Privacy Policy
Last updated: April 8, 2026
1. Introduction
ordiza.com ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our Service.
We comply with the General Data Protection Regulation (GDPR) for users in the EU/EEA, and applicable data protection laws in Bosnia and Herzegovina.
2. Data Controller
ordiza.com is the data controller for personal data processed through the platform. For data protection enquiries, contact us at: privacy@ordiza.com
3. Data We Collect
3.1 Account Data (Restaurant Owners)
- Name and email address
- Restaurant name, address, phone number
- Billing information (processed by Paddle — we do not store card details)
- Login credentials (password stored as a secure hash)
3.2 Usage Data
- IP address, browser type, device information
- Pages visited, actions performed within the Service
- Error logs and diagnostic data
3.3 Customer Data (End Customers of Restaurants)
When end customers use QR menus and place orders, we may process:
- Optional name and contact information (only if provided)
- Order details and preferences
- Table session tokens (temporary, non-personal identifiers)
Restaurant operators act as independent data controllers for their customers' data. They are responsible for their own privacy obligations toward end customers.
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and improving the Service | Contract performance |
| Processing subscription payments | Contract performance |
| Sending service notifications and updates | Legitimate interest / consent |
| Security, fraud prevention, and compliance | Legitimate interest / legal obligation |
| Analytics and platform improvement | Legitimate interest |
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only with trusted service providers necessary to operate the platform:
- Paddle.com — payment processing and subscription management (Merchant of Record)
- Hosting provider — cloud infrastructure for running the Service
- Email service provider — transactional and system emails
All third-party processors are bound by data processing agreements and are required to protect your data.
We may disclose data if required by law or to protect our legal rights.
6. Data Retention
- Account data is retained for as long as your account is active, plus up to 3 years after closure for legal and accounting purposes
- Order data is retained for 5 years for accounting compliance
- Log data is retained for up to 90 days
- Table session tokens expire after 3 hours
7. Your Rights
If you are in the EU/EEA, you have the following rights under GDPR:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request we limit processing of your data
To exercise any of these rights, contact us at privacy@ordiza.com. We will respond within 30 days.
8. Cookies
We use essential cookies required for the Service to function (session management, CSRF protection). We do not use third-party tracking or advertising cookies.
9. Security
We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (HTTPS), hashed passwords, and access controls. However, no method of transmission over the internet is 100% secure.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice in the Service. Continued use of the Service after changes constitutes acceptance.
11. Contact and Complaints
For privacy-related questions: privacy@ordiza.com
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority.