DPA and Data Access Appendix
Product: Qastio
Operator: CHATROOM DOO BEOGRAD
Website: https://menuwithai.com/
Version: v1.0
Publication date: 13 May 2026
Status: Final Website Version
Classification: Public / Website Legal Document
Governing law: Republic of Serbia
Operator Details
| Field | Value |
|---|---|
| Legal name | CHATROOM DOO BEOGRAD |
| Short name | CHATROOM DOO |
| Company registration number | 21844616 |
| Tax identification number (PIB) | 113317904 |
| Registered seat | Vojvode Stepe 79, 11000 Belgrade, Vozdovac, Republic of Serbia |
| Email | ceo@inotium.com |
| Website / Platform domain | https://menuwithai.com/ |
| Legal representative | Georgy Ronn, Director |
1. Purpose
This Data Processing Agreement and Data Access Appendix governs personal data processing and commercial/operational data access when a Restaurant, Supplier or other business user connects to Qastio, enables POS/API integration, uses analytics, participates in procurement, uses the voluntary payment module or gives Platform users dashboard access.
2. Roles
| Processing activity | Typical role of Operator | Typical role of Restaurant / Supplier |
|---|---|---|
| Guest order routing | Processor or independent controller depending on implementation | Restaurant is usually controller for fulfilment and customer relationship. |
| Restaurant dashboard accounts | Controller for Platform account/security; processor for Restaurant staff data where instructed | Restaurant controls staff authorisations and account users. |
| POS/API integration | Processor or joint/independent controller depending on purpose | Restaurant confirms lawful right to provide POS/API data. |
| Aggregated procurement analytics | Independent controller for aggregated/anonymised commercial analytics | Restaurant provides business data under contractual access rights. |
| Supplier procurement offers | Independent controller for supplier account and procurement coordination | Supplier controls product documents and supply data. |
| Voluntary payment module | Controller for Platform logs/status; PSP is separate controller/processor under its terms | Restaurant remains seller/merchant where applicable; PSP processes payment data. |
3. Processor Obligations
- Process personal data only under documented instructions where acting as processor.
- Ensure confidentiality of authorised persons.
- Apply appropriate technical and organisational measures.
- Assist with data subject rights, incident response and compliance requests as required by law and contract.
- Use subprocessors only with required notice or authorisation where applicable.
- Delete or return personal data after service termination unless retention is required for legal, accounting, security, dispute or evidence purposes.
4. Data Access Matrix
| Data category | Sensitivity | Permitted purpose | Disclosure |
|---|---|---|---|
| Public Restaurant data | Low | Restaurant profile, QR menu, opening hours, menu display and promotion. | Displayed publicly. |
| Order operational data | Medium | Order routing, status, support, analytics and dispute evidence. | Restaurant, Guest where relevant, support providers and PSP where applicable. |
| SKU-level sales and procurement data | High | Demand aggregation, procurement recommendations, supplier negotiations and category strategy. | Aggregated or limited by role and purpose. |
| Supplier pricing and offer data | High | Offer comparison, procurement orders, service fees and analytics. | Limited to relevant Restaurants and Platform roles. |
| Guest personal data | High | Order fulfilment, support, security, refunds and legal duties. | Not sold; disclosed only for service and legal purposes. |
| Payment status data | High | Payment confirmation, settlement support, refund, chargeback and accounting evidence. | PSP, Restaurant, Operator and advisers/authorities where required. |
| Aggregated/anonymised data | Low to medium | Forecasting, supplier negotiations, market analysis and Platform improvement. | May be used commercially if it does not identify individuals or disclose protected individual Restaurant data. |
5. Security Measures
- Role-based access controls and account permissions.
- Logging of dashboard, POS/API and procurement actions.
- Secure credential handling and limited access to integration secrets.
- Backups, incident response, confidentiality commitments and supplier controls.
- Data minimisation for personal data and purpose limitation for commercially sensitive data.
- Segregation of individual Restaurant data from Supplier access unless disclosure is necessary for a specific order, logistics, claim, law or Restaurant consent.
6. Payment Data
The Operator does not store full card numbers or CVV. PSPs, banks or acquirers process card data under their own technical and legal framework. The Operator may process transaction status, PSP reference, amount, currency, refund status, chargeback status and limited card metadata where provided by the PSP for order confirmation, support, accounting, fraud prevention and dispute evidence.
7. Audit and Evidence
The Operator may retain technical logs, API logs, order evidence, consent records, security logs, payment-status logs and procurement confirmations for the period necessary to protect rights, comply with law, resolve disputes, support accounting and prevent fraud.
Final Disclaimer
This document forms part of the Qastio legal documentation made available by the Operator. It does not limit any mandatory rights granted to users under applicable law. Where a specific onboarding, payment, procurement, POS/API integration or supplier arrangement is governed by an additional accepted document, that document applies together with this document and prevails within its specific scope.