Privacy Policy

Last updated: April 2026

1. Who we are

Qisliq SmartMenu (“we”, “us”) operates the Qisliq SmartMenu platform, which provides restaurants with a digital menu and push notification service accessible via QR code.

2. What data we collect

Restaurant owners (admin users)

  • Email address and password hash (for account login)
  • Restaurant name, description, and menu content you enter
  • Billing information handled by Stripe — we never see or store card numbers

Menu visitors (customers scanning QR codes)

  • Push notification subscription (only if you explicitly click “Notify me”): your browser generates a pseudonymous push endpoint URL, which we store to send you notifications from the restaurant you subscribed to. No name or email is required. You can unsubscribe at any time from the menu page.
  • Language preference: a functional cookie (menu-locale) stores your chosen language so it persists across visits. It contains no personal data.
  • Anonymous analytics: we count menu views and filter clicks per restaurant (e.g. “vegetarian filter used 12 times today”). No IP address, device fingerprint, or user identifier is stored with these counts.

3. Cookies

We use only strictly functional cookies — no advertising or tracking cookies.

Cookie | Purpose | Duration | Consent
next-auth.session-token | Admin login session (restaurant owners only) | 8 hours | Strictly necessary
menu-locale | Remembers language choice on the menu page | 1 year | Functional (no consent required)
locale | Remembers language choice in the admin panel | 1 year | Functional (no consent required)

4. Legal basis (GDPR)

  • Account data: contract performance (Art. 6(1)(b) GDPR)
  • Push subscriptions: explicit consent (Art. 6(1)(a) GDPR) — you opt in voluntarily and can withdraw at any time
  • Functional cookies: legitimate interest (Art. 6(1)(f) GDPR) — essential for the menu to function in the chosen language
  • Anonymous analytics: legitimate interest — aggregated counts used only to help restaurants understand their menu usage

5. Data retention

  • Account data: retained while the account is active, deleted within 30 days of account deletion
  • Push subscriptions: deleted immediately when you unsubscribe, or when the restaurant is deleted
  • Anonymous analytics: aggregated counts retained indefinitely; no personal data is attached

6. Third-party processors

  • Stripe — payment processing. Your card data is handled exclusively by Stripe and is never stored on our servers.
  • Google Gemini API — AI menu translation and recommendations. Menu content is sent to Google's API; no personal data is included in these requests.
  • Resend — transactional email (password reset). Your email address is used solely for sending the requested email.

7. Your rights

Under GDPR you have the right to access, correct, or delete your personal data, to restrict or object to processing, and to data portability. To exercise these rights, contact us at the address below. Push notification subscribers can unsubscribe directly from the menu page at any time.

8. Contact

For any privacy-related questions or requests, please contact us at [email protected].