Our commitment to protecting your data under the General Data Protection Regulation
Last updated: February 23, 2026
Scan2Order is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines how we comply with GDPR requirements and explains your rights as a data subject.
This page supplements our Privacy Policy and provides specific information required under the GDPR.
The data controller responsible for your personal data is:
As a data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with GDPR.
We process your personal data based on one or more of the following lawful bases under Article 6 of the GDPR:
| Lawful Basis | Processing Activity |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Processing necessary to provide the Scan2Order service: account creation, subscription management, QR menu generation, payment processing via Stripe, and customer support |
| Legitimate Interests (Art. 6(1)(f)) | Analytics and service improvement, fraud prevention and security, platform performance monitoring |
| Consent (Art. 6(1)(a)) | Marketing communications and newsletters, non-essential cookies and tracking (analytics, preferences) |
| Legal Obligation (Art. 6(1)(c)) | Tax record retention, responding to lawful requests from authorities, maintaining billing records |
Under the GDPR, you have the following rights regarding your personal data. We are committed to facilitating these rights in a transparent and timely manner.
You have the right to obtain confirmation as to whether we process your personal data, and if so, to access that data along with information about the purposes, categories, recipients, retention periods, and your rights.
You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can update most account information directly through your profile settings.
You have the right to request deletion of your personal data ("right to be forgotten") when:
Note: We may retain certain data where we have a legal obligation (e.g., billing records for tax compliance) or where processing is necessary for the establishment, exercise, or defense of legal claims.
You may request restriction of processing when you contest the accuracy of data, when processing is unlawful but you prefer restriction over erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV). This applies to data you provided to us and that we process based on consent or contract performance.
You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will stop processing immediately and without exception.
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. Scan2Order does not currently use fully automated decision-making processes.
To exercise any of the above rights, contact our Data Protection Officer at:
We will respond to your request within 30 days. In complex cases, this may be extended by a further 60 days, and we will inform you of any such extension. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
The following table summarizes our key data processing activities:
| Activity | Data Processed | Lawful Basis | Retention |
|---|---|---|---|
| Account registration | Name, email, business info | Contract | Account lifetime + 30 days |
| Subscription billing | Payment details (via Stripe), billing address | Contract | 7 years (legal obligation) |
| Menu management | Menu content, images, translations | Contract | Account lifetime + 30 days |
| QR code analytics | Scan counts, device info, location | Legitimate interest | 24 months (aggregated indefinitely) |
| Website analytics | Page views, sessions, referrers | Consent | 26 months |
| Newsletter | Email address | Consent | Until unsubscribed |
| Customer support | Name, email, message content | Contract / Legitimate interest | 24 months after resolution |
As Scan2Order serves customers worldwide across 31 languages, personal data may be transferred outside the European Economic Area (EEA). When this occurs, we ensure adequate protection through:
Our key sub-processors and their locations:
Our Data Protection Officer (DPO) oversees our compliance with the GDPR and serves as the point of contact for data protection matters.
If you are located in the EU/EEA and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. For Scan2Order, the lead supervisory authority is:
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
In the event of a personal data breach, Scan2Order will:
In accordance with Article 25 of the GDPR, Scan2Order implements data protection by design and by default. This means:
We may update this GDPR compliance information from time to time. Significant changes will be communicated through our platform and via email to registered users.
For any GDPR-related inquiries, please contact: