This Privacy Policy explains how Served HQ handles personal data for platform users, business staff, customers who interact with Served HQ-powered pages, and visitors to our public website.
1. Data roles
For business account and platform administration data, Served HQ generally acts as controller. For customer data submitted to a specific business through menus, bookings, orders, loyalty or forms, the business is usually the controller and Served HQ acts as processor or service provider, except where we process data for security, fraud prevention, legal compliance, analytics, billing or platform operations.
2. Information we collect
- Account data: name, email, password credentials, verification status, role, business association and support messages.
- Business data: business name, address, contact details, settings, service/menu content, logos, images, domains, opening hours, add-ons and billing status.
- Customer data: details submitted through a business page, including order, booking, loyalty, contact, delivery or collection information where enabled.
- Payment data: payment status, customer references, checkout identifiers, invoices, subscription metadata and connected account status. Full card data is handled by payment providers where applicable.
- Technical data: IP address, browser, device, operating system, pages visited, timestamps, referrers, logs, cookies, session identifiers and security events.
- QR and analytics data: scan timestamps, QR code identifiers, approximate technical context, source or campaign information and aggregated engagement reporting.
3. IP addresses, logs and device data
We may collect and store IP addresses and related technical logs to operate the service, protect accounts, detect abuse, investigate fraud, rate-limit requests, diagnose errors, measure QR activity, comply with legal obligations and maintain security. IP data may sometimes be considered personal data.
Businesses may receive analytics or security views that include QR scan trends, visit counts, timestamps, sources, approximate location signals or technical metadata where this is necessary to provide the feature. We do not intend businesses to use IP addresses to identify individuals unless there is a lawful basis and a legitimate operational or security need.
4. How businesses can see customer details
Businesses can view customer details submitted to their own workspace, such as order names, contact details, reservation requests, loyalty records, notes, fulfilment information and payment status. This access exists so the business can provide the requested service, handle support, comply with records obligations, manage loyalty and understand operational activity.
Businesses are responsible for limiting staff access, using strong passwords, training their team, exporting data responsibly and responding to customer privacy requests that relate to their business operations.
5. How we use data
- Provide, maintain and improve Served HQ.
- Create accounts, authenticate users and manage permissions.
- Process orders, bookings, loyalty activity, QR scans and business settings.
- Send transactional emails, service updates, security notices and support replies.
- Enable billing, subscriptions, connected payments, invoices and payment provider checks.
- Prevent fraud, abuse, security incidents, policy breaches and unlawful activity.
- Comply with legal, tax, accounting, regulatory, dispute and enforcement obligations.
- Produce aggregated or anonymised insights that do not reasonably identify an individual.
6. Sharing data
We may share data with hosting providers, email providers, payment providers, analytics and security tools, support systems, professional advisers, authorities where legally required, and businesses whose customers submitted the relevant information. We do not sell personal data.
7. Retention
We keep data for as long as needed to provide Served HQ, maintain records, support businesses, resolve disputes, prevent abuse, comply with law and enforce agreements. Businesses may also have their own retention obligations for customer, order, booking and tax records.
8. Customer rights
Depending on applicable law, individuals may have rights to access, correct, delete, restrict or object to certain processing, request portability, or complain to a regulator. Requests about a specific order, booking or loyalty account may need to be handled by the business that owns that customer relationship.
9. Security
We use reasonable technical and organisational measures to protect data, but no online service is completely risk-free. Businesses must protect their own devices, accounts, staff access, exports and customer communications.