QRelia Privacy Framework

Privacy
Policy

This Privacy Policy explains how QRelia collects, uses, stores and protects personal data across venue onboarding, administration, QR ordering, real-time operational workflows, subscriptions, reporting, integrations and connected device functionality.

Effective Date 30 April 2026
Platform Owner QRelia / Lukas Slivka
Data Context UK GDPR / SaaS
By using QRelia, creating an account, subscribing, scanning a QRelia QR code, placing an order or interacting with a QRelia-powered venue experience, you acknowledge how personal data may be processed as described in this Policy.

1. Introduction

This Privacy Policy explains how QRelia collects, uses, stores, protects and shares personal data when the Platform is used by Venues, administrators, staff members, Customers and other users.

QRelia is a hospitality technology platform. It may be used for venue onboarding, subscription management, QR-based ordering, digital menus, order receiving, kitchen or receiver screens, operational reporting, live updates, integrations and connected device workflows.

Important: QRelia is primarily a business-to-business SaaS platform supplied to Venues. Customers who scan a QR code or place an order are usually interacting with the Venue through QRelia technology. The Venue remains responsible for its customer relationship, service delivery and customer-facing legal obligations.

2. Data Controller and Data Processor Roles

QRelia may act in different data protection roles depending on the context.

Where QRelia acts as a controller

QRelia acts as a data controller where it processes personal data for its own purposes. This includes platform administration, account management, onboarding, billing, subscription management, support, security, fraud prevention, diagnostics, legal compliance, analytics relating to platform performance and improvement of QRelia services.

Where the Venue acts as controller

For personal data relating to a Venue’s Customers, orders, table or location activity, staff use and operational workflows, the Venue is generally the data controller. In those cases, QRelia processes data on behalf of the Venue as a processor or service provider, subject to the Venue’s instructions and the functionality of the Platform.

Customer-facing clarification

If you are a Customer using a QRelia-powered menu, ordering page or QR code, the Venue you are visiting is normally responsible for how your order details, special requests, dietary notes and service information are handled. You should contact the Venue directly for venue-specific privacy queries, order issues, refunds, service complaints or allergen-related questions.

3. Personal Data We May Collect

The personal data processed through QRelia depends on how the Platform is used, the Venue’s configuration, the subscription plan, enabled features and the information voluntarily provided by users.

Venue account and administrator data

  • name, business name, venue name and contact details;
  • email address, login details and account identifiers;
  • billing contact details and subscription information;
  • role, permissions, staff access and account activity;
  • support messages, onboarding information and operational requests.

Venue configuration and operational data

  • venue settings, location names, service areas and QR code configuration;
  • menus, categories, items, modifiers, prices, availability and images;
  • order statuses, receiver activity, kitchen workflow events and reporting information;
  • device identifiers, configuration details and connected device status where hardware features are used.

Customer and QR ordering data

  • order details, selected items, modifiers, quantities and order notes;
  • table, room, area, seat, location or QR-code context configured by the Venue;
  • special requests, dietary notes or allergy-related text entered by the Customer or Venue staff;
  • timestamps, order status events and operational routing information;
  • browser, session and device information required to operate the customer-facing experience.

Technical, log and diagnostic data

  • IP address, browser type, device type, operating system and approximate technical location information;
  • page interactions, access times, error logs, security logs and diagnostic events;
  • SignalR or real-time connection events, notification activity and session identifiers;
  • system usage data required to detect abuse, protect tenants and maintain platform reliability.

4. QR Codes, Session Data and Location Context

QRelia uses QR codes to connect Customers to Venue-specific digital experiences. A QR code may identify a Venue, table, room, area, service point, device, menu or operational flow. This allows the Platform to route orders and requests to the correct Venue workflow.

When a Customer scans a QRelia QR code or uses a QRelia-powered page, we may process technical and session data such as IP address, browser information, device type, access time, selected menu, basket contents, table or location context, order events and session identifiers.

QRelia does not use QR scans to independently identify a Customer by name unless the Customer or Venue provides information that identifies them. However, order notes, room names, table context, device data or special requests may still be personal data depending on the circumstances.

