This policy is currently in draft and pending legal review. Some details (subprocessor names, exact retention periods, DPO appointment) are marked as placeholders and will be confirmed when the policy is finalised.
1. Who we are
QR Express is a service operated by BYTEGEARS LTD, a company registered in England and Wales under company number 12638514, with its registered office at 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), BYTEGEARS LTD is the data controller in respect of:
- visitors to our websites (qrexpress.co.uk and qrexpress.pl),
- prospective and current restaurant clients who register for or use QR Express, and
- personal data we process for our own business purposes.
In respect of personal data belonging to guests of restaurants that use QR Express (for example, a diner scanning a QR code to place an order), the restaurant is the data controller and BYTEGEARS LTD acts as the data processor under a separate Data Processing Agreement. See section 3.
We have not appointed a Data Protection Officer; .
For any privacy-related question you can contact us at contact@qrexpress.co.uk.
2. What personal data we collect
2.1 Website visitors
When you submit one of our forms (contact, consultation request, reservation enquiry), we collect:
- your email address (contact form), or
- your name, restaurant name, email, phone number, preferred date/time and any free-text message you send us (consultation / reservation forms).
We also collect technical data automatically when you browse the site: IP address (truncated where possible), device and browser information, referring page, and pages viewed. See our Cookie Policy for detail.
2.2 Restaurant clients (dashboard users)
When a restaurant signs up for QR Express we process:
- account contact details (name, business email, phone),
- billing details (business name, address, VAT number where applicable, payment method metadata — full card data is held by our payment processor, not by us),
- authentication data (hashed password, session tokens),
- usage logs and support correspondence.
2.3 Restaurant guests (end users of the QR ordering flow)
When a diner uses a QR Express ordering or payment flow at a restaurant, we may process on the restaurant’s behalf:
- name (if entered),
- contact details (email or phone, where required for order confirmation),
- order content (items, modifiers, table number),
- payment metadata (transaction ID, amount, status — never full card data),
- timestamps and device information.
This data is processed under the instructions of the restaurant, which is the controller.
3. Why we use it and our lawful basis
We rely on the following lawful bases under Article 6 UK/EU GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide QR Express to restaurant clients, manage accounts, and process payments.
- Legitimate interests (Art. 6(1)(f)) — to respond to enquiries, secure our service, prevent fraud and abuse, analyse aggregate usage, and contact business prospects who have asked to be contacted. Our legitimate interests are balanced against your rights, and you can object at any time.
- Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails, and any optional features. Consent can be withdrawn at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other statutory obligations.
4. Who we share data with
We share personal data only with categories of recipients that need it to deliver the service:
- Hosting and infrastructure providers (cloud hosting, CDN, email delivery).
- Payment processors for card and online payments — .
- Analytics providers — self-hosted Umami-compatible analytics on stats.bytegears.com, and PostHog product analytics.
- Customer support tools — Tawk.to live chat.
- Professional advisers (accountants, lawyers) under duties of confidentiality.
- Public authorities where required by law.
Some of these recipients act as our subprocessors under written contracts. A current list is available on request and will be published at .
5. International transfers
Some of our providers are located outside the UK and the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards, including the UK International Data Transfer Agreement / Addendum and the European Commission’s Standard Contractual Clauses (SCCs), supplemented by additional measures where necessary.
6. How long we keep it
We keep personal data only for as long as we need it:
- Lead and enquiry data (form submissions): up to 24 months from last contact, unless you object earlier.
- Account data: for the life of your QR Express account, plus 6 years afterwards to meet UK statutory record-keeping obligations.
- Transaction and invoice data: retained for the period required by tax and accounting law (typically 6 years in the UK).
- Support correspondence: up to .
- Analytics data: aggregated or pseudonymised; see the Cookie Policy.
When the retention period ends, we delete or anonymise the data.
7. Your rights
Under UK/EU GDPR you have the right to:
- access your personal data,
- have inaccurate data corrected,
- have your data erased (“right to be forgotten”),
- restrict our processing of your data,
- receive your data in a portable format,
- object to processing based on legitimate interests or for direct marketing,
- withdraw consent at any time where processing is based on consent,
- lodge a complaint with the UK Information Commissioner’s Office (ICO, ico.org.uk).
To exercise any of these rights, email us at contact@qrexpress.co.uk. We will respond within one month.
8. Cookies
We use cookies and similar technologies to operate the website, remember preferences, and measure usage. Details, including the categories used and how to manage them, are set out in our Cookie Policy.
9. Children
QR Express is a B2B service intended for restaurant operators. It is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, restricted access, hashed credentials, and routine backups. No system is completely secure; if we become aware of a personal data breach affecting your rights, we will notify the ICO and you in line with our legal obligations.
11. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top shows when it was last changed. Material changes will be flagged on the website.
12. Contact
Questions, requests, or complaints:
BYTEGEARS LTD
27 Old Gloucester Street, London, WC1N 3AX, United Kingdom
Email: contact@qrexpress.co.uk