This Privacy Policy ("Policy") explains how EasyLounge ("EasyLounge", "we", "our", or "us") collects, uses, shares, and protects personal data when you use the easylounge.io platform and any related websites, progressive web app, dashboards, APIs, and services (collectively, the "Services"). It also describes how we comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and equivalent data-protection laws of the European Economic Area (EEA), the United Kingdom, and Switzerland where applicable.
EasyLounge is a service operated by SIR PATRYK PEAS, ul. Długa 57c/45, 53-633 Wrocław, Poland (NIP / VAT: PL8982147972), who is the data controller for the processing described in this Policy where EasyLounge acts as controller.
By using the Services, you acknowledge that you have read and understood this Policy. This Policy is incorporated by reference into our Terms of Service. If you do not agree with this Policy, you must stop using the Services.
We may revise this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Services or by email. Continued use of the Services after a change constitutes acceptance of the revised Policy.
1. Roles — Controller and Processor
EasyLounge plays two different roles depending on the type of personal data involved:
(a) Controller. EasyLounge acts as the controller of personal data relating to:
- Account holders, administrators, and employees of Lounge Operators who register for or directly interact with the Services;
- Website visitors and prospective customers;
- Personal data processed for our own purposes (billing, security, fraud prevention, analytics, marketing of our own Services, legal compliance).
(b) Processor. Where a Lounge Operator uploads or generates Customer Data within the Services relating to its own employees, guests, or third parties, the Lounge Operator is the controller of that data and EasyLounge acts as a processor on the Lounge Operator's behalf, in accordance with the data-processing terms (or Data Processing Agreement, where applicable) entered into between EasyLounge and the Lounge Operator. In that role, EasyLounge processes such data only on the Lounge Operator's documented instructions and for the purposes of providing the Services.
This Policy primarily describes processing for which EasyLounge is the controller. Where EasyLounge is a processor, the Lounge Operator's own privacy notice governs the relationship with its data subjects.
2. Information We Collect
We collect personal data that you provide directly, data that is generated through your use of the Services, and limited data from third parties.
2.1 Information You Provide
- Account and contact details: name, email address, business/venue name, role, and login credentials.
- Venue information: opening hours, menu and product items, pricing, images, descriptions, and other content you upload.
- Billing information: handled by our payment processor, Stripe. Payment card data, billing address, VAT/tax identification number, and invoices are collected and stored by Stripe — not on our servers. We retain only your Stripe customer and subscription identifiers and your subscription status (plan, trial and renewal dates) needed to operate your account.
- Communications: support requests, survey responses, feedback, and other correspondence you send to us.
2.2 Information Collected Automatically
When you use the Services, we automatically collect:
- Device and technical data: IP address, device identifier and hardware label (recorded when a kiosk or tablet is enrolled), operating system, browser type and version, language and time-zone settings, and server/diagnostic logs.
- Usage data: pages viewed, feature usage, action timestamps, performance metrics, and error events (collected through our analytics and performance-monitoring providers).
- Cookies and similar technologies: as described in Section 9 below.
2.3 Location Data
We do not operate a map or venue-finder feature and do not collect precise GPS location from your device. When a kiosk or tablet is enrolled to a venue, we record an approximate location (city, region, and country) derived from the device's IP address via our hosting/edge provider. This is shown to the account owner as a security signal so they can recognise where a device was enrolled. We do not track ongoing device location.
2.4 Information from Third Parties
If you choose to sign in using a third-party identity provider, where such an option is offered, we receive limited profile data (such as name, email, and provider identifier) in accordance with your authorization. We may also receive information from payment processors, hosting providers, fraud-prevention services, and analytics providers in connection with the operation of the Services.
2.5 Biometric Data — Staff Face Check-In (Optional)
Where a Lounge Operator enables the optional face check-in feature, the Services process facial-geometry data in the form of a numerical "face descriptor" — a mathematical representation derived from a staff member's face — to recognise enrolled staff when they clock in and out at the venue kiosk. Because it is used to uniquely identify an individual, this is biometric data and a special category of personal data under GDPR Article 9.
- Controller and processor. The Lounge Operator decides whether to enable face check-in and who to enrol. The Lounge Operator is the controller of staff biometric data and EasyLounge acts as a processor on its behalf. EasyLounge does not use face descriptors for any purpose other than providing this feature.
- Legal basis. Biometric data is processed only on the basis of the enrolled person's explicit consent (Art. 9(2)(a)) or another valid Article 9 condition that the Lounge Operator is responsible for establishing under its local law. Enrolment is optional and a non-biometric alternative (PIN check-in) is always available.
- What we store. We store the numerical descriptor and an optional label. We do not retain the camera image used to generate it; the descriptor is computed on the device and only the descriptor is transmitted to us.
- Retention and erasure. Descriptors are retained until the Lounge Operator deletes them (the team admin includes a "Delete face data" action) or the staff member is removed. Withdrawing consent or deleting the descriptor stops all face matching for that person.
2.6 Children's Data
The Services are intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, please contact us at support@easylounge.io and we will take appropriate steps to delete it.
