
- Right not to be subject to a decision based solely on automated processing;
- Right to decide on the fate of data after death;
- Right to lodge a complaint with the CMIL (Malagasy Commission on Information Technology and Civil Liberties).
To exercise these rights, users may send a request to contact@esahav.com, specifying their identity (first name, last name, email tied to the account) and the subject of the request. esahav responds within a maximum of 30 days.
Article 9: Cookies
A. Categories of cookies used
- Essential cookies — authentication, cart, security — consent not required;
- Analytics cookies — anonymised audience measurement — consent required;
- Map cookies — Mapbox / MapLibre map rendering — consent required;
- Third-party cookies — features provided by processors (Google, etc.) — consent required.
Consent for non-essential cookies is collected via a banner on the first visit and is valid for 6 months. Once it expires, consent is requested again.
B. Withdrawal of consent
At any time, the user may:
- Update their preferences through the "Cookies" link at the bottom of the page;
- Configure their browser (Chrome, Firefox, Safari, Edge, Opera) to block cookies;
- Email contact@esahav.com.
Disabling non-essential cookies may impair certain features (maps, analytics).
Article 10: Security
esahav implements the following measures:
- TLS (HTTPS) encryption across the entire platform;
- Password hashing (passwords are never stored in clear text);
- Strict access controls on databases;
- Regular backups;
- Logging of sensitive administrative actions.
Article 11: Changes to this policy
esahav reserves the right to amend this policy to remain compliant with applicable law. In the event of a substantial change, users are informed by a notification on the platform or by email before the changes come into force.
The applicable version is always the one available at https://esahav.com/terms/privacy.
Last updated: 15 May 2026.
Article 12: Acceptance
By browsing the platform and creating an account, the user acknowledges having read and understood this privacy policy.
Contact
For any question relating to your personal data, the exercise of your rights or a rectification request, please write to: contact@esahav.com.
