Request a demo
POS Fast, error-free payments
Digital menu Always up-to-date digital menu
Digital order pad Take orders on mobile, paperless
Order & Pay Guests order and pay from the table
KDS Real-time kitchen display
Reservations Manage tables without phone calls
Website Your professional site in minutes
Analytics Real-time data and reports
Marketing Campaigns to your customer base
Review management Boost your Google rating
Delivery & Takeaway Online orders and pickup
Uber Eats Marketplace integrations
Time tracking Clock-ins and shift records
Tax compliance Verifactu, TicketBAI and invoicing
Burger joints Fast food and smash burgers
Pizzerias Dine-in and delivery service
Kebab shops Fast food and takeaway
Cafés Breakfast, brunch and snacks
Brewpubs Beers, tapas and platters
Pubs Drinks and cocktails
Nightclubs Clubs and party venues
Ice cream shops Artisan ice cream and desserts
Beach bars Beach, terrace and seasonal
Hotels Room service and F&B
Learn
BlogCase studies
About us
TeamPressWork with us
Support
Contact
Español Français English Italiano
Pricing
Language
Español Français English Italiano
Request a demo
Product
To operate
POS Digital menu Digital order pad Order & Pay KDS
To grow
Reservations Website Analytics Marketing Review management
To deliver
Delivery & Takeaway Uber Eats
To manage
Time tracking Tax compliance
Solutions
Restaurants
Burger joints Pizzerias Kebab shops
Bars & cafés
Cafés Brewpubs Pubs
Leisure & seasonal
Nightclubs Ice cream shops Beach bars
Hospitality
Hotels
Resources
Learn
Blog Case studies
About us
Team Press Work with us
Support
Contact

Legal

Privacy Policy

How we collect, use and protect your information when you use Qamarero.

Updated Oct 2025

Privacy — Basic information

FieldInformation
Data ControllerQR PAYMENTS, S.L. — C/ Triana 4, Valencina de la Concepción, 41907, Seville — Tax ID B67982603
PurposeManaging and controlling contractual relationships, advertising (with consent), commercial prospecting on our products and services, recruitment selection processes, delivery of the POS Service and of the Google Business Profile Reviews Module.
Legal basisUnambiguous consent of the data subject; performance of a contract or pre-contractual measures (customers, suppliers, candidates); legitimate interest (business contacts, security); legal obligation (corporate and tax obligations).
RecipientsPublic bodies and authorities; service providers (cloud infrastructure, communications, payment gateways, support); Google (for the Reviews Module). No disclosures other than those foreseen are made without prior notice.
RetentionFor the duration of the contractual relationship and, where applicable, the years needed to fulfil legal obligations, always to the minimum necessary.
RightsAccess, rectification, erasure, objection, portability, restriction and, where applicable, withdrawal of consent. Exercisable at info@qamarero.com.

Extended privacy information

At Qamarero we care about your privacy. In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), we provide the following detailed information on the processing of your data.

1. Who is the Data Controller?

  • Company name: QR PAYMENTS, S.L.
  • Trading name: Qamarero
  • Domain: qamarero.com
  • Registered office: C/ Triana 4, Valencina de la Concepción, 41907, Seville, Spain
  • Tax ID: B67982603
  • Email: info@qamarero.com

2. For which purposes do we process your personal data?

As Controller we process your data only to:

  • Manage and control contractual relationships with our hospitality customers.
  • Respond to queries sent via our contact email and web forms.
  • Carry out commercial prospecting for our hospitality software products and services.
  • Manage recruitment selection processes.
  • Provide technical support and customer service.
  • Operate the POS system and the functionalities of our software.
  • Provide the Google Business Profile Reviews Module, under the terms described in section 6.

We respect the principle of data minimisation, so processing will always be adequate, relevant and limited to what is strictly necessary. No individual automated decisions with legal or similarly significant effects on data subjects under article 22 GDPR will be taken. Without prejudice to the above, Qamarero may apply automated processing of aggregated or analytical nature (e.g. metrics, sentiment classification or reply suggestions within the Reviews Module) that do not produce legal effects nor significantly affect data subjects; the scope is described in section 6.

During the management of orders and reservations through our POS software, Qamarero receives personal data as data processor. To optimise the customer experience and avoid order duplication, our customers authorise us to perform a data cross-reference (solely email and phone number associated with orders).

3. How long will we keep your data?

Personal data provided will be retained for the duration of the contractual relationship or, where applicable, for the minimum and necessary years to comply with the company’s legal obligations, and always for the time strictly necessary for the purpose for which they were collected. The above applies provided that the data subject does not exercise the right to erasure, restriction or cancellation.

Specific retention periods apply to data obtained through Google APIs in the context of the Reviews Module, as described in section 6.

The legal basis for processing your data is:

  • Unambiguous and express consent for marketing and commercial prospecting activities.
  • Performance of a contract for the provision of POS software services and the Reviews Module.
  • Legitimate interest for commercial contacts, online reputation management and security measures.
  • Legal obligation for compliance with tax (Verifactu, TicketBAI) and labour regulations.

5. Who are the recipients of your personal data?

Except for legal obligations and the cases foreseen by current data protection law, we will never transfer your data to third parties for their own processing without informing you beforehand and obtaining your consent.

To provide our services Qamarero relies on a number of providers (processors and sub-processors). For service efficiency reasons some of these providers are located in territories outside the European Economic Area that do not provide a level of protection equivalent to that of the EU. In such cases we transfer your data with appropriate safeguards and always maintaining data security.

Main providers:

  • Email and communication services: sending commercial communications and technical support.
  • Cloud infrastructure providers: secure hosting of our SaaS software.
  • Payment gateways: secure payment processing (without access to full banking data).
  • Technical support tools: ticket management and customer service.
  • Communication services (WhatsApp, SMS): support and service notifications.
  • Google LLC: Google OAuth 2.0 and Google Business Profile API services, used for authentication and reviews management in the Reviews Module (see section 6).

International data transfers.

  • In general, where data are transferred to processors or sub-processors located outside the EEA, those transfers are covered by adequacy decisions of the European Commission, Standard Contractual Clauses (SCCs) approved by the Commission, or any other legally valid mechanism, together with supplementary measures where necessary.
  • In particular, for transfers of data to Google LLC in the USA (Google OAuth and Google Business Profile API), the transfer is covered by Google LLC’s certification under the EU-US Data Privacy Framework (DPF) approved by the European Commission through Implementing Decision (EU) 2023/1795, which provides an adequate level of protection. Additionally and subsidiarily, the transfer is covered by Standard Contractual Clauses (SCCs) signed with Google, applicable in the event of revocation or invalidation of the DPF.

For the management of payments through our POS, we will transfer the necessary data directly to the relevant Payment Service Provider. Qamarero never obtains the full card number or sensitive banking data.

6. Use of data obtained through Google (OAuth and Google Business Profile)

Qamarero uses Google services (Google OAuth 2.0 and Google Business Profile API) to enable secure access to our platform and the management of business profiles on Google.

6.1. Data we receive from Google

When you sign in with a Google account we access:

  • Email address.
  • Name and basic profile information.
  • Unique user identifier (Google ID).
  • Profile picture (if set to public).

If you decide to connect your Google Business Profile with Qamarero, we also access:

  • The locations of your business you have selected (name, address, phone and hours).
  • The reviews your customers leave on Google about those locations (text, rating, author, date and associated images).
  • The responses you publish to those reviews.

6.2. Permissions we request

  • Identify you (email, name and Google profile picture) to create your account and identify you when you enter the platform.
  • Manage your Google Business Profile: read the reviews of your business on Google and publish, edit or delete responses on your behalf.

We only request these permissions. We do not access your email, calendar, contacts, personal photos or any other data of your Google account.

6.3. What we use the information for

Data obtained from Google is used exclusively to:

  • Authenticate you and create or manage your account in Qamarero.
  • Show you the reviews your business receives on Google.
  • Allow you to respond, edit or delete responses to those reviews.
  • Show you metrics and analysis on your own reviews.

We do not use Google data for any other purpose.

For GDPR purposes, Qamarero’s role and the applicable legal basis are specified by purpose:

PurposeQamarero’s roleLegal basis
Customer authentication and identification via Google OAuth (email, name, picture, Google ID)Data ControllerPerformance of contract (art. 6.1.b GDPR)
Functionality of the Reviews Module for the Customer (connection with GBP, viewing, publishing responses, own metrics)Data Controller with respect to the CustomerPerformance of contract (art. 6.1.b GDPR)
Processing of personal data contained in reviews (authors, aliases, profile pictures, text and rating of the opinion, date)Data Processor on behalf of the CustomerProcessing agreement (art. 28 GDPR); the Customer’s legal basis as Controller is legitimate interest in managing its online reputation

Processing as Processor is governed by the corresponding Data Processing Agreement signed between Qamarero and the Customer, which is an integral part of the General Terms of Use.

6.5. Limited use of information (Google API Services User Data Policy)

Qamarero’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, Qamarero:

  • Does not sell, rent or transfer your data to third parties.
  • Does not use your data for advertising or profiling purposes.
  • Does not transfer your data except where strictly necessary to provide the service, comply with a legal obligation, or with your express consent.
  • Does not use your data to train artificial intelligence or machine learning models.
  • Does not allow humans to read your data, except with your express consent, for security reasons, to comply with the law, or in an aggregated and anonymised manner for internal operations.

6.6. Retention and deletion

The specific retention periods applicable to data obtained through Google APIs are as follows:

  • OAuth tokens (access token and refresh token): remain valid and encrypted as long as the Customer keeps the connection active. Upon disconnection of the Reviews Module or revocation of permissions from Google, tokens are revoked and deleted immediately.
  • Cached data for reviews, responses and location information: after disconnection of the Reviews Module they will be kept for a maximum of thirty (30) calendar days to allow the Customer to export them. After that period they will be deleted or securely anonymised.
  • Immediate deletion upon request: the Customer may request the immediate deletion of their data at any time by writing to info@qamarero.com, without waiting for the period above.
  • Aggregated or anonymised statistical data (e.g. counts or metrics without identification of natural persons) may be retained for service improvement purposes, as they are not considered personal data.