3. Purposes and Legal Bases for Processing
Under the GDPR, we process personal data only where we have a lawful basis. The legal bases on which we rely are set out below.
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Creating and managing your Account, providing the Services, and supporting you | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing Subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional messages (verification codes, password resets, billing notices, security alerts) | Performance of a contract (Art. 6(1)(b)) / legal obligation (Art. 6(1)(c)) |
| Maintaining security, preventing fraud, abuse, and unauthorized access | Legitimate interests (Art. 6(1)(f)) |
| Improving and developing the Services, analytics, debugging | Legitimate interests (Art. 6(1)(f)) |
| Marketing our own Services to existing customers | Legitimate interests (Art. 6(1)(f)) — you can object at any time |
| Marketing to prospects and non-essential cookies / analytics | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| Operating the optional staff face check-in (biometric identification), where a Lounge Operator enables it | Explicit consent (Art. 9(2)(a)) or another Art. 9 condition the Lounge Operator is responsible for establishing; the underlying feature is provided under Art. 6(1)(b) |
| Complying with legal, regulatory, accounting, and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Legitimate interests / legal claims (Art. 6(1)(f), Art. 9(2)(f)) |
Our legitimate interests are limited to what is reasonably necessary to operate, secure, and improve the Services, and we balance them against your rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 8).
4. How We Use Personal Data
We use personal data to:
- Operate, maintain, secure, and improve the Services;
- Register and authenticate Accounts and manage access controls;
- Process payments, generate invoices, manage Subscriptions, and handle refunds where required;
- Provide customer and technical support;
- Communicate with you about your Account, the Services, security incidents, policy updates, and (where lawful) news and promotions;
- Analyze usage, conduct research, generate aggregated or anonymized statistics, and develop new features;
- Detect, prevent, investigate, and respond to fraud, abuse, security incidents, and breaches of these Terms;
- Comply with legal obligations, including tax, accounting, anti-money-laundering, and lawful requests from authorities;
- Establish, exercise, or defend legal claims.
We will not use personal data for materially different purposes without notifying you and, where required, obtaining your consent.
5. Sharing of Personal Data
We do not sell personal data. We share personal data only as set out below.
5.1 Service Providers (Sub-Processors)
We share personal data with carefully selected third-party providers that help us operate the Services. These include:
- Hosting, database, and authentication — Supabase and Vercel (cloud hosting, Postgres database, authentication, real-time sync, CDN);
- Payment processing — Stripe;
- Transactional email — Resend, and our authentication provider's email delivery;
- Push notifications — the browser/operating-system push services used to deliver kiosk order alerts;
- Bot protection — Cloudflare Turnstile (protects sign-up and sign-in forms);
- Analytics and performance monitoring — Vercel Analytics and Vercel Speed Insights;
- Professional advisers — legal, accounting, audit, or insurance advisers where reasonably necessary.
Each sub-processor is bound by written contractual obligations consistent with GDPR Article 28, including confidentiality, security, sub-processing controls, and assistance with data-subject rights. A current list of sub-processors is available on request via support@easylounge.io.
5.2 Business Transfers
If EasyLounge is involved in a merger, acquisition, financing, reorganization, asset sale, bankruptcy, or similar transaction, personal data may be transferred as part of that transaction, subject to standard confidentiality protections and applicable law. We will notify affected users where required.
5.3 Legal Obligations and Protection of Rights
We may disclose personal data where we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, court order, subpoena, or other legal process;
- Cooperate with law enforcement, regulators, or governmental authorities;
- Enforce our Terms of Service or other agreements;
- Protect the rights, property, safety, or security of EasyLounge, our users, or the public;
- Detect, prevent, or otherwise address fraud, security, or technical issues.
5.4 With Your Direction
We may share personal data with third parties where you explicitly direct us to do so (for example, when you connect a third-party integration to your Account).
6. International Data Transfers
EasyLounge is operated from within the European Economic Area (EEA), and our primary database and hosting are located in Switzerland. Switzerland benefits from a European Commission adequacy decision, so transfers of personal data to Switzerland do not require additional safeguards. Certain other sub-processors (for example, payment, email, analytics, and bot-protection providers) may process limited personal data outside the EEA, including in jurisdictions that have not been recognized by the European Commission as providing an adequate level of data protection.
Where we transfer personal data outside the EEA / UK / Switzerland, we implement appropriate safeguards in accordance with applicable law, including:
- European Commission adequacy decisions, where available;
- Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where necessary;
- UK International Data Transfer Agreement / Addendum for UK data, where applicable;
- Derogations under GDPR Article 49, where strictly applicable.
