Privacy Policy

Last updated: May 30, 2026

1. Who We Are

OneScan ("we", "us", "our") is operated by OneScan, a company registered in Varna, Bulgaria (company / EIK number and VAT number available on request). We are the data controller for personal data of account holders processed through the OneScan platform at onescan.menu (the "Service").

For any questions about this Privacy Policy or your personal data, contact us at onescan.menu@outlook.com. We have not appointed a Data Protection Officer because we are not legally required to do so under GDPR Art. 37 (we are not a public authority, our core activities do not consist of large-scale systematic monitoring, and we do not process special-category data at scale).

2. Our Role and Your Role

For account holders (you): we act as the data controller for the personal data described in section 3, because we decide why and how we process it (running your account, billing, security, customer support).

For content you publish: the menus, item descriptions, images, and business information you upload are your content. If you choose to include personal data of third parties in that content (for example, naming an employee on a menu, or uploading a photo of an identifiable person), you are the controller of that personal data and we act only as a processor on your behalf, storing and displaying it as instructed. You are responsible for having a lawful basis to publish such data. Business customers who require a written Data Processing Agreement (DPA) under GDPR Art. 28 may request one at onescan.menu@outlook.com.

For diners scanning a QR menu: we deliberately collect no personal data from diners. Page views are recorded as a counter only, without IP address, device fingerprint, cookies, or any other identifier.

3. What Data We Collect

We collect the following categories of personal data:

Account data

  • Name, email address, and hashed password (or Google OAuth profile data)
  • Email verification status
  • Account preferences (locale, theme, plan)

Business content

  • Business names, descriptions, and locations you enter
  • Menu names, items, prices, categories, and descriptions
  • Images you upload for menu items (EXIF metadata is stripped on upload)
  • Translations you provide for menu content

Technical data

  • IP address and user-agent string (collected automatically during sign-in for session security and abuse prevention)
  • Session tokens (stored in an httpOnly, secure cookie)
  • Server logs containing the above for a short retention window

Payment data

  • Stripe customer ID and subscription ID (stored on our server)
  • Payment card details are collected and processed entirely by Stripe - we never see or store your card number

Usage data

  • Anonymous page-view counts for public menus (we record that a view happened, not who viewed it - no IP, cookie, or device data is stored for views)

4. How We Use Your Data

| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Provide and operate the Service (account management, menu hosting, QR codes) | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Send transactional emails (welcome, password reset, email verification, billing notices) | Performance of contract |
| Maintain session security and prevent abuse (IP address, user agent, rate limiting) | Legitimate interest (security) |
| Display anonymous view counts on dashboard | Legitimate interest (analytics) |
| Improve the Service and develop new features using aggregated and anonymised data that cannot be linked back to you | Legitimate interest (product development) |
| Reference your business name or publicly visible menu page as a customer example, unless you opt out by email | Legitimate interest (marketing) |
| Comply with legal obligations (tax records, fraud prevention, lawful requests) | Legal obligation |

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22.

5. Third-Party Services (Sub-processors)

We share personal data with the following third-party services, solely to provide the Service:

| Service | Purpose | Data Location |
| --- | --- | --- |
| Hetzner Online GmbH | Server hosting, database, image storage | Germany (EU) |
| Stripe Payments Europe Ltd. | Payment processing, subscription billing | EU / US (with EU SCCs) |
| Resend, Inc. | Transactional email delivery | US (with EU SCCs) |
| Google LLC (OAuth, optional) | Sign-in with Google, if you choose this method | US (with EU SCCs) |

We do not sell, rent, or trade your personal data. We do not use third-party advertising or analytics services. We may engage additional sub-processors as the Service evolves; an up-to-date list is available on request, and we will not engage any sub-processor that does not offer equivalent data-protection guarantees. We do not share data with any other parties except as required by law or court order.

6. International Data Transfers

Your data is primarily stored on servers in Germany (EU). Where data is transferred to processors outside the EU/EEA (Stripe, Resend, Google), we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) as the transfer mechanism, together with the technical and organisational safeguards imposed on those processors. A copy of the SCCs in force with each processor is available on request.

7. Cookies

OneScan uses only strictly necessary cookies:

  • An authentication session cookie (httpOnly, secure) that keeps you logged in for up to 7 days.
  • A theme preference cookie that remembers your dark/light mode choice for up to 1 year.

We do not use any tracking or advertising cookies. We run a privacy-respecting, self-hosted analytics tool (Umami) that derives session identifiers from a daily-rotating, non-personally-identifying hash and stores no cookies. Because all our cookies are strictly necessary for the Service to function and analytics is cookieless, no cookie consent banner is required under the ePrivacy Directive (2002/58/EC, Art. 5.3).

8. Data Retention

  • Account data and content: retained for as long as your account is active. We may delete inactive free accounts and their associated content after 12 months of inactivity following email notice. Account data and content are deleted within 30 days of a valid account-deletion request, except where retention is required by law.
  • Session data (IP, user agent): retained for the duration of the session (up to 7 days). Server access logs containing IP addresses are retained for up to 90 days for security and abuse-prevention purposes.
  • Payment records: Stripe customer and subscription IDs, invoices, and related billing records are retained for as long as required by tax and accounting laws (typically 10 years under Bulgarian law).
  • Anonymous view counts and aggregated analytics: retained indefinitely (no personal data is associated with views).
  • Backups: data may persist in encrypted backups for up to 30 days after deletion from the live system, after which it is purged on rotation.

9. Your Rights (GDPR)

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: correct inaccurate data (you can update your name and email directly in the app).
  • Right to erasure: request deletion of your account and all associated data, subject to legal retention requirements.
  • Right to data portability: request an export of your data in a structured, machine-readable format.
  • Right to restrict processing: request that we limit how we use your data while a complaint or correction is pending.
  • Right to object: object to processing based on legitimate interest, including marketing use of your business name (see section 4).
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
  • Right to lodge a complaint: you may lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP / Комисия за защита на личните данни, www.cpdp.bg) or with your local EU supervisory authority.

To exercise any of these rights, contact us at onescan.menu@outlook.com. We will respond within one month (extendable by two further months for complex requests under GDPR Art. 12(3)). We may ask you to verify your identity before acting on a request, and we may decline or charge a reasonable fee for manifestly unfounded or excessive requests.

10. Data Security and Breach Notification

We implement appropriate technical and organisational measures to protect your personal data, including: encrypted connections (TLS/HTTPS) for all data in transit; hashed passwords (never stored in plain text); httpOnly, secure session cookies; database hosted in EU data centres with access controls; rate limiting and abuse monitoring; and regular security updates to our infrastructure. No system is 100% secure, but we take reasonable precautions to protect your data.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Bulgarian CPDP within 72 hours of becoming aware of it where feasible, and will inform affected users without undue delay where the breach is likely to result in a high risk, in accordance with GDPR Articles 33 and 34.

11. Children

The Service is not directed at individuals under the age of 18 and is intended for business use. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service. The "Last updated" date at the top reflects the most recent revision. Non-material changes (clarifications, formatting, sub-processor list updates) may be made without prior notice.

13. Contact

OneScan

Varna, Bulgaria

Email: onescan.menu@outlook.com