Last updated: 2026-02-26

Privacy Policy

1. Data Controller

1.1. The controller of your personal data is [COMPANY NAME], with registered office at [ADDRESS] (hereinafter "Controller").

1.2. Contact: [email protected]

2. Purposes and Legal Bases for Processing

2.1. We process your personal data for the following purposes:

| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Subscription and payment processing | Performance of contract (Art. 6(1)(b)) |
| Customer support and communication | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (with consent) | Consent (Art. 6(1)(a)) |

3. Categories of Data Processed

3.1. Account data: email address, hashed password, locale preference.

3.2. Restaurant data: restaurant name, address, phone number, email, opening hours, logo, hero image.

3.3. Payment data: processed by Stripe; we store only subscription status, plan type, and billing period. We do not store card numbers.

3.4. Technical data: IP address, user agent, browser type, timestamps of consent and actions.

3.5. Analytics data: anonymised menu view events, QR scan events, item interaction data.

4. Data Recipients

4.1. We share your data with the following categories of recipients:

  • Supabase (database and authentication provider)

  • Stripe (payment processing)

  • DigitalOcean (hosting infrastructure)

  • Cloudflare (CDN and security)

4.2. We do not sell your personal data to third parties.

5. Data Transfers

5.1. Some of our service providers operate outside the European Economic Area (EEA). Where applicable, we ensure adequate safeguards through Standard Contractual Clauses (SCCs) or adequacy decisions.

6. Retention Periods

6.1. Account data: retained for the duration of the account and up to 30 days after deletion.

6.2. Payment records: retained for the period required by tax law (5 years in Poland).

6.3. Legal consent records: retained indefinitely as part of the GDPR compliance audit trail.

6.4. Analytics data: retained in anonymised form; no personal data is stored in analytics events.

7. Your Rights

7.1. Under GDPR, you have the right to:

  • Access your personal data (Art. 15)

  • Rectify inaccurate data (Art. 16)

  • Erase your data ("right to be forgotten") (Art. 17)

  • Restrict processing (Art. 18)

  • Data portability (Art. 20)

  • Object to processing based on legitimate interest (Art. 21)

  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))

7.2. To exercise your rights, contact us at: [email protected]

7.3. We will respond to your request within 30 days.

8. Cookies and Tracking

8.1. The Platform uses the following cookies:

| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Session |
| Locale cookie | Language preference | 1 year |
| Theme cookie | Dashboard theme preference | 1 year |

8.2. We do not use third-party tracking cookies or advertising pixels.

9. Data Security

9.1. We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS)
  • Row-Level Security (RLS) for tenant isolation
  • Hashed passwords (bcrypt via Supabase Auth)
  • Regular security audits

10. Right to Lodge a Complaint

10.1. If you believe your data protection rights have been violated, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO):

Urzad Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl

11. Changes to This Policy

11.1. We may update this Privacy Policy from time to time. Changes will be communicated via email or Platform notification at least 14 days before taking effect.


This Privacy Policy is a draft and requires review by a qualified legal professional before publication.