You may request a copy of the relevant transfer mechanisms by contacting support@easylounge.io.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, regulatory, tax, or reporting obligations. In particular:
- Account data — retained while your Account is active and for a reasonable period thereafter to handle wind-down, disputes, or restoration requests;
- Billing, invoicing, and payment data — we do not store this on our own systems; it is held by Stripe under its own terms and retention practices. We keep only the Stripe customer/subscription identifiers and your subscription status, retained while your account is active and for a reasonable period thereafter. Any accounting records we are legally required to keep are retained for the period required by Polish tax and accounting law;
- Support communications — retained for as long as necessary to resolve the matter and for a reasonable period thereafter for audit and quality purposes;
- Security, audit, and access logs — retained for the period necessary to maintain platform security and investigate incidents;
- Marketing data — retained until you object or withdraw consent;
- Anonymized and aggregated data — may be retained indefinitely as it no longer identifies any individual.
When the retention period expires, personal data is securely deleted, destroyed, or irreversibly anonymized.
8. Your Rights Under the GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights in respect of personal data we process about you as a controller:
- Right of access (Art. 15) — obtain confirmation that we process your personal data and a copy of that data;
- Right to rectification (Art. 16) — correct inaccurate or incomplete data;
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention requirements;
- Right to restriction (Art. 18) — limit how we process your data in certain circumstances;
- Right to data portability (Art. 20) — receive data you provided to us in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller;
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing purposes;
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Right not to be subject to solely automated decision-making (Art. 22) — we do not engage in solely automated decision-making that produces legal or similarly significant effects on you; if this changes, we will inform you;
- Right to lodge a complaint with a supervisory authority — typically the data-protection authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, contact us at support@easylounge.io. We may need to verify your identity before responding. We will respond within one (1) month of receiving a valid request, extendable by a further two months for complex requests in accordance with GDPR Article 12(3). Requests are free of charge unless manifestly unfounded or excessive.
If you are a customer or employee of a Lounge Operator and your data is held in the Lounge Operator's account, you should direct your request to the Lounge Operator, who is the controller of that data. We will assist the Lounge Operator in responding as required by our processing agreement.
9. Cookies and Similar Technologies
The Services use cookies and similar tracking technologies (such as local storage, pixels, and SDKs) to:
- Maintain your session and remember your preferences (strictly necessary — no consent required);
- Measure performance, diagnose errors, and improve the Services (functional / analytics — relies on consent where required);
- Where applicable, deliver marketing content (marketing — relies on consent).
Where required by law, we display a cookie banner allowing you to accept, reject, or manage non-essential cookies. You can also change cookie settings via your browser. Blocking certain cookies may impair the functionality of the Services.
We respect Do-Not-Track (DNT) signals where supported by applicable law and where we are technically able to do so.
10. Security
We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption of data in transit (TLS) and at rest, where appropriate;
- Role-based access controls and the principle of least privilege;
- Network segmentation, firewalling, and intrusion-detection systems;
- Regular security testing, vulnerability scanning, and patching;
- Audit logging and monitoring of administrative actions;
- Employee confidentiality obligations and security training;
- Documented incident-response procedures.
No security measure can guarantee absolute security. You acknowledge that any transmission or storage of data over the internet carries inherent risks. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Articles 33–34.
11. Third-Party Links and Services
The Services may contain links to, or integrate with, third-party websites, applications, and services that are not operated by us. We are not responsible for the privacy practices, content, or security of any third party. We encourage you to review the privacy notices of any third party before providing personal data to it.
12. Marketing Communications
Where permitted by law, we may send you marketing communications about our own Services. You can opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@easylounge.io. This does not affect transactional or service-related communications (such as billing, security, or policy updates), which we must send in order to provide the Services.
13. Automated Decision-Making and Profiling
We do not currently make decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects on you. Any limited automated processing we perform (for example, fraud detection or abuse prevention) is subject to human review before any material adverse action is taken. If this changes, we will update this Policy and provide the disclosures required under GDPR Article 22.
14. Special Categories of Data
Other than the optional staff face check-in described in Section 2.5 — which processes biometric data on the legal basis set out there — we do not request and do not knowingly process special categories of personal data (such as health, racial or ethnic origin, religious beliefs, or political opinions) within the Services. You should not submit such data through the Services. If you believe that special-category data has been inadvertently provided to us, please contact us at support@easylounge.io and we will arrange its deletion.
15. Updates to this Policy
We may update this Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date above;
- Take reasonable steps to notify you, for example by a notice within the Services or by email to the address associated with your Account;
- Where required by law, obtain your consent.
Continued use of the Services after a change becomes effective constitutes your acknowledgement of the revised Policy.
16. Consent
By using the Services, you confirm that you have read this Policy and, where applicable, you provide your consent to the processing of personal data as described herein. You may withdraw any consent given at any time by contacting support@easylounge.io or by using the in-product controls. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal and may limit the functionality of the Services available to you.
17. Contact and Data Protection Inquiries
For any question, concern, or request relating to this Policy, your personal data, or your GDPR rights, please contact:
SIR PATRYK PEAS (operating as EasyLounge) — Data Protection Address: ul. Długa 57c/45, 53-633 Wrocław, Poland NIP / VAT: PL8982147972 Email: support@easylounge.io Website: https://easylounge.io
We are committed to addressing your concerns in good faith and within the timeframes required by applicable law.