Privacy Policy
Last updated: December 17, 2025
1. Introduction
This Privacy Policy explains how GrandQR, operated by Bogdan Sokolov (Autónomo), NIE: Z1894474S, registered in Spain, collects, uses, stores, and protects your personal data when you use our QR menu platform.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection (LOPDGDD), and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is: Bogdan Sokolov (Autónomo), NIE: Z1894474S, registered in Spain. For any data protection inquiries, please contact us at support@grandqr.com.
3. Personal Data We Collect
Account Information: When you register, we collect your email address for authentication and communication purposes. We use passwordless authentication, so we do not store passwords.
Business Information: Restaurant name, description, URL slug, contact details (phone, WhatsApp, Instagram), location data, and working hours that you provide for your public menu website.
Menu Content: Categories, menu items, descriptions, prices, and images you upload to create your digital menu.
Usage Data: Information about how you use our service, including page views, feature usage, and interaction patterns collected through analytics.
Payment Information: When you subscribe to paid plans, payment processing is handled by Stripe. We do not store your full credit card details; Stripe processes and secures this information.
Technical Data: IP addresses, browser type, device information, and cookies as described in our Cookies Policy.
4. How We Use Your Data
We use your personal data for the following purposes:
To provide and maintain our QR menu service, including creating your restaurant website and generating QR codes.
To authenticate your account using email verification codes.
To process payments and manage your subscription through Stripe.
To communicate with you about your account, service updates, and support requests.
To provide AI-powered features such as menu translations and image optimization.
To analyze service usage and improve our platform.
To comply with legal obligations and protect our legitimate interests.
5. Legal Basis for Processing
Contract Performance: Processing necessary to provide our service to you (Article 6(1)(b) GDPR).
Legitimate Interests: Analytics and service improvement, fraud prevention (Article 6(1)(f) GDPR).
Consent: For optional features like marketing communications (Article 6(1)(a) GDPR).
Legal Obligation: When required by law or regulatory requirements (Article 6(1)(c) GDPR).
6. Data Storage and Security
Your data is stored on secure servers provided by Amazon Web Services (AWS). Our database is hosted in the AWS Stockholm (eu-north-1) region within the European Union, ensuring compliance with EU data protection requirements.
Images and media files you upload are stored on AWS S3 servers located in the EU region. Data is encrypted in transit using TLS/SSL and at rest using AES-256 encryption.
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These include secure authentication, access controls, regular security audits, and employee training.
7. Data Sharing and Third Parties
We share your data with the following categories of third parties:
Stripe (Payment Processor): Processes subscription payments. Stripe is certified under the EU-US Data Privacy Framework. Their privacy policy: https://stripe.com/privacy
Amazon Web Services (Infrastructure): Hosts our servers and databases in EU regions. AWS complies with GDPR and is certified under the EU-US Data Privacy Framework.
AI Service Providers: We use AI services for menu translations and image optimization. Data is processed in accordance with their privacy policies and data processing agreements.
Google Analytics: For anonymized website analytics (if enabled). You can opt out via cookie preferences.
We do not sell your personal data to third parties. We may disclose data if required by law or to protect our legal rights.
8. International Data Transfers
Your data is primarily stored and processed within the European Union (AWS Stockholm, eu-north-1 region). When data is transferred outside the EU (for example, to US-based service providers), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and certification under recognized data protection frameworks.
9. Data Retention
Account Data: Retained while your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
Menu Content: Retained while your account is active. Deleted upon account termination.
Payment Records: Retained for 7 years as required by Spanish tax law.
Analytics Data: Aggregated and anonymized data may be retained indefinitely for service improvement.
Backup Data: May be retained in encrypted backups for up to 90 days after deletion for disaster recovery purposes.
10. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of Access: Request a copy of your personal data we hold.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data ('right to be forgotten').
Right to Restriction: Request limitation of processing in certain circumstances.
Right to Data Portability: Receive your data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
To exercise these rights, contact us at support@grandqr.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
11. Children's Privacy
GrandQR is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our website. The 'Last updated' date at the top indicates when the policy was last revised.
Your continued use of GrandQR after changes are posted constitutes acceptance of the revised policy.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us.
Email: support@grandqr.com
Data Controller: Bogdan Sokolov (Autónomo), NIE: Z1894474S