Privacy Policy

The data controller for personal data processed via Tapeo is ATOMIRA TECHNOLOGIES, S.L.

• CIF: B27662717 · EU VAT: ESB27662717
• Registered office: Calle Lepant 270, 08013 Barcelona, Spain
• Registered at: Registro Mercantil de Barcelona, entry nº 2026060968
• Privacy contact: hola@tapeo.menu

We have not appointed a formal Data Protection Officer because we are not legally required to do so under Article 37 GDPR at our current scale. For any data-protection inquiry, write to hola@tapeo.menu and we will respond within 30 days (the statutory maximum under Article 12(3) GDPR).

We collect the categories of data described below. We do not sell personal data and we do not allow third-party advertising trackers.

2.1 Account data (venue operators and Tapeo admins). Email address, optional display name, OAuth-provider identifier if you sign in with Google, account-creation timestamp, IP address at registration.

2.2 Venue data uploaded by the operator. Venue name, address, brand fields, table layout, menu content (categories, dishes, descriptions, prices, allergens), photographs of chalkboards or printed menus you upload for OCR, menú-del-día rotations.

2.3 Diner data (customers who scan a QR menu). No account is created. A per-table customer session cookie (tapeo_cs) and an anonymous favoriter identifier (tapeo:favoriter-id) let diners group items in a shared tab and mark dishes as ♥. Cart items, optional notes attached to an order, optional push-notification subscription if you opt in. Approximate session timestamps.

2.4 Staff data (waiters / kitchen). A per-shift PIN session (tapeo_staff cookie). No personal staff profile is created.

2.5 Operational logs. Sign-in events, order events, call-waiter events, editor edits, AI-call records (without prompt content), email-send attempts. IP addresses in operational logs are stored hashed (SHA-256), not in plaintext.

2.6 Communications. If you contact us, we keep your message, your email, timestamps, and which staff member responded.

2.7 Subscription and payment data — not collected yet. Pro-tier billing via Stripe is on the roadmap; when it ships, this section will be updated to describe what Stripe collects and what we receive.

• Create and operate your venue operator account — account data (§ 2.1) — Contract performance, GDPR Art. 6(1)(b).
• Render your venue’s public QR menu and accept table-side orders — venue + diner data (§§ 2.2, 2.3) — Contract performance, Art. 6(1)(b) (and legitimate interest of the operator under Art. 6(1)(f) for in-venue order routing).
• Generate translations, OCR-digitize menus, detect EU-1169 allergens from dish names — venue data (§ 2.2) — Contract performance, Art. 6(1)(b). See § 7 for details on AI processing.
• Send transactional emails (magic-link sign-in, weekly insights, alpha invites) — account data — Contract performance, Art. 6(1)(b).
• Send push notifications to a diner who opted in — push subscription (§ 2.3) — Consent, Art. 6(1)(a). You can withdraw at any time from the in-app banner.
• Detect, prevent, and respond to abuse (rate limits, spike monitoring) — operational logs (§ 2.5) — Legitimate interest, Art. 6(1)(f).
• Comply with legal obligations (e.g. tax records, valid court orders) — whatever data is required — Legal obligation, Art. 6(1)(c).

Where we rely on legitimate interest, we have conducted a balancing test and concluded the processing does not override your rights and freedoms. You may object to any such processing under Article 21 GDPR.

Access is limited to Atomira personnel with a need to know (bound by confidentiality), the subprocessors listed in § 5 under Article 28 GDPR DPAs, and Spanish authorities when legally required. We do not share data with any other third party without your explicit consent.

Tapeo uses the following subprocessors. All are bound by data-processing agreements (DPAs) and process personal data only on our documented instructions.

• Hetzner Online GmbH — hosting (server, PostgreSQL database, daily backups) — Falkenstein, Germany (EU) — standard DPA, no third-country transfer.
• Hetzner Webhosting — outbound SMTP transport for transactional email (magic-link, alpha invites, weekly insights) — Germany (EU) — same DPA umbrella.
• Google LLC — Google OAuth (sign-in) — United States — DPA, Standard Contractual Clauses, and EU-US Data Privacy Framework. Receives only the email and identifier you choose to sign in with.
• Google LLC (Gemini API) — AI features: chalkboard / printed-menu OCR, translation to seven languages, EU-1169 allergen detection, weekly insights summarization — United States — Standard Contractual Clauses and EU-US Data Privacy Framework. We do not opt in to Google’s model training; menu and operational text sent to Gemini are processed for the request only.
• Hetzner Cloud (object storage / backups, if used) — Germany / Finland (EU) — same DPA umbrella.

