Privacy Policy
Last updated: March 10, 2026
1. Introduction
Premium Box ("we," "us," or "our") operates QRtaap, a review management platform for restaurants and hospitality businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using QRtaap, you consent to the data practices described in this policy. If you do not agree with our policies, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
When you register for and use QRtaap, we collect:
- Account Information: Email address and password
- Restaurant Information: Restaurant name, owner's full name (optional), and business logo (image file)
- Review Platform URLs: Links to your Google, TripAdvisor, Yelp, or other review platform pages
- QR Code Preferences: Number of touchpoints, QR code theme preference, and brand color preference
- Payment Information: Billing details processed securely through Stripe (we do not store card numbers)
2.2 Customer Feedback Data
When your customers use the QRtaap feedback system, the following data may be collected:
- Star rating (1-5)
- Feedback comments (for ratings 1-3)
- Customer email address (required for ratings 1-3)
- Customer name (optional, if voluntarily provided)
- Customer phone number (optional, if voluntarily provided)
- Touchpoint number associated with the feedback
- Timestamp of submission
Note: Customers who rate 4-5 stars are redirected to an external review platform. No personal data is collected or stored by QRtaap for positive ratings.
2.3 Automatically Collected Information
When you or your customers access QRtaap, we automatically collect:
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, features used, time spent on the Service
- IP Address: For security and analytics purposes
- Cookies: Session and preference cookies (see Section 8)
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve QRtaap
- Account Management: To manage your account and process payments
- Communication: To send service-related emails, updates, and notifications
- Feedback Replies: To send reply emails from the restaurant owner to customers who submitted feedback
- QR Code Generation: To generate and customize QR codes with your brand settings, and export them as PDF
- Analytics: To understand how the Service is used and improve user experience
- Security: To detect, prevent, and address technical issues and fraud
- Legal Compliance: To comply with applicable laws and regulations
4. Data Sharing and Third-Party Services
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: Third parties that help us operate the Service
- Legal Requirements: When required by law, court order, or governmental authority
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: For any other purpose with your explicit consent
Third-Party Services We Use
- Supabase: Database storage, user authentication, and file storage (business logos)
- Stripe: Subscription billing and payment processing
- Resend: Transactional email delivery — including OTP verification codes, welcome emails, feedback notification emails, and feedback reply emails
- Facebook Pixel: Conversion tracking and advertising optimization (see Section 5)
- Google Fonts: Font delivery — Playfair Display and DM Sans typefaces are loaded from Google's servers
Each third-party service has its own privacy policy governing how it handles your data. We encourage you to review their policies.
5. Facebook Pixel and Advertising
We use Facebook Pixel (Meta Pixel) for conversion tracking. Specifically, we track the following events:
- PageView: Tracked on all pages to measure website traffic
- CompleteRegistration: Tracked when a user completes the onboarding process
This data helps us measure the effectiveness of our advertising and understand how visitors find QRtaap. Facebook may use this information to show you relevant ads on Facebook and its partner platforms.
You can manage your Facebook ad preferences through your Facebook account settings or opt out of interest-based advertising through the Digital Advertising Alliance at optout.aboutads.info.
6. Data Processing Roles
Under GDPR and applicable data protection laws:
- Premium Box (QRtaap) is the data processor for customer feedback data. We process this data on behalf of the restaurant owner according to their instructions through the Service.
- The restaurant owner is the data controller for customer feedback data collected through their QR codes. As the data controller, you are responsible for ensuring your use of customer data complies with applicable privacy laws.
- Premium Box is the data controller for account data (restaurant owner information, account credentials, billing data) and website analytics data.
7. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract Performance: Processing account data and payment information is necessary to provide the Service you signed up for
- Legitimate Interest: Analytics data and security measures are processed based on our legitimate interest in improving the Service and protecting against fraud
- Consent: Marketing cookies (including Facebook Pixel) are based on your consent, which you can withdraw at any time
8. Cookies and Tracking Technologies
We use the following cookies and tracking technologies:
- Supabase Auth Session Cookies: Essential cookies required for user authentication and maintaining your login session
- Facebook Pixel Cookies: Marketing cookies used for conversion tracking and advertising optimization (e.g., _fbp, _fbc)
We do not use any additional analytics cookies beyond Facebook Pixel. You can control cookies through your browser settings. Note that disabling essential cookies (Supabase auth) will prevent you from using the Service.
9. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account Data: Retained until you delete your account
- Customer Feedback: Retained as long as your account is active; deleted when the owner deletes their account
- Email Verification Codes: Auto-expire after 30 minutes; OTP attempts are limited to 3 per code
- Payment Records: Retained as required by tax and financial regulations
- Usage Logs: Retained for up to 12 months
Upon account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law.
10. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of sensitive data at rest
- Regular security assessments and updates
- Access controls and authentication requirements
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your information.
11. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. For Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it)
To exercise these rights, contact us at hello@qrtaap.com. We will respond within 30 days.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal data we have collected about you
- Right to Delete: You can request that we delete the personal data we have collected from you
- Right to Opt-Out of Sale: We do not sell your personal information to third parties
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
We currently do not respond to "Do Not Track" browser signals, as there is no industry-standard method for honoring these signals. However, you can opt out of tracking cookies through your browser settings or the opt-out links provided in Section 5.
To exercise your CCPA rights, contact us at hello@qrtaap.com.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the European Commission.
14. Children's Privacy
QRtaap is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on the Service. Your continued use after changes take effect constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us: