TableQR

Data Processing Addendum

Last updated: 7 December 2025

This Data Processing Addendum (“DPA”) forms part of the agreement between:

  • LOGIX360 STUDIO W.L.L, trading as TableQR (“Processor”, “we”, “us”), and
  • The client that uses the TableQR service (“Controller”, “you”).

This DPA applies where we process personal data on your behalf in connection with the TableQR service.

1. Roles and scope

You are the controller of personal data you provide to us or that is collected on your behalf using the service. We are the processor of that personal data.

This DPA describes how we process that data, how we protect it and how we assist you in meeting your obligations under applicable data protection laws.

2. Subject matter, duration, nature and purpose

  • Subject matter: personal data processed in connection with setup, hosting and operation of your digital menus and related services.
  • Duration: from the start of our agreement until we stop processing personal data on your behalf.
  • Nature and purpose: storing, hosting, transmitting and displaying menu related data, providing support and maintenance, monitoring performance and security and generating usage statistics.

3. Categories of data subjects and personal data

Categories of data subjects may include:

  • Your employees, contractors and staff who interact with the service.
  • Your guests who access your menus.
  • Any other individuals whose data you choose to process using the service.

Categories of personal data may include:

  • Contact details of your staff, such as names, business emails and phone numbers.
  • Technical and usage data, such as IP addresses, device types, browser types, dates and times of access and menu pages viewed.
  • Any other personal data you choose to collect from guests through forms or links on your menus.

You are responsible for ensuring that you only process personal data that is necessary and lawful.

4. Instructions

We will process personal data only:

  • On your documented instructions, as set out in the main agreement, this DPA and any additional written instructions you provide, and
  • As required by law, in which case we will inform you unless the law prevents this.

If we believe an instruction from you breaches applicable data protection laws, we will inform you without undue delay.

5. Confidentiality

We will ensure that people who process personal data on our behalf are subject to confidentiality obligations.

6. Security measures

We will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the risks and the nature of the personal data.

Examples may include access controls, encryption in transit where appropriate, logging, backups and regular security reviews.

7. Sub processors

You give us general authorisation to appoint sub processors to support the provision of the service, such as hosting providers, analytics providers and support tools.

We will:

  • Use sub processors that offer sufficient guarantees of appropriate data protection.
  • Enter into written agreements with sub processors that require them to protect personal data to a standard that is no less protective than this DPA.
  • Remain responsible to you for the acts and omissions of sub processors.

We can provide a list of our main sub processors on request and will notify you of significant changes where required by law or by our agreement.

8. Assistance with data subject rights

Taking into account the nature of the processing, we will help you, as far as reasonably possible, to respond to requests from data subjects to exercise their rights, such as access, correction, deletion or objection.

If we receive a request directly from a data subject relating to data we process on your behalf, we will:

  • Inform you without undue delay, and
  • Not respond except according to your instructions or if required by law.

9. Assistance with compliance

We will provide reasonable assistance to help you meet your obligations regarding:

  • Security of processing.
  • Notification of personal data breaches to authorities and data subjects, where required.
  • Conducting data protection impact assessments, where required.
  • Consulting with regulators, where required.

10. Personal data breaches

If we become aware of a personal data breach affecting personal data we process on your behalf, we will notify you without undue delay and provide relevant information that we reasonably have available.

You are responsible for assessing whether to notify authorities or individuals and for making such notifications.

11. International transfers

Where we transfer personal data outside the country or region where it was originally collected, we will do so in compliance with applicable data protection laws and will use appropriate safeguards where required.

12. Return and deletion of data

Upon termination or expiry of the main agreement, or earlier if you request it in writing:

  • We will delete personal data processed on your behalf, or
  • If you request within 30 days of termination, return such data to you in a commonly used format where technically feasible.

We may retain personal data where required by law or where necessary for the establishment, exercise or defence of legal claims, subject to confidentiality and security obligations.

13. Audits and information

On your reasonable request, we will provide information that we have which is necessary to demonstrate our compliance with this DPA.

If that information is not sufficient, you may, at your own cost, conduct or commission an audit of our relevant processing activities, subject to:

  • Reasonable prior notice.
  • A mutually agreed scope.
  • Audits taking place during normal business hours and not unreasonably disrupting our operations.
  • Appropriate confidentiality protections.

14. Precedence

If there is any conflict between this DPA and the main agreement between you and us, this DPA will prevail regarding our obligations in relation to personal data.