Privacy Policy
Effective date: 2026-07-09
1. Who we are
ExcuseMe is operated by EXCUSEME DOO NIŠ, a Serbian limited liability company (društvo s ograničenom odgovornošću) trading as ExcuseMe, with registered office at Stanoja Bunuševca 73, Niš, Serbia, company registration number (matični broj) 22310968 and tax identification number (PIB) 115748813 ("ExcuseMe", "we", "us", "our"). If you have questions about this policy or about how we handle personal data, contact us at privacy@excuseme.pro.
We have not appointed a Data Protection Officer (DPO). Data protection inquiries are handled by our team at privacy@excuseme.pro.
2. Scope of this policy
This policy covers personal data we process when you:
- Visit our website at excuseme.pro.
- Create an admin account for a venue ("Admin User").
- Place an order as a customer at a venue using ExcuseMe ("Guest User").
- Sign in with Google to join the loyalty programme at a venue.
- Contact us for support, sales, or general enquiries.
It does not cover data that a venue collects from you outside ExcuseMe (their own booking system, their POS, their CRM). When a venue uses ExcuseMe, we act as a data processor for the personal data they control; our relationship with that venue is governed by a separate Data Processing Agreement.
3. What personal data we collect
3.1 From Admin Users (venue staff)
- Account data: name, email, password hash (when password auth is used), OAuth tokens (when Google, Microsoft, or Apple sign-in is used), role (owner / manager / location_manager / staff / runner), tenant + location assignments.
- Session data: cookies for authentication, IP address, browser user-agent, last-activity timestamps.
- Operational logs: which admin actions you performed (staff invites, role changes, loyalty adjustments, super-admin tenant configuration changes, and other privileged actions), timestamps, the tenant + location the action belongs to, and the IP address + user-agent of the request. Retained 12 months in active storage plus up to 10 years in a restricted archive, and visible only to staff at the relevant venue (owner / manager role) and to ExcuseMe super-admins.
3.2 From Guest Users (ordering customers)
- Order data: items ordered, quantities, modifier choices, payment method selected, total amount, order timestamps, the table / zone / location it's placed at.
- Device + geolocation data (for fraud prevention): device fingerprint (hash of browser + OS characteristics), coarse GPS location at scan time (latitude/longitude, distance from the QR code's registered location), fraud classification outcome.
- Loyalty data (if the guest signs in): Google account identifier, email, name (as returned by Google), points balance per venue, redemption history.
- AI conversation data: the text of what you type to the AI bartender, plus voice audio if you use voice ordering. Voice audio is streamed directly between your browser and the voice provider selected for the venue over an encrypted connection; ExcuseMe itself never stores the raw audio. The voice provider's own retention is governed by its commercial terms. See the Subprocessors list for the current provider list and transfer safeguards. Voice transcripts (text derived from the audio) are stored as chat messages and follow the 30-day retention in §5.
3.3 Technical + analytics data
- Server logs (request path, status code, latency, IP address, timestamp) retained for operational debugging — 30 days.
- Analytics: ExcuseMe does not use analytics cookies or trackers at the moment. If we add analytics in the future, this policy will be updated and, where required, a consent mechanism will be provided before non-necessary cookies or storage are used.
We do not sell personal data to third parties. We do not use personal data for advertising outside our own first-party marketing.
4. Why we process it (legal bases)
ExcuseMe wears two different hats, and the legal basis depends on which one applies:
- As a controller, we decide why and how the data is processed. This covers venue staff (Admin User) accounts, our billing relationship with the venue, platform fraud-prevention and security, and our own first-party marketing. For these we rely on the GDPR Article 6 bases in §4.1.
- As a processor, we handle data on a venue's documented instructions — the venue is the controller and decides the purpose and legal basis; we only act on its behalf under the Data Processing Agreement. This covers guest orders, the loyalty programme, and AI bartender / voice conversations tied to a venue's relationship with its guests (§4.2).