When Tapeo adds card / Bizum payments (Stripe + Redsys), this list will be updated and you will be notified per § 11.

Our default infrastructure is EU-only (Hetzner in Germany). When data has to leave the EU/EEA (currently: Google OAuth identity look-up and Gemini AI calls), we rely on the EU-US Data Privacy Framework adequacy decision plus Standard Contractual Clauses and encryption in transit and at rest. You can request a copy of the relevant transfer-safeguard documentation by emailing hola@tapeo.menu.

Tapeo uses Google Gemini (a third-party generative-AI model) for four purposes: (1) reading dishes and prices from a photo of your chalkboard or printed menu; (2) translating dish names and descriptions into up to seven languages; (3) auto-detecting EU-1169 allergens from dish names; (4) generating a short Spanish-language summary in the weekly insights email.

The AI generates suggestions only. Translations, OCR results, and allergen flags appear in the editor for you to review before they reach a diner. We do not guarantee the accuracy of any AI output. You remain responsible for the final published content, including any allergen disclosure required by EU Regulation 1169/2011.

No AI feature in Tapeo makes a decision about you with legal or similarly significant effect (Article 22 GDPR is not triggered). Your account is not subject to automated profiling, automated suspension, or automated denial of service. We comply with applicable obligations of Regulation (EU) 2024/1689 (AI Act) for our use of a general-purpose AI model and disclose the model provider (Google) here.

• Active venue operator accounts — kept until you delete your account; then 30 days for export, then deleted from active systems (residual backup copies erased on the standard 90-day rotation).
• Inactive operator accounts — deleted after 24 months of inactivity, after 30 days’ notice to the registered email.
• Diner customer-session cookies — 12 hours.
• Diner anonymous favoriter identifier — 12 months on the device.
• Order records linked to a venue — retained as long as the venue account is active (the operator uses them for kitchen / billing); subject to Spanish tax-law 6-year retention once Pro billing ships.
• Operational logs (sign-in events, AI calls, email-send attempts, editor events with hashed IPs) — 12 months, then aggregated / anonymized.
• Support communications — 24 months from last interaction.
• Email-send log (status, recipient, subject, trigger; body not stored) — 12 months.
• Legal acceptances (terms / privacy consents) — 6 years (Spanish civil-law limitation period).

Our use of cookies is described in detail in our Cookie Policy at /legal/cookies. In summary: only strictly-necessary cookies plus the tapeo-locale language-preference cookie are used. No advertising trackers, no cross-site profiling, no analytics cookies.

You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3)) where consent is the legal basis.

To exercise any of these rights, write to hola@tapeo.menu. We will respond within 30 days. We may ask you to verify your identity before processing the request, to prevent unauthorized access. If you are unsatisfied with how we handle your data, you can lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at C/ Jorge Juan, 6, 28001 Madrid — https://www.aepd.es.

Technical and organizational measures we apply: TLS 1.3 in transit; encryption at rest for daily PostgreSQL backups; HMAC-signed session cookies; HttpOnly cookies for all authentication tokens; password-less sign-in (Google OAuth + magic link); least-privilege internal access; UFW firewall + fail2ban on the production host; intrusion-detection guardian daemon; regular security updates of dependencies. Incident-response procedure includes GDPR Art. 33 (72-hour AEPD notification) and Art. 34 (notification to affected users where high risk).

Tapeo is not directed at children under 14. We do not knowingly collect personal data from children under 14. If you are a parent or guardian and become aware that a child has provided us with personal data, please contact hola@tapeo.menu so we can delete it.

If you access Tapeo from outside the EU/EEA (as a tourist scanning a QR menu, for example), your data is still processed primarily in the EU (Hetzner Germany). By using the Service, you understand that European data-protection law applies to the processing.

We may update this Policy from time to time. Material changes will be notified to account owners by email and posted at /legal/privacidad with at least 30 days’ advance notice before they take effect. If you do not accept the changes, you may close your account and request deletion before they take effect.

For any privacy question, request, or complaint: hola@tapeo.menu. Postal address: ATOMIRA TECHNOLOGIES, S.L., Calle Lepant 270, 08013 Barcelona, Spain. For independent review: AEPD at https://www.aepd.es.