Data Processing Agreement
Last updated: 2026-04-28
Template under legal review
This is a draft DPA template. Final wording is being reviewed by Cactus Group counsel before it is offered for signature. Email hello@scannoli.gr to request the signed version.
This Data Processing Agreement ("DPA") forms part of your Scannoli subscription agreement and applies to the processing of personal data by Scannoli (Cactus Group) on your behalf.
1. Roles
You (the customer) are the Data Controller. Scannoli is the Data Processor. We process personal data only on your documented instructions.
2. Subject matter and duration
Processing relates to your menu, customer interactions, and analytics data, for the duration of your subscription. Upon termination, data is deleted within 30 days unless retention is legally required.
3. Categories of data subjects
Restaurant operators, staff, and end-diners interacting with the menu.
4. Categories of personal data
Account credentials, billing details, menu content, and aggregated diner analytics (no individual diner identification).
5. Sub-processors
Hosting on EU-region infrastructure. Payment processing via Viva Wallet S.A. (Greece). Translation processing (when enabled in Phase 3) via an EU-region AI provider. We will notify you of any change before adding a new sub-processor.
6. Security measures
TLS for all data in transit, AES-256 at rest, role-based access controls, audit logging, and regular backups. Personnel are bound by confidentiality.
7. International transfers
No transfers outside the EEA. If this changes, we will rely on Standard Contractual Clauses (Decision (EU) 2021/914).
8. Data subject rights
We will assist you in responding to access, rectification, erasure, portability, and objection requests within 30 days.
9. Personal data breach notification
We notify you within 48 hours of becoming aware of a breach affecting your data, with all information required for your Art. 33 GDPR notification.
10. Audit rights
Once per year, you may audit our processing activities or accept an independent third-party audit report (e.g., ISO 27001) where available.
11. Contact
Data protection contact: privacy@scannoli.gr.