Privacy Policy
Summary
How we collect, use, store, and share personal data under GDPR and KVKK.
1. Summary
This Privacy Policy explains how Flexton LLC, the operator of the Qoro platform, collects, uses, stores and shares personal data when you use the Service. It is aligned with the EU General Data Protection Regulation (GDPR) for users in the European Economic Area and with the Turkish Personal Data Protection Law (Law No. 6698 / KVKK) for users in Turkey. In brief: we process Tenant account data under the contract we have with you; for End Customer order data, the Tenant is the Controller and we are the Processor; we transfer data to international infrastructure providers (payment, database, hosting) under appropriate safeguards.
2. Controller & Representatives
Data Controller:
Flexton LLC
7901 4th St N, Suite 300, St. Petersburg, FL 33702, United States
Email: hello@qoro.cc
Businesses using the platform as Tenants are the Controller for their End Customers' personal data; Flexton acts as the Processor on the Tenant's instructions. See Data Processing Agreement.
3. Data We Collect
3.1 Tenant Account Data
- Identity & contact: Name, email, business name, phone (optional).
- Authentication: Hashed password, 2FA device info, passkey public key.
- Financial: Subscription plan, billing address, tax ID. Card details are not stored on Flexton servers — they are tokenised by the Payment Processor.
3.2 Tenant Data (Content Uploaded to the Platform)
- Menu categories, products, prices, portions, allergen/diet labels
- Product images and videos
- Table / floor plan, QR codes
- Staff (tenant_staff) records — name, role, PIN hash, invitation email
3.3 End Customer (Guest) Data
- Order content, table info, order notes, applied promotions
- Session identifier (browser local storage). Name, phone and email are not requested by default — but the Tenant may enable these fields optionally.
- Optional: product likes, reviews, Google-review redirect click counts.
3.4 Technical & Usage Data
- IP address (security logs, rate limiting)
- Device / browser (User-Agent)
- Page access, error reports (Sentry — only active with cookie consent)
4. Purposes & Legal Bases
Our processing purposes and the corresponding legal basis under KVKK Art. 5 / GDPR Art. 6:
- Provide the Service (accounts, orders, payments): KVKK Art. 5/2-c (contract performance) / GDPR Art. 6(1)(b).
- Billing & subscription management: KVKK Art. 5/2-c + 5/2-a (legal obligation, tax law) / GDPR Art. 6(1)(b) + 6(1)(c).
- Security, fraud prevention, system improvement: KVKK Art. 5/2-f (legitimate interest) / GDPR Art. 6(1)(f). IP and User-Agent logs fall under this basis.
- Marketing communications, product announcements: KVKK Art. 5/1 (explicit consent) + Turkish ETK Art. 6 / GDPR Art. 6(1)(a). Opt-in collected separately at onboarding; revocable at any time.
- Analytics / performance cookies: Explicit consent via cookie banner / GDPR Art. 6(1)(a) + ePrivacy Directive Art. 5(3).
- Legal claims and defence: KVKK Art. 5/2-ç, e / GDPR Art. 6(1)(c), 6(1)(f).
5. International Transfers
5.1 Infrastructure & Sub-processors
We rely on the following infrastructure providers (sub-processors). Full list and contract details in DPA Exhibit A: /legal/dpa.
- Application hosting: US and EU-West edge regions (processed in the data centre geographically closest to the user).
- Database & authentication: EU-West (Frankfurt / Ireland).
- Payment processing: US/Ireland-based PCI-DSS Level 1 certified infrastructure.
- Email delivery: EU-West.
- Error monitoring: EU-West (active only with cookie consent).
5.2 Transfer Safeguards
For users in Turkey, personal data is transferred with explicit consent or under appropriate safeguards (cross-border transfer commitment/agreement) as required by KVKK Art. 9. For users in the EEA, we rely on Standard Contractual Clauses (SCC) 2021/914 under GDPR Art. 46.
6. Retention Periods
- Active account: retained while the account is active.
- After account closure: 30-day read-only export window, then deletion.
- Statutory invoice retention: 10 years (Turkish Tax Procedure Law, US IRS) — archived in anonymised form.
- Security & audit logs: 90 days to 1 year, depending on type.
- Marketing email list: until opt-out; post-opt-out, an unsubscribe suppression hash is retained to avoid re-adding.
7. Your Rights
Under KVKK Art. 11 and GDPR Art. 15–22 you have the right to:
- know whether your personal data is being processed;
- know the purposes of processing and whether they are being met;
- know the third parties to which data is disclosed domestically or abroad;
- request correction of incomplete or inaccurate data;
- request deletion or destruction (KVKK Art. 7 / GDPR Art. 17 “right to be forgotten”);
- request restriction of processing (GDPR Art. 18);
- data portability — receive data in a structured, commonly used, machine-readable format (GDPR Art. 20);
- object to automated decision-making and profiling (GDPR Art. 22);
- claim compensation for damages;
- lodge a complaint with the supervisory authority (Turkish KVKK Authority or the relevant EU DPA).
8. How to Exercise Your Rights
To exercise your rights, send a written request to hello@qoro.cc. Under KVKK Art. 13 you may also submit a request via KEP (registered electronic mail) or a signed physical letter to our postal address. Requests are free of charge; a reasonable fee may apply for manifestly unfounded or repetitive requests. Requests are resolved within 30 days (KVKK) or one month (GDPR, extendable by two months for complex requests).
We may request additional information to verify your identity. Account holders may also use the in-platform self-service deletion/export flow (roadmap — arrives with Blok G-II).
9. Security Measures
Principal technical and organisational measures we apply:
- Encryption: AES-256 at rest, TLS 1.2+ in transit.
- Row-Level Security (RLS): database-level isolation by tenant_id; no Tenant can access another Tenant's data.
- Access control: least-privilege for staff, mandatory 2FA, audit logs.
- Passwords: bcrypt/argon2 hashing; plaintext passwords are never stored.
- Backups: daily automated backups with a tested disaster recovery plan.
- Infrastructure monitoring: 24/7 anomaly and security alerting; rate limiting; bot defence via Cloudflare Turnstile.
- Privacy by design: data collection is minimised; no unnecessary fields.
10. Children's Data
The Qoro platform is not directed at children under 13. In line with the US COPPA and KVKK age thresholds, we do not knowingly collect personal data of a child under 13. If we learn we have collected such data, we delete it promptly. Where a Tenant's menu is opened by a minor End Customer, data collection is limited to the Tenant's business flow and is the Tenant's responsibility.
11. Breach Notification
In the event of a personal data breach, we notify the Turkish KVKK Authority and, under GDPR Art. 33, the competent supervisory authority within 72 hours. Where the breach is likely to result in a high risk to individuals, affected users are notified directly (GDPR Art. 34 / KVKK Art. 12/5). Internal incident runbook: (internal — docs/incidents/data-breach-runbook.md).
12. Changes
We reserve the right to update this policy. For material changes, we give at least 30 days' prior notice by email and in-platform notification. The version is visible via the chip at the top of each page; version history will be published alongside the next material revision.
13. Language & Binding Version
This policy is published in Turkish and English. For users resident in Turkey, the Turkish version is binding; for users elsewhere, the English version is binding. Translations into other languages are provided for convenience only.
14. Contact
For privacy questions: hello@qoro.cc
Flexton LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, United States.