Last updated: January 11, 2026
1. Introduction
CaterQ ("we", "our", or "us") is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and Belgian privacy laws.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our catering management platform.
2. Data Controller
CaterQ
[Your Business Address]
Belgium
Email: privacy@caterq.com
3. Data We Collect
3.1 Account Information
- Name and email address
- Organization/business name
- Password (encrypted)
- Payment information (processed securely by Stripe)
3.2 Business Data
- Event information (names, dates, locations)
- Menu items and pricing
- Inventory data
- Customer orders and names
3.3 Customer Contact Information (Optional)
When customers place orders, they may optionally provide:
- Email address (for order status updates)
- Phone number (for order status notifications)
- Explicit consent to receive updates via email and/or SMS
This information is collected only with explicit opt-in consent and is used solely for sending order-related updates.
3.4 Technical Data
- IP address and browser information
- Session data and authentication tokens
- Usage analytics (anonymized)
4. Legal Basis for Processing
Under GDPR, we process your data based on:
- Contract Performance: To provide our catering management services
- Legitimate Interests: To improve our platform and prevent fraud
- Legal Obligations: To comply with tax and accounting requirements
- Explicit Consent: For sending order status updates via email or SMS (customers must opt-in)
- Consent: For other marketing communications (you can withdraw anytime)
5. How We Use Your Data
- To provide and maintain the CaterQ platform
- To process payments and subscriptions
- To send service-related notifications
- To send order status updates to customers (with explicit consent)
- To provide customer support
- To improve our services and develop new features
- To comply with legal obligations
6. Data Sharing and Third Parties
We share your data only with trusted service providers who have committed to GDPR compliance through Data Processing Agreements:
- Stripe: Payment processing (PCI-DSS compliant, DPA in place)
- Supabase: Database hosting (EU servers, DPA available)
- Vercel: Application hosting (US-based with standard contractual clauses)
- Resend: Transactional email service (GDPR-compliant, DPA available)
All service providers have Data Processing Agreements in place ensuring GDPR compliance. We never sell your personal data to third parties.
6.1 Sub-processors
Our service providers may use the following sub-processors:
- Stripe & Stripe Partners: Payment processors, fraud detection providers (see stripe.com/partners)
- Supabase & AWS: Amazon Web Services (infrastructure provider, EU Frankfurt region)
- Vercel & Vercel Partners: Cloudflare (CDN/DDoS protection), Google Cloud (backup/logging)
- Resend & Email Infrastructure: Amazon SES (email delivery infrastructure)
We maintain an up-to-date list of all sub-processors. For the complete current list, please contact us at privacy@caterq.com.
7. Your Rights Under GDPR
As a data subject in the EU/Belgium, you have the following rights:
- Right to Access (Article 15): Request a copy of your personal data in JSON format
- Right to Rectification (Article 16): Correct inaccurate data
- Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON/CSV)
- Right to Object (Article 21): Object to processing, including unsubscribing from emails
- Right to Withdraw Consent (Article 7): Withdraw consent for any consent-based processing
- Right Not to be Subject to Automated Decision-Making (Article 22): We do not use automated profiling
7.1 How to Exercise Your Rights
To exercise any of these rights, use our automated data subject request system:
- Request Access: POST to /api/data-subject-request/access
- Request Portability: POST to /api/data-subject-request/portability
- Request Erasure: POST to /api/data-subject-request/erasure
- Check Status: GET /api/data-subject-request/status?email=you@example.com
Or contact us at privacy@caterq.com and we will process your request within 30 days.
Note: Unsubscribe links in our emails also allow you to exercise the right to object. Data subject requests are logged and tracked for compliance purposes.
8. Data Retention
We retain your data for as long as your account is active. After account deletion:
- Account data is deleted within 30 days
- Financial records are retained for 7 years (Belgian tax law requirement)
- Anonymized analytics may be retained indefinitely
8.1 Customer Order Contact Information
For customer contact information provided during order checkout:
- Retention Period: 30 days from order date
- Purpose: To send order status updates (when the customer has consented)
- Automatic Deletion: Email addresses and phone numbers are automatically deleted 30 days after order creation
- Manual Unsubscribe: Customers can unsubscribe from updates at any time by clicking the unsubscribe link in any email
- Non-PII Retained: Order ID and call number are retained for business records without personal contact information
This short retention period ensures we comply with privacy best practices by minimizing data storage and automatically respecting customers' privacy after the order fulfillment period.
9. Data Security
We implement industry-standard security measures:
- Encryption in Transit: HTTPS/TLS 1.2+ for all data transmission
- Encryption at Rest: Database encryption for sensitive data fields
- Access Control: Role-based access control (RBAC) following the principle of least privilege
- Authentication: Multi-factor authentication (MFA) available for staff accounts
- Service Keys: Service role keys required for sensitive API operations
- Secure Data Centers: EU-hosted data centers (Supabase - Frankfurt, Ireland)
- Regular Security Audits: Security reviews conducted regularly
- Dependency Updates: Regular patching and security updates
- Audit Logging: All data access and modifications are logged
- Vendor Security: All service providers are SOC 2 or ISO 27001 certified
9.1 Payment Card Security
Payment processing is handled exclusively by Stripe, which is PCI-DSS Level 1 certified. We never store or process credit card information directly.
9.2 Data Breach Response
In the event of a data breach, we will:
- Notify affected users within 72 hours (as required by GDPR Article 33)
- Notify relevant authorities if required by law
- Document the breach and remediation steps taken
- Contact: security@caterq.com
10. International Transfers
Your data is primarily stored on EU servers. When we use services outside the EU, we ensure adequate safeguards are in place through:
- Standard Contractual Clauses (SCCs)
- Privacy Shield certified providers (where applicable)
- Data Processing Agreements
11. Data Processing Agreements (DPA)
We maintain Data Processing Agreements with all third-party service providers as required by GDPR Article 28. These agreements ensure that:
- Data is processed only as instructed by CaterQ
- Appropriate security measures are in place
- Sub-processors are disclosed and approved
- Data subject rights are respected
- Assistance is provided for data subject requests
Our service providers with DPAs in place include:
- Stripe (stripe.com): Privacy & DPA Information
- Supabase (supabase.com): Data Processing Agreement
- Resend (resend.com): Privacy & DPA Information
- Vercel (vercel.com): Data Processing Agreement
For a copy of our Data Processing Agreement or to discuss data processing practices, please contact us at privacy@caterq.com.
12. Cookies
We use essential cookies for authentication and functionality. See our Cookie Policy for details.
13. Children's Privacy
CaterQ is not intended for individuals under 16 years of age. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the platform.
15. Complaints
If you have concerns about how we handle your data, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit/Autorité de protection des données):
Gegevensbeschermingsautoriteit
Drukpersstraat 35, 1000 Brussels
Email: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be
16. Contact Us
For any privacy-related questions or to exercise your rights:
Email: privacy@caterq.com
Or visit our contact page