4.1 Where ExcuseMe is the controller
Under GDPR Article 6, we rely on the following legal bases:
| Purpose | Legal basis | Notes | |---|---|---| | Providing the service to a venue's admin account | Contract (Art. 6(1)(b)) | Necessary to deliver what the venue signed up for. | | Platform fraud detection (device fingerprint + geolocation) | Legitimate interest (Art. 6(1)(f)) | Prevents order fraud and false-delivery attacks against the platform and its venues. Geolocation only captured at scan time, with the user's device permission. | | Billing + invoicing the venue | Contract (with venue) + Legal obligation (tax records) | Handled by Paddle as Merchant of Record. | | Security, audit, incident response | Legitimate interest · Legal obligation | Log retention scoped to the minimum needed. |
4.2 Where ExcuseMe acts as a processor (on a venue's instructions)
For the processing below the venue is the controller and determines the purpose and the Article 6 basis; ExcuseMe processes only on the venue's documented instructions under the Data Processing Agreement. The basis column reflects the basis the venue typically relies on.
| Purpose | Controller's typical basis | Notes | |---|---|---| | Taking a Guest's order + routing it to the venue | Contract (Guest with venue) | Necessary to fulfil the order the guest placed at the venue. | | AI bartender conversations + voice STT/TTS | Contract (via the venue) · Consent where required | Voice permission is requested by the browser before any audio capture. | | Loyalty programme (points balance, redemption) | Consent (Art. 6(1)(a)) | Guests explicitly sign in to opt in; can delete their account any time. |
5. How long we keep it
We follow a two-stage retention model on transactional records. The active period (operational use, customer-visible history, fraud-dispute window) is short. After the active period, records move to a separate archive containing only what tax law requires us to retain; that archive is accessible only through controlled server-side processes, never via the regular app or public APIs. At the fiscal maximum (10 years) the archived records are deleted.
You can request that your personal data be anonymised at any time — see §8. Anonymisation removes the link between you and your past orders across both the active records and the archive, while preserving the de-identified transaction record we are required to keep for tax purposes.
| Data | Active retention | Archive retention | Mechanism | |---|---|---|---| | Admin accounts | Until you or the venue delete the account | — | Account deletion | | Orders | 12 months (live, customer-visible) | up to 10 years (fiscal record only) | Moved to a restricted archive at 12 months; deleted at 10 years | | Order items + modifiers | Same lifecycle as the parent order | Same lifecycle as the parent order | Follows the parent order | | Loyalty transactions (ledger) | 12 months (live) | up to 10 years (fiscal record only) | Moved to a restricted archive at 12 months; deleted at 10 years | | Chat messages (AI bartender text) | 30 days | — | Automatically deleted at 30 days | | Voice audio | Not stored — transcribed in transit and discarded immediately | — | No persistence | | QR sessions (device fingerprint, scan location) | 3 months | — | Automatically deleted at 3 months | | Server logs | 30 days | — | Operational debugging | | Analytics events | Not applicable — no analytics today | — | See §3.3 |
Backups of the database are retained for up to 90 days; deletion and anonymisation requests propagate to backups within that window.
Within the legal archive window, we minimise the identifying link to you. If you request anonymisation (§8), your personal identifiers are stripped from active records and the archive where legally possible, leaving only the de-identified transaction record needed to satisfy legal obligations.
6. Who we share it with
Sub-processors
We use third-party providers to run parts of the service. Each is bound by a data-processing agreement and reviewed for adequate safeguards. See the Subprocessors list for the full set.
Venues
When you order as a Guest, your order is delivered to the venue that owns the QR code you scanned. The venue acts as the data controller for that order.
Legal and regulatory
We will disclose personal data if we are legally required to (subpoena, court order, binding regulator request). We will push back on any request that appears overbroad.
Acquirers
If ExcuseMe is acquired, merged, or sold, personal data may transfer to the acquiring entity. The acquirer inherits the same obligations under this policy until a new policy is communicated with at least 30 days notice.
What we do NOT do
- We do not sell personal data.
- We do not share personal data with advertisers.
- We do not use Guest ordering data to train public AI models.
