Privacy Policy

Last updated: June 2026

1. Introduction

This Privacy Policy explains how Cheflink ("Cheflink", "we", "us", or "our") collects, uses, shares, and protects personal data when you use our platform for QR ordering and table tab management (the "Platform"), our websites, and related services.

It applies to the restaurants, bars, cafés, and other establishments that subscribe to Cheflink (each a "Venue"), to the staff who operate a Venue's account, and to the guests who place orders through QR codes generated by a Venue (each a "Guest").

Please read it together with our Terms & Conditions. By using the Platform you acknowledge the practices described here.

2. Who We Are

The organization responsible for the Platform is:

If you have any question about this Policy or how your data is handled, contact us at the address above.

3. Our Role: Controller and Processor

Cheflink plays two different roles depending on whose data is involved:

  • As a controller — for data about Venues, their staff, account holders, prospective customers, and visitors to our marketing website, we decide why and how the data is processed.
  • As a processor — for the Guest and order data that flows through a Venue's QR ordering pages, the Venue is the controller and Cheflink processes that data on the Venue's behalf and instructions. Each Venue is responsible for its own privacy notices and for handling its Guests' rights requests; we support Venues in meeting those obligations.

4. Data We Collect

4.1. Venue and staff data

  • Business name, legal name, and basic tax/registration details.
  • Name and contact details of account owners and authorized staff (email, phone, role).
  • Account credentials (email, username, and passwords stored in hashed form).
  • Venue configuration (language, currency, taxes, menus, tables, service charges, loyalty and inventory settings).
  • Subscription, plan, and billing records.

4.2. Guest and order data

  • Order information (selected items, modifiers, special notes, assigned table, timestamps, and tab status).
  • Contact details only when a Guest voluntarily provides them — for example a name, email, or phone for a reservation, receipt, or loyalty program.
  • Loyalty identifiers and reward history where a Venue runs a loyalty program.

4.3. Payment data

Where a Venue enables digital payments, transactions are handled by third-party payment providers. Cheflink does not collect or store full card numbers or security codes; we receive only limited confirmation data such as a transaction reference, amount, status, and a masked card identifier.

4.4. Technical and usage data

  • Device and connection information (IP address, browser/device type, language, and access timestamps).
  • Actions taken within the Platform and pages visited.
  • Aggregated, statistical metrics about order volume, service times, and feature usage.
  • Cookies and similar technologies (see Section 12).

4.5. Support and communications

When you contact us for support, sales, or other inquiries, we keep the messages, contact details, and information you choose to share.

5. How and Why We Use Data

  • To provide, operate, and maintain the Platform and its features.
  • To enable Venues to receive orders, manage table tabs, run loyalty and inventory, and close out payments.
  • To authenticate users and keep accounts secure.
  • To process subscriptions, invoicing, and payments.
  • To provide customer support and respond to inquiries.
  • To monitor, troubleshoot, and improve performance, and to develop new features.
  • To detect, prevent, and investigate fraud, abuse, and security incidents.
  • To send service communications about technical issues, updates, and changes to our terms.
  • To comply with legal, tax, and regulatory obligations.

We do not use Guest order data to send our own marketing, and we do not sell personal data.

6. Legal Bases for Processing

Where data protection law requires a legal basis, we rely on one or more of the following:

  • Performance of a contract: to deliver the Platform to a Venue and operate the service.
  • Legitimate interests: to secure, maintain, and improve the Platform and prevent fraud, balanced against your rights.
  • Consent: where a Guest voluntarily shares data for a specific purpose, or for non-essential cookies. Consent can be withdrawn at any time.
  • Legal obligation: where the law requires us to retain or disclose certain information.

7. How We Share Data

We do not sell personal data. We share it only as needed to run the service, and with appropriate contractual safeguards:

  • With the relevant Venue: order and tab data is shared with the Venue so it can fulfill orders and manage service.
  • Service providers (sub-processors): vetted third parties that process data on our behalf under written agreements, by category — cloud hosting and infrastructure, payment processing, analytics and performance monitoring, and communications/support tooling.
  • Professional advisors: auditors, lawyers, or accountants where reasonably required.
  • Authorities: when required by law, regulation, legal process, or a valid governmental request.
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

8. International Data Transfers

Cheflink and our service providers may process data in countries other than your own. Where data is transferred across borders, we put in place recognized safeguards — such as standard contractual clauses or transfers to jurisdictions deemed to offer an adequate level of protection — so that your data remains protected to the standard described in this Policy.

9. Data Retention

  • Venue account and configuration data is retained while the account is active and for a reasonable period afterward to handle wind-down, disputes, and legal requirements.
  • Order, tab, and billing records may be retained to meet accounting, tax, and audit obligations for the period required by applicable law.
  • Guest contact data provided for loyalty or marketing is retained while consent remains and until deletion is requested.
  • Technical logs are kept for a limited period for security and troubleshooting, then deleted or anonymized.

When data is no longer needed, we delete it or irreversibly anonymize it.

10. Data Security

We apply technical and organizational measures appropriate to the risk, including encryption of data in transit (HTTPS), hashed password storage, access controls and least-privilege practices, and regular monitoring. No method of transmission or storage is completely secure; if a breach affecting your personal data occurs, we will notify affected parties and the competent authorities where the law requires.

11. Your Rights

Subject to your local law, you may have the right to:

  • Access: obtain confirmation of, and a copy of, the data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion where data is no longer necessary.
  • Restriction: ask us to limit processing in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Portability: receive your data in a structured, machine-readable format.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Complain: lodge a complaint with your local data protection authority.

To exercise these rights, email hola@cheflink.com. We will respond within the timeframe required by applicable law and may need to verify your identity first. If your request concerns data a Venue controls (Guest or order data), we will direct it to, or act on the instructions of, that Venue.

12. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Keep authorized Venue users signed in and maintain secure sessions (strictly necessary).
  • Remember configuration and language preferences (functional).
  • Measure aggregated usage to understand and improve the Platform (analytics).

Strictly necessary cookies are required for the Platform to work. You can control non-essential cookies through your browser settings or any cookie controls we provide.

13. Children's Privacy

The Platform is intended for businesses and adult users. It is not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

14. Automated Decision-Making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement.

15. Third-Party Links and Services

The Platform may link to or integrate with third-party services (such as payment providers). Their handling of your data is governed by their own privacy policies, which we encourage you to review.

16. Changes to This Policy

We may update this Policy from time to time. When changes are material, we will update the "Last updated" date and notify Venues through reasonable channels. The version published on this page is always the current one.

17. Contact