5. Orders, Requests, Allergen Notes and Venue Data

QRelia may process Customer order information so that the Venue can receive, manage, prepare, update, cancel, report on or fulfil orders and requests.

Customers and Venue staff should avoid entering unnecessary sensitive personal data into order notes or special requests. If allergy, intolerance, dietary, medical or accessibility information is entered, it is processed to communicate the request to the Venue and support the Venue’s operational workflow.

Venue control: Menu content, allergen information, pricing, availability, order handling and customer service are controlled by the Venue. QRelia provides the technology infrastructure and does not verify ingredients, allergens, food preparation methods or staff advice.

6. Payments, Subscriptions and Stripe

QRelia may use third-party payment processors such as Stripe to manage subscription billing, payment methods, invoices, payment authentication, failed payment handling, tax information and subscription status.

QRelia does not intentionally store full payment card numbers or full card security codes on its own servers. Payment card data is handled by the relevant payment processor according to its own terms, security standards and privacy policy.

We may receive limited payment-related information such as customer identifiers, subscription identifiers, payment method summaries, payment status, billing email, invoice history and transaction references required to administer subscriptions and platform access.

7. Lawful Bases for Processing

Where UK GDPR or GDPR applies and QRelia acts as controller, we rely on one or more lawful bases depending on the purpose.

  • Contract: to provide accounts, subscriptions, onboarding, platform access, support and requested services.
  • Legitimate interests: to secure the Platform, prevent fraud, diagnose errors, improve reliability, manage customer relationships and develop QRelia.
  • Legal obligation: to comply with tax, accounting, regulatory, security, dispute, law enforcement or legal requirements.
  • Consent: where required for optional communications, cookies, analytics or other processing that legally requires consent.

Where QRelia acts as processor on behalf of a Venue, the Venue is responsible for identifying and communicating the lawful basis for processing Customer and staff personal data through the Platform.

8. How We Use Personal Data

We may use personal data to:

  • provide, operate, maintain and secure QRelia;
  • create accounts, authenticate users and manage role-based access;
  • process subscriptions, billing, invoices, plan access and payment status;
  • display digital menus, route QR sessions and process orders or requests;
  • send real-time updates, operational notifications and receiver or kitchen events;
  • support connected devices, displays, lighting indicators and local operational workflows;
  • provide support, onboarding assistance and administrative communications;
  • diagnose errors, monitor performance, detect misuse and prevent unauthorised access;
  • maintain tenant separation, enforce subscriptions and protect platform integrity;
  • comply with legal, accounting, tax, security and dispute-related obligations;
  • improve QRelia using aggregated, anonymised or non-identifying operational data.

9. Sharing, Service Providers and Subprocessors

We do not sell personal data. We may share or make personal data available only where reasonably necessary to provide, secure, support, bill, maintain or improve QRelia, or where legally required.

Categories of recipients

  • hosting, infrastructure, database, backup and security providers;
  • payment processors such as Stripe;
  • email, communication, support and notification providers;
  • analytics, diagnostic, logging and performance monitoring providers;
  • professional advisers, accountants, legal advisers and insurers where necessary;
  • law enforcement, regulators, courts or public authorities where legally required;
  • successor entities in connection with restructuring, investment, sale, merger or transfer of QRelia.

Subprocessors

Where QRelia processes personal data on behalf of a Venue, these service providers may act as subprocessors. Subprocessors are used only where reasonably necessary to provide or support the Platform, and they may change as QRelia evolves.

Current key subprocessor categories include: payment processing, cloud hosting, database/storage, email delivery, diagnostics/logging, security monitoring and operational support tools.

10. International Transfers

Personal data may be processed in the United Kingdom, European Economic Area or other countries where QRelia, its hosting providers, payment processors or service providers operate.

Where personal data is transferred internationally and UK GDPR or GDPR applies, we rely on appropriate safeguards where required, such as adequacy decisions, standard contractual clauses, UK international data transfer mechanisms or other lawful transfer methods.

Third-party providers such as payment processors may process data internationally according to their own privacy terms, safeguards and compliance frameworks.

11. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

  • Account and subscription data may be retained while the account is active and for a reasonable period afterwards.
  • Billing, invoice and payment records may be retained for tax, accounting and legal compliance purposes.
  • Order and operational data may be retained to support Venue operations, reporting, dispute resolution and platform integrity.
  • Security logs, diagnostic logs and access records may be retained to investigate abuse, errors, fraud or security incidents.
  • Backups may retain copies of data for a limited period before being overwritten or deleted under normal backup cycles.

If a Venue terminates its use of QRelia, data may be deleted, anonymised, archived or retained according to our operational, legal, accounting, backup and security requirements. Venues are responsible for exporting or copying information they require before termination where export functionality is available or agreed.

12. Security and Tenant Separation

We use reasonable technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These may include authentication, role-based access, tenant-based separation, HTTPS, access controls, logging, monitoring, backups and operational security practices.

QRelia is designed to separate data between Venues using tenant-based controls. Venues and users must not attempt to access another Venue’s data, dashboard, QR flow, orders, devices, configuration or reports.

No platform, network or storage system can be guaranteed completely secure. Venues remain responsible for protecting their own staff accounts, passwords, devices, local networks, browser sessions, exported data and internal access permissions.

If you suspect unauthorised access, account compromise, data exposure or cross-tenant access, contact QRelia immediately using the details at the end of this Policy.

13. Your Data Protection Rights

Depending on your location and the role QRelia plays in the relevant processing, you may have rights under UK GDPR, GDPR or other applicable data protection laws.

  • the right to access your personal data;
  • the right to correct inaccurate or incomplete data;
  • the right to request deletion of personal data;
  • the right to restrict processing;
  • the right to object to certain processing;
  • the right to data portability where applicable;
  • the right to withdraw consent where processing is based on consent;
  • the right to complain to a data protection authority.

If QRelia processes your data on behalf of a Venue, we may need to direct your request to that Venue or act according to that Venue’s instructions. Customers should usually contact the Venue first for order-specific or venue-specific requests.

In the United Kingdom, you may contact the Information Commissioner’s Office (ICO) if you have concerns about how your personal data is handled.

14. Cookies and Similar Technologies

QRelia may use cookies, local storage, session storage or similar technologies to operate essential Platform functions. This may include authentication, security, basket/session continuity, QR ordering sessions, tenant routing, preferences, subscription access and basic diagnostics.

Where optional analytics, marketing cookies or non-essential tracking technologies are used, we will provide appropriate notice or consent controls where required by law.

Operational storage: Some browser storage may be essential for QRelia to remember a Customer’s basket, maintain a session, route an order correctly or keep an administrator logged in securely.

15. Children

QRelia is not intended for direct use by children as an account-based SaaS platform. Venue administrators and staff users must be authorised by the Venue.

Customers may include families or younger guests in hospitality settings. In those cases, the Venue remains responsible for its customer-facing service, ordering practices and compliance with applicable laws.

16. Venue Privacy Responsibilities

Venues using QRelia are responsible for ensuring their own privacy notices, lawful bases, staff training, customer communication and internal procedures are appropriate for how they use the Platform.

  • Venues must not enter unnecessary sensitive personal data into QRelia.
  • Venues must ensure staff accounts are used only by authorised personnel.
  • Venues must handle Customer rights requests appropriately where they are the controller.
  • Venues must ensure QR codes, menus and order flows are deployed lawfully and transparently.
  • Venues must ensure allergen, dietary, accessibility or medical notes are handled carefully and only where necessary.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in QRelia, legal requirements, subprocessors, security practices, data flows or business operations.

Updated versions may be published on this page or communicated through the Platform, email, account area or other reasonable method. Continued use of QRelia after an updated Policy is published means the updated Policy applies from its effective date.

18. Contact

Questions about this Privacy Policy, data protection, platform access, security or privacy requests should be directed to QRelia.

Email: support@qrelia.uk
Website: qrelia.uk

This Privacy Policy should be read alongside the QRelia Terms & Conditions. The Terms govern use of the Platform, while this Policy explains how personal data is handled when QRelia is used.
© 2026 QRelia. All rights reserved.