Privacy Policy

1. Who We Are

Qrave ("we", "us", "our") operates the Qrave SaaS platform — an AI-powered digital QR menu service for hospitality venues. This Privacy Policy explains how we collect, use, and protect personal data when you use our platform as a guest or as a venue operator. Contact: [email protected]

2. Data We Collect

From guests (QR code users):

• Session data: an anonymous session token assigned when a QR code is scanned.
• Chat messages: the content of conversations with the AI assistant.
• Order data: items selected, table number, and order status.
• Payment data: deposit transaction reference (card details are handled exclusively by our certified third-party payment provider and are never stored by Qrave).
• Device/browser metadata: used only for session continuity.

From venue operators:

• Account information: name, email address, and password (hashed).
• Business information: venue name, address, and menu content.
• Usage data: dashboard activity, login times, and feature usage.

3. How We Use Your Data

• To operate and improve the platform and AI assistant.
• To process and confirm orders and deposit payments.
• To provide venue operators with order analytics and management tools.
• To send transactional emails (order confirmations, password resets, subscription and usage notifications).
• To track AI chat session counts per venue for subscription billing and usage limits.
• To comply with legal and regulatory obligations.

We do not sell personal data to third parties.

4. Legal Basis for Processing

We process personal data on the following legal bases: Contract performance — to fulfil orders and operate accounts. Legitimate interests — to improve the platform and prevent fraud. Legal obligation — to comply with applicable laws.

5. Payment Data

Deposit payments are processed by a certified third-party payment provider. Qrave does not store, process, or have access to full card numbers, CVV codes, or any other sensitive payment card data. All payment card processing is performed by the payment provider in accordance with PCI DSS standards.

6. Data Sharing

We share data only with our certified third-party payment provider (for payment processing), AI providers (Anthropic, OpenAI, or Google) to power the menu assistant — only chat message content is sent, no personal identifiers — cloud infrastructure providers (Amazon Web Services), and email service providers for transactional emails.

7. Data Retention

• Guest session and chat data: retained for up to 90 days, then anonymised.
• Order records: retained for up to 3 years for accounting and legal purposes.
• Venue operator account data: retained while the account is active and for 1 year after closure.

8. Your Rights

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (subject to legal retention requirements).
• Object to or restrict processing in certain circumstances.

To exercise any of these rights, email us at [email protected]

9. Cookies

The platform uses strictly necessary cookies and local storage for session management and theme preferences. We use Google Analytics (GA4) to understand how visitors use the platform — this collects anonymised usage data such as page views and session duration. No advertising cookies are used.

10. Security

We use industry-standard security measures including HTTPS encryption, hashed passwords, and encrypted storage of sensitive API keys. Access to production data is restricted to authorised personnel only.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered venue operators of material changes by email. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

12. Contact