6.7. Automated processing and artificial intelligence

In the Reviews Module, Qamarero may apply automated analytical processing on reviews and responses, with the following characteristics and limits:

  • Permitted purposes: calculation of aggregated metrics (volume, average rating, temporal distribution), sentiment classification (positive, neutral, negative), thematic categorisation and suggestion of response drafts for review and manual approval by the Customer.
  • No legal or significant effects: these processings are not automated individual decisions under article 22 GDPR and do not produce legal effects nor significantly affect the data subjects (review authors or Customers).
  • Human intervention: publishing, editing or deleting responses to reviews always requires express approval by the Customer or their Authorized Users. Qamarero does not publish responses in a fully automated manner.
  • No model training: pursuant to Google’s Limited Use Policy, data obtained through Google APIs is not used to train artificial intelligence or machine learning models. AI models used are provided by third parties and operate on the data exclusively during inference (no retention or retraining).
  • Transparency: the Customer may request additional information on the logic applied in automated processings by writing to info@qamarero.com.

6.8. User control and exercise of rights

You can revoke Qamarero’s access to your Google account at any time:

You may also request the deletion of your data by contacting us through the channels indicated in this policy.

Exercise of the remaining GDPR rights (access, rectification, erasure, objection, portability, restriction and complaint before the Spanish Data Protection Agency) shall take place as set out in section 8 of this Privacy Policy. Regarding review authors’ data, where Qamarero acts as Data Processor, requests will be forwarded without delay to the Customer (Data Controller) and Qamarero will assist the Customer in complying with its obligations under article 28.3.e GDPR.

7. Summary table of processing carried out by Qamarero

PurposeData subjectsCategory of dataLegal basis
Commercial prospecting (Newsletter)Business representatives of hospitality establishmentsName, email, industryConsent for new sign-ups; LSSI art. 21 exception for existing customers
Commercial requests (Demo)Business owners interested in our softwareName, email, phone, establishment nameExpress consent
Selection processesPeople interested in working at QamareroPersonal data, professional information, CVExpress consent
POS software customersOwners and staff of establishmentsIdentification data, establishment data, tax dataPerformance of contract
Technical support and customer serviceSoftware usersContact data, technical establishment informationPerformance of contract and legitimate interest
Order management and invoicingEnd customers of establishmentsOrder data, email, phoneProcessor on behalf of the establishment
Google Authentication (OAuth)Platform users signing in with GoogleEmail, name, profile picture, Google IDPerformance of contract (art. 6.1.b GDPR)
Reviews Module (GBP) — CustomerGoogle Business Profile account holdersAccount and location identifiers, public location info (name, address, phone, hours), published responses, encrypted OAuth credentialsPerformance of contract (art. 6.1.b GDPR)
Reviews Module (GBP) — review authorsGoogle review authors about Customer’s locationsPublic name or alias, profile picture, text and rating of the review, date, associated imagesProcessor on behalf of Customer (art. 28 GDPR); Customer’s legal basis as Controller: legitimate interest in online reputation management (art. 6.1.f GDPR)
Automated analytics of the Reviews ModuleCustomers and review authorsAggregated metrics, sentiment classification, thematic categorisation, suggested response draftsPerformance of contract (Customer); processor on behalf of Customer (authors). No automated decisions under art. 22 GDPR

8. What are your data protection rights and how can you exercise them?

Under current data protection law, the rights you can exercise against Qamarero are:

  • Right of access: request information on the personal data we process.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data when no longer necessary.
  • Right to object: object to the processing of your data.
  • Right to portability: receive your data in a structured format to transfer to another controller.
  • Right to restriction: restrict processing in certain circumstances.
  • Right to withdraw consent: in processings based on consent.

To exercise these rights, contact us at info@qamarero.com.

At any time you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

9. What security measures do we apply?

Qamarero maintains the highest security standards to protect your personal data, including:

  • Data encryption: both in transit (TLS) and at rest.
  • Firewalls and intrusion detection systems.
  • Strict access controls: only authorised staff, with the principle of least privilege.
  • Regular backups to ensure availability.
  • Continuous monitoring of our systems.
  • Periodic risk assessments.
  • Staff training in data protection.

We apply these same technical and organisational measures to personal data obtained through Google APIs, against unauthorised access, loss, alteration or disclosure.

10. Confidentiality

Qamarero undertakes to treat personal data with absolute confidentiality, keeping secret of them and adopting all necessary measures to avoid alteration, loss, processing or unauthorised access.

11. Use of cookies

Qamarero uses first-party and third-party cookies to optimise the operation of our website and software. You can consult our Cookie Policy for detailed information.

12. Responsibility

The user is the only party responsible for the truthfulness and accuracy of the data provided through our forms and systems.

13. Updates

Qamarero reserves the right to modify this Privacy Policy when necessary. Modifications will be published on this web page, where you can consult the most recent version.

Contact

For privacy questions: info@qamarero.com

© 2026 QR Payments, S.L. All rights reserved.

Logos institucionales: Kit Digital, Unión Europea, Red.es, Gobierno de España Ganador territorial Premios Emprende CaixaBank 2025