Privacy Policy

Last updated: July 1, 2026

QRDine ("we", "us", "our") respects your privacy and is committed to protecting personal data. This Privacy Policy explains what personal information we collect, how we use and share it, the choices you have, and how we safeguard it. It applies to our websites, mobile interfaces, APIs, and services (collectively, the "Service"). Where a restaurant ("Tenant") uses QRDine to interact with its guests or staff, the Tenant is the controller of that personal data and QRDine acts as a processor on the Tenant's behalf.

1. Information We Collect

Account information — name, email address, phone number, password hash, profile photo, role, restaurant name, business address.

Operational data — menu items, categories, prices, tables, QR codes, orders, order status, receipts, inventory levels, staff schedules, payroll, feedback, loyalty balances.

Guest data (submitted by Tenants or guests) — guest name, phone, order history, dietary preferences, feedback, loyalty membership.

Payment data — transaction identifiers, gateway references, amounts, currency, and status. Card numbers and full bank credentials are handled directly by our PCI-compliant payment processors; we do not store them.

Technical data — IP address, device type, browser, operating system, referrer, timestamps, session identifiers, error logs, and diagnostic telemetry.

Cookies & similar technologies — see our Cookie Policy.

2. How We Use Personal Data

We process personal data to (a) provide, maintain, and improve the Service; (b) authenticate users and secure accounts; (c) process payments and issue receipts; (d) send transactional messages (email, SMS, WhatsApp) such as order confirmations, password resets, and invoices; (e) send marketing communications where you have opted in; (f) detect, prevent, and investigate fraud, abuse, and security incidents; (g) comply with legal and regulatory obligations; and (h) produce aggregated, de-identified analytics to understand product usage.

3. Legal Bases

Depending on your jurisdiction, we rely on the following legal bases under applicable law (including GDPR where relevant): performance of a contract with you; compliance with legal obligations; our legitimate interests in operating and securing the Service; and your consent, where required (which you may withdraw at any time).

4. How We Share Personal Data

Service providers (subprocessors): Supabase (database, authentication, storage), Cloudflare (hosting, CDN, security), Resend (transactional email), WhatsApp Cloud API / Meta (messaging), Stripe, bKash, Nagad, ZiniPay, SSLCommerz (payment processing), OpenRouter / model providers (AI features), and analytics vendors — each under contractual data-processing terms.

Tenants: If you are a guest or staff member, your data is shared with the Tenant operating the restaurant.

Legal & safety: We may disclose data when required by law, subpoena, or to protect the rights, property, or safety of QRDine, our users, or the public.

Business transfers: In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to standard confidentiality protections.

We do not sell personal data.

5. International Data Transfers

Our infrastructure and subprocessors may be located outside your country. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

6. Data Retention

Active account data is retained while the account is active and for a reasonable wind-down period thereafter. After deletion, personal data is purged within 30 days, except (a) financial and tax records retained for up to 6 years as required by law, (b) anonymized analytics, and (c) records required for legal defense or dispute resolution.

7. Security

We employ industry-standard safeguards: TLS 1.2+ in transit, encryption at rest, hashed passwords (bcrypt/argon2), role-based access control, row-level security in the database, least-privilege service credentials, audit logging, automated backups, and periodic security reviews. No system is fully secure; report suspected vulnerabilities to security@qrdine.io.

8. Your Privacy Rights

Subject to applicable law, you may have the right to: access, correct, delete, or restrict processing of your personal data; object to processing; request portability; and withdraw consent. To exercise these rights, contact privacy@qrdine.io. You may also lodge a complaint with your local data-protection authority. If you are a guest of a Tenant, please contact the Tenant first; we will assist as processor.

9. Children

The Service is not directed to children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@qrdine.io and we will delete it.

10. Automated Decisions

We do not use personal data for automated decision-making that produces legal or similarly significant effects without human review.

11. Marketing Preferences

You may opt out of marketing communications at any time via the unsubscribe link in our emails or by contacting privacy@qrdine.io. Transactional messages (order, security, billing) will continue as they are necessary to operate the Service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notice. The "Last updated" date at the top reflects the current version.

13. Contact Us

Data Protection Contact: privacy@qrdine.io
Security: security@qrdine.io
Postal address available on request.