Skip to content

Privacy Policy

Last updated · v2026-07-13 · 2026-07-13

VexaServe operates the VexaServe platform at https://vexaserve.com. This Privacy Policy explains what personal data we process, where it comes from, why we process it, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR) and applicable ePrivacy laws.

For some activities we act as an independent data controller. For data we process on behalf of a business customer, we may act as a processor, as described below, in the Terms of Service, and in the applicable data-processing terms.

1. Who we are

Platform operator and controller for our own processing: VexaServe.

Registered address: [REGISTERED ADDRESS] · Company registration number: [COMPANY REGISTRATION NUMBER] · VAT / Tax ID: [VAT / TAX ID]

You can reach us through the contact page at https://vexaserve.com/en/contact or from within your account.

No separate Data Protection Officer is appointed; data-protection requests are handled through the contact above.

2. Our role and the role of business customers

VexaServe acts as an independent controller for account administration, subscriptions and billing, security, abuse prevention, operational analytics, service improvement, legal compliance, finance administration and our own business operations.

When a business customer configures, collects or processes Member, Guest, customer, staff or end-user data for its own business purposes through the platform, that business is responsible for its legal basis, notices, consents, marketing rules, retention periods and obligations toward data subjects.

Where we process that data on behalf of the business as a processor, we act only on the business customer's documented instructions and the applicable data-processing terms. If a business exports data or connects it to third-party services for its own purposes, the business remains responsible for that use.

3. Sources of personal data

We receive personal data from the following sources:

  • Directly from you when you create an account, use the platform, scan a QR code, enrol in a loyalty program, submit a review, place an order or reservation, or contact us.
  • From business customers, staff, agency users or partners when they invite users, lawfully import customer lists, configure programs or serve customers.
  • From devices, browsers and technical systems, such as cookies, logs, push tokens, session identifiers, IP addresses and security signals.
  • From the platform providers currently used by us and from services a business customer lawfully chooses to connect, only when the relevant feature is enabled.

4. What data we process

Depending on your role and the features used, we process the following categories of personal data:

  • Account, identity and access data: name, email, phone, sign-in credentials, role, permissions, invitation status, team, tenant, location and access audit records.
  • Business and billing data: legal name, trading name, VAT/tax ID, company registration number, address, billing details, contact details, subscription plan, invoices and email or domain settings.
  • QR, catalogue, service, order and reservation data: customer details, items, quantities, notes, preferences, dates, times, locations, order/reservation status, receipts, amounts, taxes and related operational metadata.
  • Loyalty and membership data: membership, points, stamps, member class, preferred language, consents, preferences, campaigns, rewards, challenges, wallet passes, push tokens and interaction history.
  • Referral data: referral codes and links, attribution sessions, public landing and code-entry interactions, referral source and reward-history records, status history, fraud/abuse signals and retention metadata.
  • Purchase and item-preference data: items purchased from QR orders or scanned receipts, used to derive preferences, personalised rewards, eligible segments and aggregate insights.
  • Payments and subscriptions: amounts, currency, payment status, transaction identifiers, limited card details such as last 4 digits when supplied by a payment provider, receipts, invoices, charges, refunds and tax details.
  • Reservation card-on-file data: where a venue requires it, a saved card credential held against a reservation (card brand, last 4 digits, expiry and a payment-provider reference — never the full card number) used only to charge a later no-show or cancellation fee under the venue's reservation policy.
  • Reviews, communications and support: review content, messages, contact email, communication preferences, support requests, replies and related metadata.
  • Device, security and log data: IP address, user agent, locale, timezone, cookies, identifiers, security events, error logs, audit logs, anti-abuse signals and technical diagnostics.
  • Files, imports and exports: CSV or other files uploaded by authorised users, images, logos, receipts, attachments and file metadata.
  • Staff benefit eligibility data: where a workspace links an employee's staff account to their loyalty membership to grant shift-limited staff benefits, the employment link and the employee's work-schedule times (weekday and time windows), used only to determine whether a staff benefit applies during the employee's rostered shift.

5. Special-category data and free text

The platform is not designed for systematic collection of special-category data, such as health data, biometric data, political opinions or religious beliefs. You must not upload such data unless it is necessary, lawful and supported by an appropriate legal basis and notice.

Some free-text fields, such as order notes, reservation notes, review text or support messages, may contain allergy, safety or other sensitive details. We process that content only to provide the relevant feature, maintain safety and compliance, or follow the business customer's instructions.

6. Purposes and legal bases

We process personal data on the following legal bases, depending on context:

  • Performance of a contract: creating and operating accounts, providing access to the platform, subscriptions, payments, orders, reservations, loyalty programs, support and requested features.
  • Referral processing: recording invite-code attribution, preventing abuse, linking a referral to signup or later qualifying activity, showing referral reward history, and operating referral rewards configured by the business customer.
  • Legitimate interests: security, fraud and abuse prevention, audit logs, debugging, service availability, internal reporting, product improvement, protection of rights and business continuity.
  • Consent: non-essential cookies, analytics/advertising tracking, web push where required, direct marketing communications and specific tenant-configured connections that rely on consent.
  • Legal obligation: tax and accounting records, lawful requests, and compliance with consumer, commercial, tax or other applicable laws.
  • Controller instructions: when we act as processor for a business customer, we process personal data for the purposes and on the instructions of that business, under the applicable data-processing terms.
  • Staff benefit eligibility: processing the employment link and work-schedule times to operate employer-configured staff benefits rests on the performance of the employment relationship and the legitimate interest of the employer and the workspace in administering staff benefits; it is not based on employee consent.

7. Personalisation and automated processing

The platform may calculate segments, preferences, reward eligibility, member status, reports, suggestions and operational signals based on real interactions, consents and business settings.

We do not use the platform for decisions based solely on automated processing that produce legal or similarly significant effects for you.

8. Who we share data with

We share personal data only where necessary for the purposes described in this Policy:

  • With business customers, authorised staff and agency users within the tenant, location, role and permission boundaries that apply to them.
  • With service providers and subprocessors that host, secure, deliver, support, analyse or process the platform for us.
  • With payment providers, banks, accounting or tax providers and authorities where needed for payments, invoices, taxes, compliance or dispute handling.
  • With third-party services enabled or connected by a business customer, where that business is responsible for the specific connection and processing.
  • With professional advisers, insurers, lawyers, auditors, buyers or successors in connection with a corporate transaction, reorganisation or legal claim.
  • With public authorities, courts or third parties where required by law or necessary to protect rights, safety or service integrity.

9. Current subprocessors and providers

The core subprocessors and providers we currently use to operate the platform are:

  • Supabase for database, authentication, storage, realtime and server-side platform functions.
  • Railway for hosting, deployment, runtime, networking, logs and custom domains.
  • Stripe for subscriptions, cards, payments, invoices, webhooks, charges, refunds and related financial metadata.
  • Stripe Connect for referral payout account onboarding, connected-account operations and related payout metadata.
  • Cloudflare Turnstile for bot, abuse and automated public-submission protection.
  • Sentry for crash reports, diagnostics, performance and debugging.

10. Services chosen by business customers

Each business customer may enable or connect its own third-party services. When it does so, the business is responsible for having the legal basis, notice, consent and contractual coverage required for those services.

We do not present those services as current platform subprocessors unless they are actually used in production. Before a new provider processes personal data on our behalf, this Policy and the relevant contractual coverage must be updated.

If you use the platform as a member, guest or customer of a business, that business's privacy notices may also apply. This Policy explains our own processing and how we support the business through the platform.

11. International transfers

Some providers and connected services may process data outside Greece, the European Union or the European Economic Area. Where such transfers occur, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, supplementary technical/organisational measures or other mechanisms recognised by applicable law.

Business customers that enable their own third-party services or exports are responsible for checking whether those connections involve international transfers and applying the corresponding safeguards.

12. Cookies, analytics and tracking

We use essential cookies and similar technologies for login, security, routing, language, sessions, preferences and core platform operation.

Non-essential analytics or advertising tags are enabled only where configured by the business and permitted by the applicable consent or privacy setting. You can manage or withdraw consent through the banner or available settings. The Analytics category is optional and disabled by default; there are currently no app-owned cookies in the Analytics category.

