Security & Data Protection
We describe the full lifecycle of your data as it really is: what we collect, where we store it, how long we keep it and how we delete it. We never present a certification we do not hold as if we held it.
This page explains the company's own data practices. It is not legal advice or a statement of legal obligation; see our privacy policy for the formal texts.
The Data Lifecycle
The path data follows from the moment a guest opens the QR menu to the moment it is deleted.
Collection
We collect only the data the service needs to work: order items, table number, bill total, and business details for the restaurant account. Guests are never asked to create an account or sign up personally.
Processing
Data is processed to relay the order, split the bill and initiate payment. Payment card data is not processed by us; it goes straight to the payment provider's PCI DSS scoped infrastructure.
Storage Location
Production data is held in access-controlled databases on managed hosting infrastructure in an EU region. Backups are kept within the same legal region.
Retention
Operational order records are kept only as long as the business needs them for reporting; contact-form data is kept for at most 90 days. Retention periods are limited by purpose.
Deletion
Expired data is deleted on a regular cycle. Deletion requests are processed within 30 days, and the deleted data is removed from backups at the end of the backup cycle.
Encryption in Transit and at Rest
We describe encryption without overstating it: we say what we do and never quote a fabricated certificate number.
In transit
All traffic between the browser and our servers is encrypted over HTTPS/TLS. Plain HTTP is redirected to HTTPS and security headers (HSTS, content security policy) are applied.
At rest
The database and backups are protected by the managed hosting provider's disk-level encryption. Encryption keys are managed by the provider's key management; they are not embedded in application code.
Payment data
We neither store nor log sensitive payment data such as card number, expiry date or CVV. That data is handled by the PCI DSS scoped payment provider.
Access Control & Auditing
Least privilege: no one can access more than they need, and important actions are recorded.
Least privilege
Employee access is role-based and limited to the scope required for the task. Access to production data is denied by default.
Authentication
Access to admin interfaces is protected by authentication. Strong password enforcement and session management are in place for business accounts.
Audit logging
System and administrative actions are logged; these records are used for investigation and accountability in the event of an incident.
Data isolation
Each restaurant sees only its own data; tenant-based isolation is applied to prevent data leakage between businesses.
Backups & Availability
Our posture against data loss and downtime — with realistic commitments.
Regular backups
The production database is backed up regularly and backups are stored in the same legal region. The restore process is designed to bring data back when recovery is needed.
Availability posture
We aim to run the service with high availability. A specific contractual uptime (SLA) commitment is defined separately in enterprise agreements; we do not quote a fabricated percentage here.
Disaster readiness
Restore-from-backup steps are documented. Comprehensive disaster-recovery automation is one of the areas we are maturing alongside our certification roadmap.
Sub-processors & Hosting Transparency
We describe the types of service providers we rely on by category. We do not quote a fabricated brand name or SLA percentage.
To deliver the service we rely on a small number of infrastructure providers. We list them by category below; contracting businesses can request the current provider list on demand.
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting | Running the application and database | EU region |
| Payment processing | Securely accepting card payments (PCI DSS scoped) | Provider scope |
| Email / notifications | Sending transactional email and notifications | Provider scope |
| Error & performance monitoring | Uptime and error tracking (personal data minimised) | Provider scope |
Certifications / Certification Roadmap
Honesty first: we never present a certification we do not hold as if we held it. The items below are targets and have not yet been obtained.
Current practices
- In place: Data-processing approach aligned with KVKK
- In place: Encryption in transit via HTTPS/TLS
- In place: Encryption at rest at the disk level
- In place: Payment data delegated to a PCI DSS scoped provider
Roadmap
- Planned: ISO/IEC 27001
- Planned: SOC 2 Type II
- Planned: Independent penetration test (third party)
- Planned: Formal data processing agreement (DPA) template
When a roadmap item is completed, this page is updated and the relevant document is made available on request. Until then we do not present these items as held certifications.
Responsible Disclosure
If you discover a security vulnerability, please contact us before disclosing it publicly. We commit to reviewing your report, responding within a reasonable time and remediating the issue. We appreciate good-faith research that does not harm user data.
When reporting
- Share step-by-step instructions to reproduce the issue.
- Do not damage, download or alter any data.
- Keep the issue confidential until a fix is released.