Last updated: 2026-03-11

Privacy Policy for the Hungry Eyes Platform

Effective date: March 11, 2026

This Privacy Policy describes how personal data is processed in connection with the use of the Hungry Eyes platform. This document is prepared with a view to compliance with the GDPR and Polish laws governing personal data protection and privacy in electronic services.

1. General provisions

1.1. This Privacy Policy sets out the rules for processing personal data of Platform Users and Guests visiting a Restaurant's public menu.

1.2. The Platform operates at https://hungryeyes.ai and is a web application available through an internet browser.

1.3. The Platform does not use data for behavioural marketing or retargeting and does not sell personal data to third parties.

1.4. The Platform is not directed to persons under 16 years of age and the Controller does not knowingly intend to process children's data. If a parent or legal guardian becomes aware of the processing of a child's data, they are requested to contact the Controller.

2. Data controller and contact details

2.1. The controller of personal data processed in connection with the Platform is:

Controller details
Name: MAREK OMIOTEK
Legal form: sole proprietorship
Address: ul. Willowa 9A/26, 23-400 Biłgoraj, Poland
Tax ID (NIP): 9182102974
Registration number (KRS/CEIDG): entered in CEIDG
Contact e-mail: [email protected]
Platform address: https://hungryeyes.ai

2.2. For matters concerning personal data protection, the Controller may be contacted at: [email protected].

2.3. If the Controller appoints a Data Protection Officer, the DPO's contact details will be published on the Platform or provided in another appropriate manner.

3. Who the application is for

3.1. This Policy applies in particular to Users, meaning restaurateurs who register an Account and use the Dashboard, and to Guests visiting the public menu via link or QR code.

3.2. The Platform does not require Guests to create an account or provide directly identifying data such as a name, e-mail address, or payment details, unless a future functionality requires it and is described separately.

4. What data we process

4.1. In relation to Users, the Controller may process in particular the following categories of data:

  • Account data: e-mail address, password in hashed form, language preference,

  • Restaurant data: name, description, address, phone number, e-mail, opening hours, Google Maps link, identifier (slug),

  • Branding: logo, hero image, or a selected preset graphic,

  • Payment and Subscription data: Stripe identifiers, subscription status, plan, cycle, and billing period dates,

  • Technical and security data: IP address, browser identification (User-Agent), timestamps,

  • Legal acceptance records: version of the Terms and Privacy Policy, IP address, User-Agent, date and time of acceptance.

4.2. In relation to Guests, the Controller may process limited technical data and pseudonymised device identifiers, in particular the device fingerprint, bucketed User-Agent, IP address, normalised referrer, and the source parameter provided in a QR code.

4.3. Analytics events may include, among other things, QR code scans, menu item views, and menu item likes, associated with a pseudonymised device identifier and timestamp.

4.4. Providing personal data is voluntary, but necessary to create an Account and use Platform functionality that requires such data. Failure to provide data required for Registration or for the provision of a given Service prevents the creation of an Account or the use of relevant Platform functionality.

5. Where the data comes from

5.1. User data comes primarily directly from the User, who provides it during Registration, Account configuration, maintenance of the Restaurant profile, and use of paid Platform functionality.

5.2. Technical, security, and audit data may be collected automatically when using the Platform, including from the browser, device, network layer, and security or monitoring systems.

5.3. Subscription and payment data may also come from external payment service providers, in particular Stripe, to the extent necessary for performance of the Agreement and settlements.

6. Purposes and legal bases for processing

6.1. The Controller processes personal data for the following purposes and on the following legal bases:

  • account creation, e-mail verification, authentication, and session maintenance - Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (security),
  • onboarding and management of the Restaurant profile, publication of the digital menu, and generation of QR materials - Art. 6(1)(b) GDPR,
  • handling of Subscription, settlements, and payments - Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR where required by accounting or tax obligations,
  • contact, handling of enquiries and complaints, and transactional communication - Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR,
  • security, abuse prevention, audit logs, and logs - Art. 6(1)(f) GDPR,
  • recording acceptance of the Terms and Privacy Policy - Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR,
  • internal analytics of public menu usage and reporting statistics to the User - Art. 6(1)(f) GDPR,
  • error monitoring and service stability - Art. 6(1)(f) GDPR,
  • establishment, pursuit, or defence of claims - Art. 6(1)(f) GDPR.

