FastQRMenu
HomeStart free

Privacy Policy

Privacy Policy

This page explains what the current FastQRMenu application collects, why it is processed, where it is stored, and how restaurant operators and diners can exercise their privacy choices.

Last updated April 16, 2026

01

What this policy covers

This Privacy Policy applies to FastQRMenu, a QR menu and restaurant ordering application used by restaurant operators and diners who place table orders through QR codes.

It covers the information processed through the current version of the application, including owner account creation, restaurant profile management, menu publishing, table QR routing, live order handling, and basic site analytics.

02

Information we collect

For restaurant operators, the app collects account and workspace information such as name, email address, restaurant name, logo, phone number, address, currency, and open or closed ordering status.

For diners using a QR code, the app processes table token information, selected menu items, quantities, item notes, optional guest count, optional order-level notes, order timestamps, and order status updates. The current product does not require diners to create accounts before submitting an order.

The current codebase also uses some publicly readable data paths to support table routing, checkout, and order-status lookups:

  • Authentication data is handled through Firebase Authentication for owner login and registration.
  • Restaurant and order records are stored in Firebase Firestore.
  • Cloudinary receives only restaurant owner-uploaded images such as logos and menu item photos. Diner order data is never sent to Cloudinary.
  • Umami analytics are loaded on the public marketing pages and the customer-facing order flow at /order. Umami is a privacy-friendly analytics tool that does not use cookies or collect personally identifiable information.
  • Public table-routing records (stored in a public data path) are used to send diners to the correct restaurant and table. These records contain the table name, table number, token, and a reference to the restaurant.
  • Public order-status mirror records (stored in a public data path) may be written when an order status is updated so diners can check order status without authentication. This feature is currently partial, and these writes may not always succeed.
  • A sequential order counter (stored in a public data path) is publicly readable to support order number generation during checkout.
03

Browser storage and session data

The diner cart is stored in browser local storage on a per-table basis so a guest can keep selected items, quantities, notes, and guest count while moving between the menu and cart screens.

This cart data remains in the browser until the user clears browser storage. Diners can clear it at any time through their browser's storage or privacy settings.

The cart is not transmitted to any server until the diner explicitly submits an order.

The application and its third-party providers may also use cookies, local storage, or similar technologies to maintain owner authentication sessions and support normal product functionality. Umami analytics are loaded on the public marketing pages and the customer-facing order flow at /order, but Umami does not use cookies or collect personally identifiable information.

04

How we use information

We use information to create and secure owner accounts, show restaurant branding and menu content, route diners to the correct table, create and display orders, deliver live order notifications, and keep the service functioning.

We may also use technical and analytics information to diagnose failures, investigate abuse, improve performance, and understand which parts of the product are being used.

05

Legal basis for processing

We process personal data on the following legal bases:

  • Contract performance: processing owner account and restaurant data is necessary to provide the service under our Terms and Conditions.
  • Legitimate interest: analytics and abuse prevention are processed based on our legitimate interest in operating and improving the service.
  • Consent: where required by applicable law, we rely on consent for optional data such as order notes provided voluntarily by diners.
  • These legal bases apply in addition to any requirements under Egypt's Personal Data Protection Law No. 151/2020.
06

When information is shared

Information is shared with infrastructure and software providers only as needed to operate the current product. In the present codebase, that includes Firebase for authentication and database services, Cloudinary for restaurant owner-uploaded images such as logos and menu item photos, and Umami for analytics on the public marketing pages and the customer-facing order flow. Diner order data is never sent to Cloudinary.

Information may also be disclosed when reasonably necessary to comply with law, enforce terms, respond to valid legal requests, or protect the rights, safety, and security of the service, restaurants, diners, or the public.

07

Retention

We retain information according to the following schedule:

  • Owner account and restaurant data are retained for the lifetime of the active account and deleted within 30 days of account closure on request.
  • Order records are retained for up to 12 months from the order date, after which they may be deleted or anonymized.
  • Diner cart data is stored only in the browser and cleared when browser storage is cleared.
  • Analytics data is subject to Umami's own retention policy.
08

Security

The product uses third-party infrastructure and authentication services intended to support secure access and data storage, but no internet service can guarantee absolute security.

Restaurant operators are responsible for safeguarding account credentials, limiting dashboard access to authorized staff, and avoiding entry of sensitive personal data into free-text order notes unless it is truly necessary.

09

Your choices

Restaurant operators can update restaurant profile information from the dashboard and can control whether a restaurant is marked open for new QR orders. Diners can choose not to add optional notes or guest counts when placing an order.

To request access to, correction of, or deletion of your data, contact us at [email protected]. We will respond to valid requests within 30 days.

10

Children and international use

This service is not designed for children to create owner accounts, and the current product is not intentionally built to collect sensitive information from children.

Data processed through this service may be transferred to and stored in servers located outside Egypt. Firebase (operated by Google) may store data in the United States or European Union. Cloudinary may store uploaded images in the United States. These providers maintain their own data protection certifications and safeguards. By using this service, restaurant operators and diners acknowledge that their data may be processed in these jurisdictions.

11

Changes to this policy

We may update this policy when the product changes, new providers are added, or legal requirements evolve.

We will notify users of material changes by updating the effective date on this page.