← Back to home

Cookie Policy

Effective date: 2026-05-24 · Version: 2026-05-24-v1

This Cookie Policy explains how QR Service ("we", "us", or "our") uses cookies and similar technologies on this website (the "Service"). It applies in addition to our Privacy Policy and is intended to comply with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive (2002/58/EC), and the Turkish Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu, Law No. 6698).

1. What cookies are

Cookies are small text files placed on your device by a website you visit. They are widely used to make websites work, or work more efficiently, and to provide usage information to the site owners. Similar technologies include local storage and pixels; in this policy we refer to all of them as "cookies".

2. Categories of cookies we use

2.1 Strictly necessary cookies

These cookies are required to operate the Service and cannot be disabled. They do not require consent under GDPR Art. 5(3) ePrivacy / KVKK Md. 5(2)(c) ("performance of a contract") and Md. 5(2)(f) ("legitimate interest").

NamePurposeDurationProvider
connect.sid Keeps you signed in to the business / admin panel. Session QR Service (first-party)
_csrf / CSRF token Protects against cross-site request forgery on forms and API calls. Session QR Service (first-party)
qr_consent Remembers your accept / reject choice for non-essential cookies. 12 months QR Service (first-party)

2.2 Analytics cookies optional

These cookies are loaded only after you accept them in the consent banner. They help us understand which pages are popular and where users encounter problems. We use Google Analytics 4 (GA4) with IP anonymisation and Consent Mode v2; no analytics requests are sent before you opt in.

NamePurposeDurationProvider
_ga Distinguishes unique users for aggregated analytics. 2 years Google Ireland Ltd. / Google LLC
_ga_<container> Holds the GA4 session state. 2 years Google Ireland Ltd. / Google LLC

Google Analytics data is processed in the United States. Where you are in the EU, the UK or Türkiye, the transfer relies on Standard Contractual Clauses (SCCs) and Google's privacy framework.

3. Third-party services that may set cookies

Some pages embed third-party services. Each is loaded only when its feature is used. They have their own cookie policies which take precedence on their own domains.

  • Stripe — payment processing. Loaded on signup, billing, and admin pricing pages. stripe.com/privacy.
  • Google Fonts — typography. Loaded site-wide; no analytics cookies.
  • Google Maps — only on the business "Service area" settings screen when the integration is enabled. policies.google.com/privacy.
  • Google Analytics — opt-in only, as described above.

4. Customer QR pages

Pages reached by scanning a per-table QR code (URLs starting with /qr/) do not load Google Analytics or any optional cookies. Only the strictly necessary cookies listed above may be set on those pages. The restaurant operator is the data controller for any data collected from its guests; QR Service acts as a processor in that context.

5. Your choices

  • Consent banner — on your first visit, you will see a banner asking you to accept or reject optional cookies. You can change your decision at any time using the "Cookie settings" link in the page footer.
  • Browser controls — most browsers let you block or delete cookies. Disabling necessary cookies may prevent parts of the Service from working (for example, signing in).
  • Withdraw consent — selecting "Reject" removes optional tracking immediately for the current device. Existing analytics data we already collected before withdrawal remains in aggregated form.

6. How we record your choice

When you accept or reject, your decision is saved in two places:

  • A first-party cookie (qr_consent) on your device, valid for 12 months.
  • A row in our consent_logs table, containing a random consent ID, your choice, the policy version, a SHA-256 hash of your IP address, and a SHA-256 hash of your user-agent. We do not store your raw IP or user-agent. This audit trail is kept to demonstrate compliance with GDPR Art. 7(1) and KVKK Md. 12.

7. Changes to this policy

We may update this Cookie Policy from time to time. Material changes will be signalled by bumping the version number above; existing consents become stale and you will be re-prompted on your next visit.

8. Contact

Questions about cookies or this policy can be sent to [INSERT_CONTACT_EMAIL]. See also the Privacy Policy for how to exercise your rights under GDPR or KVKK.

This template is a starting point and is not legal advice. Have it reviewed by qualified counsel before publishing to ensure it reflects your specific processing activities and applicable jurisdictions.