7. Data recipients and subprocessors

7.1. Data may be transferred to service providers supporting the operation of the Platform under appropriate agreements, in particular providers of infrastructure, hosting, authentication, payments, e-mail delivery, and error monitoring.

7.2. The current list of main providers includes, in particular, Supabase, Stripe, DigitalOcean, Cloudflare, Resend, and Sentry.

7.3. The Controller does not sell personal data to third parties.

8. Transfers outside the EEA

8.1. Due to the use of global service providers, data may be transferred outside the European Economic Area.

8.2. The Controller applies compliance mechanisms provided for by the GDPR, in particular Standard Contractual Clauses (SCCs) and, where required, additional safeguards.

8.3. Upon request, the Controller may provide a description of the safeguards applied, to the extent permitted by law.

9. Storage of information on the device and tracking technologies

9.1. The Platform uses cookies and similar technologies to ensure the operation of the Service, maintain sessions, and conduct internal statistics.

9.2. The Controller does not use external tracking tools such as Google Analytics or Facebook Pixel and does not use marketing cookies.

9.3. The Platform may use, in particular, Supabase authentication cookies, the NEXT_LOCALE cookie to remember language preferences, and the he_device_id cookie for internal analytics and like restrictions.

9.4. Users or Guests may manage cookies in their browser settings. However, blocking necessary cookies may make it difficult or impossible to use the Dashboard.

10. Device permissions

10.1. Standard use of the Platform does not require granting special device permissions such as continuous access to location, contacts, or microphone.

10.2. If the User voluntarily uses browser or operating system functionality related to selecting and uploading files, access to those resources takes place in accordance with the device settings, browser settings, and the User's decisions.

11. Notifications

11.1. The Controller may send the User e-mails related to performance of the Agreement, including messages concerning Account verification, security, payments, Subscription status, changes to legal documents, and handling of support requests.

11.2. The Platform does not send marketing push notifications or device-level alerts to Guests and Users unless such functionality is separately introduced and described in the future.

12. Account deletion and data retention

12.1. The User may delete the Restaurant profile via functionality available in the Dashboard. Deletion of the Restaurant profile is not the same as automatic deletion of the User's Account in the Platform's authentication system.

12.2. To close the Account, the User should contact the Controller from the e-mail address assigned to the Account. The Controller may verify the identity of the requesting person if necessary for data security or abuse prevention.

12.3. Account data and Restaurant data are stored for the duration of the Account and for up to 30 days after its deletion, unless longer retention is necessary to establish, pursue, or defend claims or results from legal obligations.

12.4. Files such as logos and photos are generally stored for a period corresponding to the retention of Account data.

12.5. Payment documentation is stored for the period required by tax and accounting laws, generally for 5 years from the end of the tax year.

12.6. Legal acceptance records may be stored for the period necessary to demonstrate compliance with legal obligations and to defend against claims.

12.7. Analytics data and pseudonymised identifiers may be stored for the period necessary to ensure the proper operation, development, and reporting of the Platform, taking into account data minimisation principles.

13. User rights

13.1. The data subject has the rights provided for in the GDPR, in particular the right of access to data, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interest, and withdrawal of consent where processing is based on consent.

13.2. Requests concerning the exercise of rights may be submitted to: [email protected].

13.3. The Controller will respond without undue delay and no later than within 30 days of receiving the request, unless the law provides for the possibility of extending that period.

13.4. A data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

14. Data security

14.1. The Controller implements appropriate technical and organisational measures to protect data, including in particular TLS/HTTPS encryption, password hashing, access control, tenant isolation at the database level, infrastructure protection, and solutions supporting incident detection and handling.

14.2. Access to data is limited to authorised persons and providers acting under agreements and only to the extent necessary to perform their tasks.

14.3. The Controller strives for data minimisation and regularly analyses risks related to processing.

15. Automated decision-making and profiling

15.1. The Platform does not carry out profiling or automated decision-making producing legal effects or similarly significantly affecting data subjects within the meaning of Article 22 GDPR.

16. Changes to this Privacy Policy

16.1. The Controller may amend this Privacy Policy, in particular in the event of changes in law, technology, Platform functionality, or service providers.

16.2. The Controller will notify Users of planned changes by e-mail at least 14 days before they take effect, where possible. The current version is always available on the Platform.

17. Contact

17.1. In matters concerning this Privacy Policy, the Controller may be contacted at: [email protected].