Maatrachhaya · Blog
Who's reading your customers' phone numbers?
Most restaurant POS vendors can read your customer database. They store names and phone numbers in plain text on servers their employees, their acquirers, and any breach can reach. Here's what to ask before signing up — and what end-to-end encryption actually changes.
10 May 2026 · 6 min read
A regular at our restaurant — a teacher, soft-spoken, comes in every Sunday with her mother — once asked Maa quietly: “Aunty, coupons used to come on WhatsApp sometimes. Now I don't know who is sending them.” Two months earlier, she had given her number for a loyalty stamp at a different café. The number had wandered.
Most owners hear a story like this and assume it's about that one careless café. It isn't. It is about how almost every POS in India stores customer data, what the vendors can see, and what happens when one of them — or one of their employees, or one of their acquirers, or one of their breaches — decides that data is worth something.
The technology to fix this exists. Almost nobody in restaurant tech uses it. We did. Here is what to ask before you sign up to any POS — and what end-to-end encryption actually changes.
What “encrypted” usually means in a POS demo
When a vendor on a sales call says “your data is encrypted,” they almost always mean two things:
- Encrypted in transit: the connection between your POS and their server uses HTTPS. Standard, expected, table stakes.
- Encrypted at rest: the database files on their server are encrypted by the cloud provider — but the keys are held by the vendor. Their own application reads the data in clear text every time it loads a customer page.
This is real security against a hard drive being stolen or a stray backup tape going missing. It is not security against the people running the software. Their support team, their database admin, and anyone who can pull their access keys can read your customers' phone numbers as easily as you read this paragraph. So can a future buyer of the company. So can a hacker who phishes one engineer.
What end-to-end encryption changes
End-to-end encryption — sometimes called zero-knowledge — moves the keys to your device. Your POS encrypts each customer record before it leaves the shop. The vendor's server stores the result, but the server can't read it. There is no “decrypt button” in their admin panel because there is no key on their side to do it with.
This sounds dramatic, but it is the same idea your bank uses for your UPI PIN, and the same idea WhatsApp uses for your messages. The only thing different about putting it inside a POS is that almost no other POS vendor has bothered.
We bothered. The full design is on our security page: per-outlet keys generated on your machine, AES-256-GCM encryption, ciphertext-only storage in Indian data centres. The short version: even with full access to our database, our own team sees encrypted bytes.
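As an added illustration (not Maatrachhaya's code and not taken from its security page), this Node.js sketch shows device-side AES-256-GCM encryption of one customer record and what a server-side reader is left with. The envelope layout, the function names, the `outlet-001` id and the use of the outlet id as associated data are assumptions; the sample customer is constructed.

```javascript
// Added example: client-side AES-256-GCM for one customer record.
// Envelope layout and all names here are assumptions, not the vendor's format.
const crypto = require('node:crypto');

// Per-outlet key: 32 random bytes generated on the POS device, never uploaded.
function generateOutletKey() {
  return crypto.randomBytes(32);
}

// Encrypt on the device. The outlet id is bound as associated data (AAD), so a
// ciphertext copied into another outlet's row fails authentication.
function sealRecord(outletKey, outletId, record) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per record, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', outletKey, iv);
  cipher.setAAD(Buffer.from(outletId, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  return {
    outletId,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), // 16-byte GCM authentication tag
    ct: ct.toString('base64'),
  };
}

// Decrypt on the device. Throws if the key, outlet id, nonce, tag or ciphertext is wrong.
function openRecord(outletKey, envelope) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', outletKey, Buffer.from(envelope.iv, 'base64'));
  decipher.setAAD(Buffer.from(envelope.outletId, 'utf8'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(envelope.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// True only when the envelope authenticates and decrypts under this key.
function canOpen(outletKey, envelope) {
  try { openRecord(outletKey, envelope); return true; } catch (err) { return false; }
}

// Everything a support agent, DBA or database dump can see: the stored envelope.
function serverView(envelope) {
  return JSON.stringify(envelope);
}

// Constructed sample data.
const key = generateOutletKey();
const customer = { name: 'Constructed Customer', phone: '+91-0000000000' };
const stored = sealRecord(key, 'outlet-001', customer);
console.log(serverView(stored));                            // ciphertext, nonce and tag only
console.log(openRecord(key, stored).phone);                 // readable only with the device key
console.log(canOpen(key, { ...stored, outletId: 'outlet-002' })); // moved row is rejected
```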
Five questions to ask any POS vendor
Before you hand over your customer database to any restaurant software — ours included — ask these. The answers tell you more than any feature list.
- “Can your support team read a customer's phone number from your admin panel?” If yes, your customer data is one phishing email away from leaking.
- “If you got a court order, what would you be able to hand over?” A vendor that cannot decrypt your data can only hand over ciphertext. A vendor that can, will.
- “If your company is acquired, what does the acquirer get access to?” Most acquisition agreements transfer database access. Encryption keys held on your device do not transfer.
- “Where is my data stored, and who has admin access?” Indian data centres are the right answer for compliance. A short admin list, with named individuals, is the right answer for trust.
- “Can I export every customer, every sale, every recipe — as CSV — without asking for permission?” If the answer involves a support ticket, you do not own your data.
The bigger point
Your customers gave you their phone numbers. Not your software vendor. Not your software vendor's acquirer. Not the engineering intern who joined two months ago and has read access to the customer database.
We built Maatrachhaya so the chain of custody ends at your device. Your customers' data lives where they expect it to live: with you. We chose architecture over policy because policies change, owners change, and breaches happen — and the only promise worth making is one that survives all three.
If a vendor cannot answer those five questions cleanly, that is a signal. If they can, you have found something rare in this market. Either way — your customers will never know to thank you. But the ones who would have got that strange WhatsApp message two months later will be glad you asked.