Privacy Policy

1. Who We Are

QR Food Menu is a Software-as-a-Service (SaaS) digital menu platform operated by Needinfotech, with offices at E-557, Budh Nagar, Inderpuri, New Delhi — 110012, India. In this policy, "we", "us", and "our" refer to Needinfotech. For privacy-related questions, contact us at support@needinfotech.com.

2. Information We Collect

We collect the following categories of information when you use the Service:

• Account information: Restaurant name, contact email, password (stored hashed using bcrypt), phone number, and any settings you provide during signup.
• Menu content: Categories, items, descriptions, prices, dietary tags, and images you upload — stored on our servers so they can be served to your customers.
• Billing information: Subscription plan, billing dates, and transaction references. Card and payment-account details are processed by PayPal and are not stored on our servers.
• Usage and device data: IP address, browser type, operating system, referring URL, page views, and timestamps. We use this for security, fraud prevention, and improving the Service.
• Customer scans: When a diner scans your QR code, we may log anonymised page views (no personal identifiers) to provide menu analytics in your dashboard.
• Communications: Emails or support requests you send to us.

3. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Authenticate accounts and prevent unauthorised access
• Process subscription payments and send billing notifications
• Send service-related emails (password resets, plan changes, important notices)
• Provide customer support
• Detect, investigate, and prevent fraud, abuse, or security incidents
• Comply with legal obligations

We do not sell your personal information or your customers' data to third parties, and we do not use your menu data to train artificial intelligence models.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, we rely on the following lawful bases under the GDPR / UK GDPR:

• Contract: Processing necessary to deliver the Service you signed up for.
• Legitimate interests: Securing the Service, preventing fraud, and improving our product.
• Consent: Optional cookies and marketing communications, where required.
• Legal obligation: Tax, accounting and compliance requirements.

5. Cookies & Local Storage

We use a small number of cookies and similar technologies:

• Essential session cookies (e.g. QRFM_SESSID, QRFM_ADMIN) to keep you logged in. These cannot be disabled without breaking the Service.
• Preference cookies such as the googtrans language cookie used by the in-menu language switcher.
• Security cookies for CSRF protection.

We do not currently use third-party advertising or cross-site tracking cookies.

6. Third-Party Service Providers

We use a small set of trusted sub-processors that may process your data on our behalf:

• PayPal — payment processing (paypal.com/privacy)
• Google Fonts & Google Translate — typography and on-the-fly menu translation. Google may receive your IP address when assets are loaded.
• QR code generator API — generates QR images on demand.
• Web hosting / CDN provider — stores and serves the Service infrastructure.
• Transactional email provider — delivers password resets and billing emails.

7. International Data Transfers

Our servers and some of our sub-processors are located outside India and the EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or the recipient country's adequacy decision, as applicable.

8. Data Security

We take reasonable technical and organisational measures to protect your information, including:

• HTTPS/TLS encryption for all traffic between your browser and our servers
• Bcrypt password hashing for account credentials
• Rate limiting and brute-force protection on login endpoints
• HttpOnly, Secure, SameSite session cookies
• Regular software updates and security reviews
• Restricted internal access on a need-to-know basis

No system is 100% secure. If we become aware of a personal-data breach affecting you, we will notify you without undue delay as required by law.

9. Data Retention

We retain your account and menu data for as long as your account is active. If you cancel your subscription, your data is retained for up to 90 days to allow reactivation, after which it is permanently deleted from active systems. Backups are rotated and overwritten in the normal course of operations. Billing records may be kept for longer where required by tax or accounting law.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Export your data in a portable format
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority (e.g. your local data-protection regulator)

To exercise any of these rights, email support@needinfotech.com. We will respond within 30 days.

11. Children's Privacy

The Service is intended for restaurant operators and is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and reflected in the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of any change indicates your acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact:

Needinfotech — QR Food Menu
E-557, Budh Nagar, Inderpuri,
New Delhi — 110012, India
Email: support@needinfotech.com