7. International transfers
Our primary infrastructure runs in the European Union — Supabase (Postgres + Auth + Storage + Realtime) on eu-central-1 (Frankfurt) and Vercel application hosting on fra1 (Frankfurt). All primary customer + venue data stays inside the EU/EEA at rest. Some sub-processors (notably Anthropic and OpenAI) may process data in the United States under Standard Contractual Clauses (SCCs) signed as part of our DPAs with them; the Subprocessors list names each one with its region and legal-transfer basis.
If you are in the UK, Switzerland, or another jurisdiction with adequacy considerations, those same SCCs plus the UK Addendum or Swiss equivalent are in place.
8. Your rights
Under GDPR (and comparable laws such as UK GDPR, CCPA, LGPD), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to be forgotten"), subject to legal retention obligations.
- Port your data to another provider in a machine-readable format.
- Object to processing based on legitimate interest.
- Restrict processing while a dispute is resolved.
- Withdraw consent at any time (where consent is the legal basis).
- Complain to your local data-protection supervisory authority.
To exercise any of these, email privacy@excuseme.pro with the data subject's identity and the request. We respond within 30 days (GDPR limit) or sooner.
Self-service for Guest Users (signed in for loyalty):
- Download my data (Article 15 — access) — open the account sheet in any ordering flow and tap Download my data. We queue a request and email you a download link by the next morning. The link expires in 7 days. The ZIP contains a structured JSON bundle plus per-table CSVs (orders, loyalty ledger, chat sessions, QR scans) and a README explaining each file.
- Erase my data at this venue (Article 17 — right to be forgotten) — same account sheet, Erase my data at this venue button. The action is scoped to the venue you're currently ordering at; your data at other venues is unaffected, and your ExcuseMe account stays active. We process the erasure overnight and email a confirmation. Your past orders are anonymised (kept as fiscal records, but with your identity removed); your loyalty balance and AI chat history at this venue are deleted. The action is permanent. If you have active orders or open tabs at the venue, please complete or cancel them before requesting erasure.
Admin Users can export tenant-level reports from /api/loyalty/export
or delete their account from the settings page.
9. Security
We apply industry-standard safeguards:
- Encryption in transit — every connection uses TLS 1.2+.
- Encryption at rest — database, object storage, and backups are encrypted by the cloud provider.
- Row-level security — the database enforces per-tenant and per-role isolation on every read.
- Access control — employee access to production data is scoped to on-call duties and audited. Customer-support access requires an explicit customer-consented "impersonation" session.
- Incident response — we notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach where required, and notify affected data subjects directly when required by applicable law.
No system is 100% secure; use strong passwords and don't share credentials.
10. Children
ExcuseMe is designed for adult hospitality venues and their adult customers. We do not knowingly collect data from anyone under 16 years of age (the GDPR default for valid consent in the markets we operate in; member states may set the threshold lower, but we adopt 16 for cross-jurisdiction consistency). If you believe a minor has provided us data, contact us and we will delete it. Where a venue serves alcohol or other age-restricted products, the venue is responsible for verifying the customer's age at the point of order acceptance — ExcuseMe does not perform age verification.
11. Cookies and similar technologies
See our Cookie Policy for more detail. The short version: ExcuseMe runs without a cookie consent banner on the customer ordering flow because we use only necessary storage there, and we do not currently use analytics, tracking, or advertising cookies. If a future change adds non-necessary storage, we will provide an appropriate consent mechanism.
You can review and revise your preferences any time from Privacy preferences in the customer account sheet, which opens the Cookie Policy in a new tab.
12. Changes to this policy
We may update this policy from time to time. Material changes (expansions of what we collect, new sub-processors handling sensitive data, new purposes) will be communicated to Admin Users by email at least 30 days before they take effect.
The effective date at the top reflects the current version. A
full version history is kept in the public repository at
doc/public/legal/privacy-policy.md.
13. Contact
- General privacy enquiries: privacy@excuseme.pro
- Legal / data-subject requests: privacy@excuseme.pro (we have not appointed a DPO — see §1)
- Postal: EXCUSEME DOO NIŠ, Stanoja Bunuševca 73, Niš, Serbia.