Nazad na registraciju

Dodatak o obradi podataka

Verzija v1.0 · Obaveze obrađivača. Zameni imejl kontakte pre produkcije.

# MeniQR Data Processing Annex (Restaurant ↔ MeniQR)

**Effective date:** 4 May 2026  
**Version:** v1.0  

This Annex (**“Annex”**) supplements the contractual relationship between (**a**) Restaurants & similar venues using MeniQR (“**Customer / Controller**”) and (**b**) the MeniQR contracting legal entity (**“Processor / MeniQR”**). Undefined capitalised phrases inherit meanings from Privacy Policy unless context contradicts.

For Restaurants **established or primarily operating in the Republic of Serbia**, **Serbian personal data protection law** (verify current official titles in Serbian legal sources) is the **primary substantive reference**. The Annex still uses GDPR-style / EU-SCC-shaped **processor** language where useful for **cross-border enterprise** customers, but **Serbian mandatory rules prevail** for purely Serbian B2B relationships.

---

## 1. Roles

| Party | Typical role regarding personal data originating from Restaurants’ hospitality operations relayed/transiently stored on MeniQR infra |
|------|---------------------------------------------------------------------------------------------------|
| **Customer** | Usually **controller** deciding purposes/means touching guest/staff/order configuration |
| **MeniQR** | **processor** instructed by lawful configuration + overarching commercial Restaurant Terms—not independent controller choices over guest intimacy beyond platform integrity / aggregate cross-tenant infra safety |

Hybrid dual-role nuance clarified in Privacy Policy §7—not repeated exhaustively here.

Where MeniQR bills Customer or secures infra generically mixing limited personal artefacts of internal staff admins, simultaneous limited independent-controller capacity exists only for narrowly scoped artefacts (billing identity of account owner)—still minimised.

---

## 2. Subject matter & duration

Processing concerns **Restaurant digital ordering/menu/workflow artefacts** conveyed through Panel / APIs / webhooks / edge functions / optional desktop bridging.

Duration tracks **commercial subscription lifespan** unless earlier deletion contractually arranged or lawful retention overlays apply (financial compliance, dormant-data minimisation tiers).

Termination triggers **reasonable export grace window** (~30 configurable days absent superior specification) unless law demands earlier purge / longer freeze for disputes.

---

## 3. Nature & purposes of processing under Customer instructions

**Purposes:**

- Digitally projecting Restaurant menus/products/prices/images configured by Restaurant.  
- Transmitting guest orders/events (including calls for staff, bill intents, optional tipping metadata if enabled cleanly).  
- Routing print jobs Restaurants demand to chosen printer destinations.  
- Surfacing KPI summaries Restaurant authorises exporting.  

**Processing operations:** collection (through UI flows), structuring, storing, enriching with operational metadata (timestamps/order ids), restricting access using RBAC, pseudonymisation where pragmatic, deletion cycles per retention.

**No unauthorised secondary exploitation**—MeniQR may not sell guest personal data dossiers nor retarget Hospitality guests commercially for MeniQR’s unrelated ventures without explicit carve-outs & independent lawful grounding.

Aggregate **non-identifying** infra telemetry / cross-tenant SLA metrics permissible.

---

## 4. Categories of data subjects & data

| Subject class | Typical data elements *|
|---------------|-----------------------|
| **Restaurant patrons / guests** | transient device/agent hints, inferred coarse locale, pseudonymous table tokens/Q link handles, textual order modifiers, eventual payment references if surfaced back by PSP integration (minimal direct card data on MeniQR unless mis-architected—discouraged) |
| **Restaurant staff-users** | name, credentials metadata, RBAC scopes, shifts optional modules |
| **Customer corporate contacts** | billing identity, AML-light checks if risk triggers |

\*Always **minimal**—Customer must not gratuitously cram special-category fields into unstructured notes without lawful foundation.

---

## 5. Customer instructions / compliance obligations

Customer warrants:

| # | Obligation |
|---|-----------|
| 1 | lawful collection & onward instruction to Processor |
| 2 | truthful operational configuration (opening hours enforcing consumer fairness) |
| 3 | furnishing necessary guest notices / consents respecting marketing vs transactional divide |
| 4 | cooperating on regulatory investigations reasonably |
| 5 | not instructing infringing / illegal processing deliberately |

Contradictory or impossible instructions communicated after signature: Processor may defer until clarified / refuse manifestly unlawful elements.

