GoLoko — Privacy Policy and GDPR

1. Who we are

S.C. Fiddmark Tech S.R.L. (hereinafter "the Provider"), with its registered office in Budureasa, Bihor County, Str. Principală, No. 77, Tax ID 43886386, J20/2100/0325278, is the developer and operator of the GoLoko platform.

E-mail: fiddweb@gmail.com | Phone: 0771 360 134

2. GDPR roles

Under the General Data Protection Regulation (EU) 2016/679 (GDPR), there are three distinct roles within the GoLoko ecosystem:

GDPR role	Who	Responsibility
Data Controller	The Client (the restaurant, bar, café)	Decides what data is collected from End Customers, for what purpose, and on what legal basis. Is directly accountable to data subjects.
Data Processor	S.C. Fiddmark Tech S.R.L. (GoLoko)	Processes data exclusively on behalf of and following the Controller's (the Client's) instructions. Does not use the data for its own purposes.
Data Subject	The End Customer (the person placing the order)	Has the rights provided by GDPR: access, rectification, erasure, portability, objection.

2.1 SaaS vs. Stand-Alone distinction

How data is stored depends on the type of plan chosen:

SaaS plans (Appetizer, Main Course, Feast): Data is stored on the Provider's servers. The Provider has technical access to all data in the Client's account for service delivery, technical support and maintenance. The Provider does NOT use this data for its own purposes and does not sell, rent or share it with third parties.

Stand-Alone license: Data is stored on the Client's own server. The Provider only has access when the Client requests technical assistance or custom development, and exclusively for the duration of the intervention.

3. What data we collect and why

3.1 Client data (the restaurant)

Collected at registration and throughout use:

Data	Purpose	Legal basis
Contact name, phone, e-mail	Communication, invoicing, support	Contract performance
Company name, Tax ID, address, IBAN	Invoicing, proforma generation	Legal obligation + contract performance
Restaurant name, logo, slug	Customizing the platform	Contract performance
Password (stored encrypted, never in plain text)	Authentication	Contract performance

3.2 End Customer data (those who order)

The categories of data collected depend on the chosen plan and on how the End Customer interacts with the Platform.

3.2.1 "Appetizer" plan

On this plan, End Customers can only view the menu shown at the table (after scanning the QR code). Orders are not placed through the Platform; they are placed verbally with the serving staff. Consequently, no personal data of End Customers is collected.

3.2.2 "Main Course" plan

On this plan, End Customers place orders directly from their phone (after scanning the QR code at the table). The categories of data collected are minimal:

Data	Purpose	Legal basis
Table number (taken from the QR code)	Identifying the order and routing it to staff	Contract performance (the order)
Order content and notes	Processing the order	Contract performance
Order history (linked to the session/table)	Record-keeping, analytics, "Add to order"	Legitimate interest of the Client

On this plan, the Platform does not request the End Customer's name, phone, e-mail or other contact details.

3.2.3 "Feast" plan and Stand-Alone license

On these options, End Customers can also place home or office delivery orders, which requires collecting contact details:

Data	Purpose	Legal basis
Name, phone, e-mail	Order processing, delivery contact	Contract performance
Delivery address	Order delivery (delivery orders only)	Contract performance
Order history	Record-keeping, analytics, support	Legitimate interest of the Client

We do not collect financial data (bank cards), biometric data, health data, or any special categories of personal data.

3.3 Ads shown to End Customers on the "Appetizer" plan

On the Free plan, the Platform displays advertising banners interspersed within the product list of the public menu. These ads:

Are not personalized based on data about the End Customer or the Client. All visitors to a menu on the Appetizer plan see the same ads, regardless of their browsing history
Are served by the Provider directly from its own servers, without calls to third-party ad networks
Do not set tracking cookies or retargeting pixels in the End Customer's browser
Can only be measured in aggregate (total number of impressions, total number of clicks), without identifying individual visitors

On the "Main Course" and "Feast" plans and on the Stand-Alone license, no ads are shown to End Customers.

3.4 HoReCa Marketplace (in the Client's admin panel)

The Platform includes a HoReCa marketplace accessible from the Client's admin panel, available on all plans. The marketplace lists products the Client (the restaurant) can buy from partner stores, through affiliate links.

