Privacy Policy
Last updated: June 27, 2026 · Applies to all users worldwide
This Privacy Policy explains how Dasenakis Nikolaos ("we", "us"), operating QRMENOO (qrmenoo.com), collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Greek law.
Contact: info@qrmenoo.com
1. Data We Collect
| Data | Source | Purpose |
|---|---|---|
| Name, email address | Registration form | Account management, transactional emails |
| Business name, menus, photos, logos | You upload it | Delivering the Service (your digital menu) |
| Subscription plan, payment status | LemonSqueezy (our payment processor) | Billing, access control |
| IP address, browser, usage data | Server logs, Google Analytics (with consent) | Security, analytics, service improvement |
| Cookies | Your browser | Session management, analytics, advertising (with consent) |
We do not collect or store payment card details — these are handled entirely by Lemon Squeezy.
2. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR): processing your name, email, and menu data to deliver the Service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): server logs for security, fraud prevention, and basic service operation.
- Consent (Art. 6(1)(a) GDPR): analytics cookies and advertising cookies — only after you explicitly accept via our cookie banner.
- Legal obligation (Art. 6(1)(c) GDPR): retaining transaction records as required by Greek tax law.
3. How We Use Your Data
- To create and manage your account and digital menus
- To process payments and manage your subscription
- To send transactional emails (subscription reminders, expiry notices, security alerts)
- To display your public menu to your customers via QR code
- To improve the platform based on aggregate usage analytics
- To display advertisements on the Bronze (free) plan
We do not sell your data to third parties. We do not use your data for automated profiling or decisions that have legal effect on you.
4. Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Lemon Squeezy | Payment processing | lemonsqueezy.com/privacy |
| Hostinger | Web hosting (EU servers) | hostinger.com/privacy-policy |
| Google Analytics | Usage analytics (consent required) | policies.google.com/privacy |
| Google AdSense | Advertising on free plan (consent required) | policies.google.com/privacy |
| Google Fonts | Typography (font files loaded from Google CDN) | policies.google.com/privacy |
Each third-party provider is responsible for their own GDPR compliance. Where required, we have entered into Data Processing Agreements with these providers.
5. Data Retention
- Account data: retained for as long as your account is active.
- Menus and uploaded files: retained indefinitely even after plan downgrade, so you can reactivate at any time.
- After account deletion: all personal data is permanently deleted within 30 days. Transaction records may be retained for up to 7 years as required by Greek tax law (Law 4308/2014), in anonymised form where possible.
- Server logs: retained for up to 90 days for security purposes.
6. Your Rights under GDPR
As a data subject you have the following rights, exercisable by contacting us at info@qrmenoo.com:
- Right of access (Art. 15): request a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure (Art. 17): delete your account and all associated data via the Preferences page or by emailing us.
- Right to restriction (Art. 18): restrict processing in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent: withdraw cookie consent at any time via the "Cookie settings" link in the footer.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at dpa.gr.
7. Data Security
We implement appropriate technical and organisational measures including HTTPS encryption, hashed passwords (bcrypt), access controls, and regular backups. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.
8. International Transfers
Your data is hosted in the EU (Hostinger EU servers). Payment data processed by Lemon Squeezy may be transferred to the US — Lemon Squeezy is Privacy Shield certified and compliant with EU standard contractual clauses. Google Analytics and AdSense also process data in the US under Google's standard contractual clauses.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy. We will notify registered users by email at least 30 days before material changes take effect. The current version is always available at this URL.