Privacy Policy

Effective date: 2026-05-24 · Version: 2026-05-24-v1

This Privacy Policy describes how QR Service ("we", "us", or "our") collects, uses, and shares personal data when you use our website, the business and admin panels, the public API, and related services (together, the "Service"). It is written to satisfy both the EU General Data Protection Regulation 2016/679 ("GDPR") and the Turkish Personal Data Protection Law No. 6698 ("KVKK").

1. Data controller

The data controller for personal data processed via the Service is:

[INSERT_COMPANY_LEGAL_NAME]
[INSERT_REGISTERED_ADDRESS]
Trade registry / VKN: [INSERT_TAX_NUMBER]
VERBİS registration: [INSERT_VERBIS_NUMBER_IF_APPLICABLE]
Email: [INSERT_CONTACT_EMAIL]
Data Protection Officer (KVKK): [INSERT_DPO_EMAIL]
EU representative (GDPR Art. 27, if applicable): [INSERT_EU_REP]

2. Data we collect

  • Account data — username, business name, email (if provided), password hash, role, OAuth identifiers (Google sub) where you sign in with Google.
  • Billing data — plan, subscription state, billing cycle, Stripe customer / subscription ID. We do not store card numbers; Stripe handles payment data directly.
  • Configuration data — tables, forms, areas, staff users, business hours, optional service-area geofence coordinates.
  • Customer interaction data — form submissions sent from QR pages (call waiter, orders, ratings, etc.) and the per-device customer ID. The restaurant operator is the controller of this data; we act as a processor.
  • Technical data — IP address (for rate-limit and abuse enforcement), user-agent, request timestamps, server logs. Logs are retained for operational purposes and rotated. For our consent audit table we store only SHA-256 hashes of IP and user-agent, not the raw values.
  • Analytics data — only when you accept analytics cookies: aggregated page views, session duration, device class. See the Cookie Policy for details.

3. Why we process your data and on what legal basis

Purpose                                                    | GDPR Art. 6                   | KVKK Md. 5
-----------------------------------------------------------|-------------------------------|-----------------------------------------------
Provide and operate the Service for account holders.       | (b) performance of a contract | (2)(c) necessity for performance of a contract
Process payments and manage subscriptions.                 | (b) performance of a contract | (2)(c)
Security, fraud prevention, rate-limiting and abuse logs.  | (f) legitimate interest       | (2)(f) legitimate interest of the controller
Comply with tax, accounting and legal obligations.         | (c) legal obligation          | (2)(a) explicitly provided by law
Optional analytics (only after opt-in).                    | (a) consent                   | (1) explicit consent

4. Sharing with third parties

We share personal data only with sub-processors that are necessary to operate the Service, under written data-processing agreements:

  • Hosting provider — [INSERT_HOSTING_PROVIDER], hosting our servers and database (region: [INSERT_REGION]).
  • Stripe Payments Europe Ltd. — subscription billing.
  • Google Ireland Ltd. / Google LLC — Google Analytics (opt-in), Google Sign-In (if enabled by the owner), Google Maps (if enabled and used).
  • Email provider — [INSERT_EMAIL_PROVIDER] for transactional email (if configured).

We do not sell personal data and we do not share it for cross-context behavioural advertising.

5. International data transfers

Some of our sub-processors (notably Stripe, Google) process data outside the EU/EEA, the UK and Türkiye, including in the United States. Such transfers rely on:

  • European Commission Standard Contractual Clauses (GDPR Art. 46);
  • Equivalent safeguards under KVKK Md. 9 (currently relying on explicit consent for analytics and contractual necessity for billing); and
  • Each sub-processor's published transfer impact assessment.

6. Retention

  • Active accounts — for the duration of your subscription plus 10 years to satisfy commercial-record obligations under Turkish law (Turkish Commercial Code Art. 82 and Tax Procedure Law).
  • Closed accounts — same as above; personal identifiers are minimised after closure where possible.
  • Server logs — typically 30–90 days.
  • Consent records — for the lifetime of your cookie ID plus 24 months after withdrawal, to prove compliance.
  • Customer interaction data — controlled by the restaurant operator; default retention 12 months unless overridden.

7. Your rights

Under GDPR Art. 15–22 and KVKK Md. 11, you have the right to:

  • Learn whether we process your personal data and obtain a copy (access);
  • Correct inaccurate or incomplete data (rectification);
  • Ask for erasure where one of the legal grounds in GDPR Art. 17 / KVKK Md. 7 applies;
  • Restrict or object to processing on certain grounds;
  • Receive your data in a structured, machine-readable format (portability);
  • Withdraw consent at any time, where processing is based on consent;
  • Not be subject to a decision based solely on automated processing;
  • Object to processing that causes you damage or distress (KVKK Md. 11(1)(g)–(h));
  • Lodge a complaint with a supervisory authority (see section 9).

8. How to exercise your rights

Send a written request to [INSERT_DPO_EMAIL], including enough information for us to identify your records (account email or username, and a description of your request). We aim to respond within 30 days (GDPR) and within the period prescribed by KVKK secondary legislation (currently 30 days from the request being properly submitted).

We may ask you for additional information to verify your identity before acting on a request, in line with GDPR Art. 12 and KVKK Md. 13.

9. Complaint authorities

  • Türkiye: Kişisel Verileri Koruma Kurumu (KVKK), Nasuh Akar Mah. 1407. Sok. No: 4 Çankaya / Ankara, kvkk.gov.tr.
  • EU/EEA: the supervisory authority of the country where you live or work; a list is published by the European Data Protection Board at edpb.europa.eu.
  • United Kingdom: the Information Commissioner's Office (ico.org.uk).

10. Security

We apply technical and organisational measures appropriate to the risk under GDPR Art. 32 and KVKK Md. 12: passwords are stored as bcrypt hashes, sessions use secure HTTP-only cookies under HTTPS, CSRF and rate-limiting are enforced on mutating endpoints, and access to production data is restricted.

11. Children

The Service is intended for business operators aged 18 and over. We do not knowingly collect personal data from children. Restaurant customers using QR order pages are not asked to provide personal identifiers; if you believe a child has provided personal data, please contact us so we can delete it.

12. Changes

We may update this policy. Material changes are signalled by bumping the version above and re-prompting cookie consent. The latest version is always available at this URL.

13. Contact

For privacy questions, data-subject requests, or to reach our Data Protection Officer: [INSERT_DPO_EMAIL].


This template is a starting point and is not legal advice. Have it reviewed by qualified counsel — especially the controller details, retention periods, sub-processor list, and international-transfer mechanisms — before publishing.