Privacy Policy
Last updated: 2026-05-13
This policy explains what personal data we process through qorder, why we process it, and what your rights are. It applies both to business owners using the qorder dashboard and to customers who place an order via a QR-code menu.
1. Who we are
Data controller: „АР ЕМ ДИДЖИТАЛ" ООД (transliterated: RM Digital Ltd.), a limited liability company registered in Bulgaria, EIK 208452504. Contact for data protection matters: support@qorder.me.
2. What data we process
2.1. From customers of our business clients (QR-code order)
When a customer scans the QR code on a table and places an order, we process:
- Order content — the items the customer selects, quantities, options (e.g. "extra cheese"), optional tip.
- Order notes — free text the customer voluntarily enters (e.g. "no nuts please").
- Browser language — to render the menu in the right language.
- Table identifier — so the order routes to the correct table in the kitchen.
We do not collect a name, email, or phone number from customers. Access to the order receipt is via an unguessable 8-character code that is shown on the confirmation page and held only by the customer.
The customer's card details are entered directly into the secure payment page of the merchant's payment provider (currently Stripe). qorder never sees or stores those details.
2.2. From business owners
When you sign up for and use the qorder dashboard we process:
- Email and password — the password is hashed with BCrypt; nobody, including us, can read it in plaintext.
- First and last name, business role, preferred interface language.
- Business data — name, URL handle (slug), currency, description (optional), cover image (optional), opening hours.
- Menu content — items, prices, options, allergens, translations, images.
- Table data — label and URL handle for each table.
- Payment-provider credentials — API keys for your payment provider (e.g. Stripe), stored encrypted with AES-256-GCM in our database. We never display them again after you save them.
3. Why we process this data (lawful bases)
- Performance of a contract (Art. 6(1)(b) GDPR) — to maintain the owner's account and deliver the service.
- Legitimate interest (Art. 6(1)(f) GDPR) — to deliver the order content to the business it is addressed to; for basic security logs and error tracking.
- Compliance with legal obligations (Art. 6(1)(c) GDPR) — accounting and tax obligations under Bulgarian law, within the scope of our duties.
4. Who we share data with
We share personal data only with:
- The business whose QR code the customer scanned — they receive the full order content, including notes.
- The merchant's payment provider (currently Stripe; more being added) — we send the cart contents to create a payment session. The customer's card details are entered directly on the provider's page and never pass through qorder.
- Cloudinary (Cloudinary Ltd., USA) — our processor for storing item images and business cover images.
- Sentry (Functional Software, Inc., USA) — our processor for error tracking. We never attach end-user PII to the errors we send.
We do not sell personal data to third parties. We do not give access to advertisers.
5. Transfers outside the EU
Cloudinary, Sentry, and Stripe are established in the USA (or have US affiliates). Data transfers to them rely on the European Commission's Standard Contractual Clauses (SCCs) plus the supplementary measures those providers commit to.
6. How long we keep data
- Orders — kept for the period required by Bulgarian accounting and tax law (typically 10 years), then deleted.
- Owner accounts and related business data — for the duration of the active contract plus 12 months after termination, to resolve potential disputes.
- Standard access logs — up to 30 days.
7. Browser-side technical data
The qorder dashboard stores the following items in your browser's local storage. All of them are either strictly necessary for the service to function or are user preferences:
- Authentication token (JWT) — required to keep you signed in.
- Basic profile data (email, name) — so we don't refetch it on every page load.
- Selected theme (light / dark) — your preference.
- Selected language — your preference.
We do not use tracking cookies. We do not embed advertising networks, do not load third-party analytics on customer-facing pages, and do not pass data to social networks.
8. Your rights
As a data subject you have the right to:
- request access to the data we hold about you;
- request correction of inaccurate data;
- request erasure ("right to be forgotten") subject to GDPR conditions;
- request restriction of processing;
- request portability of your data in a machine-readable format;
- object to processing based on legitimate interest;
- withdraw your consent at any time, without this affecting the lawfulness of prior processing.
To exercise these rights, send a request to support@qorder.me. We will respond within 30 days.
9. Right to lodge a complaint
If you believe your rights have been violated, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection:
- 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd.
- website: www.cpdp.bg
- email: kzld@cpdp.bg
10. Security
We use industry-standard protections: HTTPS for all traffic, BCrypt for passwords, AES-256-GCM for payment-provider credentials at rest, short-lived JWTs for sessions, and strict isolation between businesses so no owner can see another business's data.
11. Changes to this policy
We may update this policy. For material changes we will notify active owners by email. The last-updated date appears at the top of this document.
See also the Terms of Service — part of the same legal package.