Strictly necessary cookies shown in cookie preferences

NameProviderPurposeExpiry
nq_consentVexaServeStores your cookie consent choice1 year
NEXT_LOCALEVexaServeStores your selected language1 year
nq_active_locationVexaServeStores your active location preferenceSession
sb-*-auth-tokenSupabaseKeeps your secure session activeSession
cf_*CloudflareSupports bot and abuse protection checks30 minutes

13. Payments and payment providers

We do not store full card numbers. Payments, cards, 3D Secure, refunds, disputes and related data are processed by Stripe for the current payment and subscription flows.

Payment providers may act as independent controllers for some activities, such as fraud prevention, regulatory compliance, anti-money-laundering controls, reporting and payment administration. Their own privacy policies and terms may apply alongside ours.

Where a venue requires it, a card credential may be saved against your reservation so that a no-show or late-cancellation fee can be charged later, when you are not present, in line with the venue's reservation policy that you accept at booking. We retain only limited card descriptors (card brand, last 4 digits and expiry) and a payment-provider reference — never the full card number — and this saved credential is removed or revoked once the fee window has passed or the reservation is completed without a fee. The legal basis is performance of the reservation contract and our and the venue's legitimate interest in enforcing the reservation policy. This card credential is processed by the same payment providers listed above and adds no new sub-processor.

14. Data retention

We keep personal data only for as long as necessary for the processing purposes, the service relationship, the business customer's instructions, tenant retention settings, security, dispute resolution and legal obligations.

  • Account and tenant data is usually kept while the account or contract remains active and for a reasonable period afterward for compliance, security and finance administration.
  • Tax, accounting, invoice and payment data is kept for the periods required by law.
  • Audit logs, security logs, anti-abuse signals and technical diagnostics are kept for limited periods needed for security, investigation, debugging and compliance.
  • Member, loyalty, campaign, order, reservation and review data may be subject to the business customer's retention settings or the business's legal obligations.
  • When data is no longer needed, we delete, anonymise or restrict it unless further retention is required or permitted by law.

15. Security

We use technical and organisational measures designed to protect personal data, including access controls, tenant isolation, RLS, server-side authorisation, audit logging, encryption in transit, secure secret handling, bot/abuse protection, monitoring and permission checks.

No service can guarantee absolute security. If we identify a personal-data incident, we will assess the risk and notify competent authorities, business customers or affected individuals where required by applicable law.

16. Your rights

Depending on our role and applicable law, you have rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent and lodging a complaint with a supervisory authority.

In Greece, the competent supervisory authority is the Hellenic Data Protection Authority. You may also contact the supervisory authority where you live or work.

17. How we handle rights requests

You can submit a request using the contact details in this Policy or, where available, from within your account. We may need to verify your identity and the context of the request.

If your request concerns data controlled by a business customer, we may refer you to that business or work with it to respond according to its instructions and obligations. Withdrawal of consent does not affect processing that was lawful before withdrawal.

We respond to privacy rights requests and handle personal-data incidents within the timeframes required by applicable law.

18. Marketing and consent

Accepting this Privacy Policy is required to create an account or enrol in a program where personal-data processing is needed. Consent to marketing or promotional communications is optional, separate and may be withdrawn at any time.

Marketing consent is recorded separately for each business you enrol with. Opting in to one business's communications does not opt you in to another. Email, push or external-channel campaigns are sent only where there is suitable consent or another lawful basis and the business settings allow it.

19. Children

The platform is intended for business users who are at least 18 years old and is not directed at children. Where business customers use customer-facing features involving minors, they are responsible for having the required legal basis, notices, and parental consent or authorisation where required by applicable law.

20. Changes to this policy

We may update this Privacy Policy for changes to the service, providers, purposes, law or our practices. Each version carries a version number and effective date. For material changes, we may notify you through the platform, by email or another reasonable method and, where required, ask for a new acceptance or consent.

21. Contact

You can reach us through the contact page at https://vexaserve.com/en/contact or from within your account.

No separate Data Protection Officer is appointed; data-protection requests are handled through the contact above.