Privacy Policy

Last updated: January 2025

1. Introduction

Welcome to QR Menu & Order ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital menu and ordering service.

This Privacy Policy applies to all users of QR Menu & Order, including restaurant owners who create menus and customers who access menus via QR codes. By using our service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (for authentication and communication)
  • Password (hashed and encrypted)
  • Restaurant name and public URL address
  • Full name and contact information

2.2 Restaurant Information

To provide our service, we collect and store:

  • Restaurant address and location
  • Phone number and country code
  • Currency preferences
  • Menu content (dishes, descriptions, prices, images)
  • Menu language preferences and translations
  • Wi-Fi network credentials (SSID and password, if provided)
  • Social media links (website, Instagram, Facebook, Twitter)
  • Appearance settings (theme, fonts, cover images)

2.3 Payment Information

When you subscribe to our paid plans:

  • Payment processing is handled securely by Stripe
  • We store Stripe customer ID and subscription details
  • We do not store your credit card details; Stripe handles all payment data
  • Billing information (if provided) is processed by Stripe

2.4 Analytics and Usage Data

We automatically collect information about how you use our service:

  • QR code scans (menu URL, timestamp, IP address)
  • Page views on public menu pages (IP address, user agent, referrer)
  • Time of day analytics (morning, afternoon, evening)
  • Device information (browser type, operating system)
  • Session data and navigation patterns

2.5 Communication Data

When you contact us or subscribe:

  • Contact form submissions (name, email, company, message)
  • Newsletter subscription email addresses
  • Customer service communications

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Provision: To create, manage, and display your digital menus and QR codes
  • Authentication: To authenticate your identity and manage your account
  • Payment Processing: To process subscription payments and manage your plan
  • Analytics: To provide you with insights about QR code scans and menu views
  • Communication: To respond to your inquiries, send important service updates, and provide customer support
  • Improvement: To analyze usage patterns and improve our platform
  • Translation: To provide automatic translation of menu content into multiple languages
  • Security: To protect against fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with applicable laws and regulations

4. Data Storage and Security

4.1 Data Storage

Your data is stored securely using:

  • Supabase: Our database and authentication provider stores your account and menu data with enterprise-grade security
  • Row Level Security (RLS): Database-level security policies ensure users can only access their own data
  • LocalStorage: Session data is stored locally in your browser (expires after 24 hours)
  • Encryption: All data in transit is encrypted using SSL/TLS protocols

4.2 Security Measures

We implement industry-standard security measures:

  • Encrypted connections (HTTPS) for all data transmission
  • Secure password hashing (never stored in plain text)
  • Row-level security policies in our database
  • Regular security audits and updates
  • Limited access to personal data (only authorized personnel)

5. Third-Party Services

We use the following third-party services to provide our platform:

5.1 Supabase

We use Supabase for database storage, authentication, and file storage. Supabase is GDPR compliant and processes data according to their privacy policy.

5.2 Stripe

Payment processing is handled by Stripe. When you make a payment, Stripe collects and processes your payment information according to their privacy policy. We only receive confirmation of successful payments and subscription status.

5.3 Vercel Analytics

We use Vercel Analytics and Speed Insights to understand website performance and usage patterns. This service may collect anonymized analytics data.

5.4 Trustpilot

We integrate Trustpilot widgets to display customer reviews. Trustpilot may use cookies according to their privacy policy.

5.5 Google Fonts

We use Google Fonts to display typography. Google may collect information about font usage according to their privacy policy.

6. Cookies and Local Storage

We use cookies and local storage for the following purposes:

  • Authentication Cookies: Supabase uses cookies to maintain your login session
  • LocalStorage: We store session data locally (expires after 24 hours) to improve user experience
  • Cache Data: We cache user data locally to reduce server load and improve performance
  • Third-Party Cookies: Trustpilot and other third-party services may set their own cookies

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our platform.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

  • Service Providers: With third-party service providers (Supabase, Stripe, Vercel) who help us operate our platform
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In the event of a merger, acquisition, or sale of assets
  • Public Menu Data: Your menu content is publicly accessible via QR codes (this is necessary for the service)
  • With Your Consent: When you explicitly authorize us to share your information

8. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information through your account settings
  • Deletion: Request deletion of your account and associated data
  • Data Portability: Request your data in a portable format
  • Objection: Object to certain processing of your data
  • Withdrawal of Consent: Withdraw consent for newsletter subscriptions or other optional services

To exercise these rights, please contact us at info@innobytes.io.

9. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active
  • Menu Data: Retained while your account is active
  • Analytics Data: Retained for analysis purposes (anonymized after account deletion)
  • Payment Records: Retained as required by financial regulations (typically 7 years)
  • Contact Submissions: Retained for customer service purposes

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

10. Children's Privacy

Our service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at info@innobytes.io.

11. International Data Transfers

Your data may be processed and stored in locations outside your country of residence:

  • Our service providers (Supabase, Stripe, Vercel) may process data in various locations globally
  • We ensure adequate safeguards are in place to protect your data during international transfers
  • All data transfers comply with applicable data protection laws, including GDPR

12. GDPR Compliance

If you are located in the European Economic Area (EEA), you have specific rights under the General Data Protection Regulation (GDPR):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

Our legal basis for processing includes: consent, contract performance, legal obligations, and legitimate interests.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes. Continued use of our service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

InnoByte OÜ

Registry code: 17288940

Sepapaja tn 6, 15551 Tallinn, Estonia

Email: info@innobytes.io

15. Data Controller

InnoByte OÜ, with registry code 17288940, located at Sepapaja tn 6, 15551 Tallinn, Estonia, is the data controller responsible for your personal data.