Customer remains answerable toward supervisory authorities/data subjects predominantly for substantive hospitality relational harms Processor cannot knowledgeably remediate sans Customer truth.

Processor may summarise emergent illicit usage patterns anonymously to defend platform integrity lawfully.

---

## 6. Confidentiality / personnel constraints

Processor ensures personnel obliged by confidentiality (**NDA/code-of-conduct**), least-privilege, role-based segregation, revocation on offboarding.

Subcontractors materially accessing personal data constrained under Section 11.

Security officer function may be virtual CTO accountability.

---

## 7. Security measures (baseline descriptor)

Measures include but aren’t exhaustive:

| Layer | Control |
|-------|---------|
| Transport | HTTPS/TLS hardened configurations |
| At-rest encryption | Leveraging cloud provider KMS where supported |
| Access | MFA for privileged ops where deployed |
| Segmentation | production vs sandbox DB separation attempts |
| Monitoring | alerting on suspicious volumetrics |
| Patching cadence | critical CVE expedited patching SLAs inwardly monitored |

Residual risk disclosures remain non-zero—Customer responsible for workstation malware & insider threats on its side plus misconfigured Restaurants staff roles granting excess guest data exports.

Processors must notify infringements risking individuals without undue delay per law after internal triage—even if Customer concurrently controller-notified earlier.

Customer **must supply accurate notification contact phone** escalation.

---

## 8. Assistance to Customer (rights, DPIAs)

Processor reasonably assists—with possible **time & materials** fees for disproportionate workloads—toward:

| Area | Assist scope |
|------|--------------|
| **Data-subject DSAR choreography** technically feasible retrieval |
| Breach dossier collation | timelines for logs/metadata |
| **DPIAs / TIAs** (transfers risk) factual infra facts truthful |

Fees must be proportional & negotiated if enterprise volume enormous.

Processor may withhold assistance conflicting with secrecy of other Customers or statutory Processor duties.

---

## 9. Sub-processors

Current categories (evolving list published operationally / upon written request): **cloud hosting**, **managed DB/auth (Supabase)**, **email delivery**, **optional analytics**, **PSP when billing enabled**, **support ticketing**, **status monitors**.

Material new sub-processing categories notifying Customer (**30-day objection window**) unless emergency security patch exception—then retrospective notice promptly.

Enterprise pricing may allow narrowed pre-approved whitelist.

Transfers outside adequate territories follow SCC-like modules + Serbia-recognised equivalent mechanisms supplemented by supplementary technical measures pragmatically achievable.

---

## 10. Audit & evidence

Annual **SOC-style** assurance roadmaps aspirationally—not guaranteed SLA on day one; pragmatic interim: questionnaires + targeted log sampling under NDA/time-box.

Over-frequent intrusive audits harming other tenants may be calendared / fee-bearing.

Evidence exports may redact neighbouring Customer metadata.

Customer may not demand root hypervisor unrestricted shell.

---

## 11. Post-termination obligations

Upon subscription end Processor shall (subject to lawful retention freezes):

| Action | Deadline guideline |
|--------|---------------------|
| Customer-triggered deletion API / tooling | per product evolution |
| Return structured exports if contractually prepaid | contractual |
| certify deletion where legally credible | good-faith attestation—not absolute cryptographic proof destroying all magnetic remanence at hyperscale |

Backups rotational overwrite windows may linger ≤90 days typical—documented pragmatically balancing integrity vs erasure extremes.

Legal holds suspend deletion until lifted.

Statutory accounting retention overrides complete erasure horizons.

---

## 12. Supervisory coexistence law

Interpretive primacy resolves under **Serbia PDP Law**, harmonised minimally with cross-border SCC logic only where unavoidable by enterprise cross-border structuring.

Courts adjudicate inconsistencies narrowly.

Annex survives invalidity of solitary clauses—remaining operative.

Signatures / electronic equivalents occur within underlying Master Terms acceptance.

---

## 13. Contact for Annex operational matters

**privacy@meniqrr.com**

**legal@meniqrr.com**

---

**END OF ANNEX v1.0**