Chequo

Privacy Policy

Effective date: 18 June 2026

This Privacy Policy explains how Chequo OÜ, a private limited company registered in Estonia (registry code [REGISTRY CODE]), with its registered office at [REGISTERED ADDRESS], Estonia ("Chequo", "we", "us", or "our"), collects, uses, and protects personal data in connection with the Chequo point-of-sale, QR menu, reservations, and related services (the "Service").

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Estonian law.

1. Our two roles

Chequo handles personal data in two distinct capacities:

  • As a controller — for the personal data of our business customers and their staff (for example, the restaurant owner or manager who signs up, and the staff members who log in). We decide how and why this data is processed.
  • As a processor — for the personal data that our business customers ("Customers") collect from their own guests and customers ("End Customers") using the Service (for example, reservation details). Here, the Customer is the controller and Chequo processes the data on their behalf and under their instructions, as set out in our Data Processing Agreement ("DPA").

If you are an End Customer (for example, you made a reservation at a restaurant that uses Chequo), the restaurant — not Chequo — is responsible for your data as controller. Please direct privacy requests to that restaurant. We will assist them as their processor.

2. Personal data we collect

As controller (Customer and staff data):

  • Account and contact data — name, email address, phone number, business name, and login credentials of the account owner and managers.
  • Staff data — staff names, roles, and PINs used to access the Service.
  • Billing data — subscription and payment information. Card payments are processed by Stripe; we do not store full card numbers.
  • Usage and device data — log data, device identifiers, app version, IP address, and diagnostic information generated when you use the Service.
  • Support communications — information you provide when you contact us.

As processor (data we process on behalf of Customers):

  • End Customer data — for example, reservation details such as a guest's name, phone number, email address, party size, and notes; and order and transaction data that Customers generate through the Service. QR menu viewing is designed not to require End Customers to provide personal data.

3. Why we use personal data and our legal bases

When we act as controller, we rely on the following legal bases under the GDPR:

Purpose | Legal basis
Provide, operate, and maintain the Service and your account | Performance of a contract
Process payments and manage subscriptions | Performance of a contract
Provide support and respond to enquiries | Performance of a contract; legitimate interests
Secure the Service, prevent fraud and abuse, and debug | Legitimate interests
Improve the Service and develop features | Legitimate interests
Send service and administrative messages | Performance of a contract; legitimate interests
Comply with legal, accounting, and tax obligations | Legal obligation

When we act as processor, we process End Customer data only to provide the Service to the Customer and on the Customer's documented instructions, as described in the DPA.

4. Sub-processors and third parties

We use a small number of trusted service providers ("sub-processors") to deliver the Service. They process personal data only as needed to provide their services to us and under appropriate data-protection terms:

Sub-processor | Purpose | Location
DigitalOcean | Cloud hosting and data storage | Frankfurt, Germany (EU)
Stripe | Payment processing | EU / international
OpenAI | AI translation of interface and menu text (via TransDuck) | United States
Fiskaly | Fiscalisation and tax-compliance services | EU

We do not sell personal data, and we do not share it with third parties for their own marketing.

5. Where your data is stored and international transfers

Our primary hosting and data storage is located in Frankfurt, Germany, within the European Union.

Some sub-processors (for example, OpenAI) may process limited data outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs), to protect it.

6. How long we keep personal data

We keep personal data for as long as your account is active and as needed to provide the Service. After your account is closed, we delete or anonymise personal data within approximately 90 days, except where we are required to retain certain records (for example, invoices and accounting records) to comply with legal obligations, or where data must be retained to establish, exercise, or defend legal claims.

When we act as processor, we retain and delete End Customer data in accordance with the Customer's instructions and the DPA.

7. How we protect personal data

We use technical and organisational measures appropriate to the risk, including encryption of data in transit, access controls, network isolation, and restricted administrative access. No system is completely secure, but we work to protect personal data against unauthorised access, loss, or misuse.

8. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • request rectification of inaccurate data;
  • request erasure of your data ("right to be forgotten");
  • request restriction of processing;
  • object to processing based on legitimate interests;
  • receive your data in a portable format (data portability); and
  • withdraw consent at any time where processing is based on consent (without affecting prior processing).

To exercise these rights, contact us at [email protected]. You also have the right to lodge a complaint with a supervisory authority — in Estonia, the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), or the authority in your country of residence.

End Customers: if your data was collected by a restaurant using Chequo, please contact that restaurant to exercise your rights; as processor, we will assist the restaurant in responding.

9. Cookies and similar technologies

The Service uses only cookies and similar technologies that are necessary to operate the Service and keep you signed in. We do not use third-party advertising cookies.

10. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from children.

11. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or through the Service). The "Effective date" above indicates when this Policy was last updated.

12. Contact us

For any questions about this Privacy Policy or our handling of personal data, contact:

Chequo OÜ
[REGISTERED ADDRESS], Estonia
Email: [email protected]


The original of this document is written in English. Where Chequo provides translations of this Privacy Policy, the English version governs and prevails in the event of any conflict.