The marketplace is aimed exclusively at the Client (the restaurant), not at End Customers. End Customers do not interact with the marketplace — they do not see it on the public pages of the menu and are not exposed to its associated tracking.

Categories of data processed through the marketplace:

Clicks on product links — recorded with user-agent, IP address, timestamp and the ID of the product accessed, for correct attribution of affiliate commissions and for the Provider's internal reports
The ID of the Client (the restaurant) that accessed the link — for internal reports and to calculate any bonuses or discounts triggered

Third-party sharing on click: when the Client clicks on a marketplace link, they are redirected to a partner store (e.g., Profitshare, eMag, Booking or other affiliate networks). The partner store may set cookies in the Client's browser to attribute the commission. This behavior is standard in affiliate advertising and does not affect the price of the products purchased.

4. Rights of data subjects

Under GDPR, End Customers have the following rights:

Right of access — to find out what data is stored about them
Right to rectification — to request correction of inaccurate data
Right to erasure ("right to be forgotten") — to request deletion of the data
Right to data portability — to receive the data in a structured format (JSON)
Right to restriction — to request limitation of processing
Right to object — to object to processing under certain conditions

4.1 How to exercise these rights

Procedure: The End Customer sends the request to the restaurant (the Client/Controller) they ordered from. The restaurant passes the request on to us. We carry out the request (data export, deletion/anonymization) within a maximum of 30 days of receiving the request.

Reason for this procedure: the Provider is a Data Processor, not a Controller. The End Customer has a direct relationship with the restaurant, not with GoLoko. An End Customer may order from multiple restaurants — only the specific restaurant can identify and manage the relevant data.

Upon deletion, existing orders are anonymized (personal data is removed, but the order record remains — without name, phone or address — for accounting purposes).

5. Data security

The Provider implements appropriate technical and organizational measures to protect data:

Communication exclusively over HTTPS (TLS/SSL)
Encrypted passwords (never stored in plain text)
Protection against CSRF attacks
Rate limiting on authentication attempts
Full data isolation between companies
Periodic backups
Restricted administrative access

6. Sharing data with third parties

We do not sell, rent or share personal data with third parties, except:

The hosting provider — data is stored on servers in the European Union
Payment processors (if integrated by the Client) — payment data is processed directly by the respective processor, it does not transit through GoLoko
Affiliate networks (e.g., Profitshare, eMag, Booking) — exclusively for the HoReCa marketplace feature, only at the moment the Client accesses a marketplace link, and exclusively for affiliate commission attribution (see section 3.4)
Legal obligations — if required by competent authorities, in accordance with the law

7. Data retention period

Data type	Retention
Client account data (restaurant)	For the duration of the subscription + 30 days after termination (for export). Exception: data needed to fulfill legal obligations (invoices) — as per fiscal legislation.
End Customer data	For the duration of the collaboration with the restaurant. On request to delete — immediately (with anonymization of orders).
Accounts downgraded to "Appetizer" (non-payment of SaaS plan)	Data remains indefinitely while the account has activity. After 12 months of complete inactivity, the Client is notified 30 days before the data is permanently deleted.
Suspended accounts (breaches of the Terms)	Data is kept for 90 days after suspension for any disputes. After this interval, it may be deleted with prior notice.

8. International transfers

Data is stored and processed on servers located in Bucharest, Romania (European Union), in the Electromagnetica data center, operated by CHML Web Services through the provider Gazduire.net. We do not transfer personal data outside the European Economic Area. Should such a transfer become necessary in the future (for example, by using third-party services), it will be carried out exclusively on the basis of appropriate safeguards, in accordance with Article 46 GDPR.

9. Data breaches

In the event of a data security breach, the Provider:

Will notify the Client (the Controller) within a maximum of 48 hours of becoming aware of the breach
Will provide all the information required under Art. 33 GDPR
Will take immediate remedial and preventive action

10. Supervisory authority

If you believe the processing of your personal data violates GDPR, you have the right to lodge a complaint with:

The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest
www.dataprotection.ro

11. Contact details for privacy-related matters

S.C. Fiddmark Tech S.R.L.
E-mail: fiddweb@gmail.com
Phone / WhatsApp: 0771 360 134