PRIVACY POLICY

eMeni — Application for Digital Menu and Ordering

Definitions

For the purposes of this Privacy Policy, certain terms have the following meaning:

  1. „Personal Data“ means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to identifiers such as name and surname, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, in accordance with the PDPA.
  2. „Data Subject“ means the natural person to whom personal data relates and whose personal data is processed within the Application (hereinafter: „User“).
  3. „Data Processing“ means any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, classification, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, deletion or destruction.
  4. „Automated Processing“ means processing of personal data carried out by means of information systems, software solutions and algorithms without direct human involvement in each individual operation.
  5. „Controller“ means a legal person which, alone or jointly with others, determines the purposes and means of personal data processing.
  6. „Processor“ means a legal or natural person which processes personal data on behalf of the Controller.
  7. „Sub-processor“ means a person who processes personal data on behalf of the Processor, with the prior authorization of the Controller.
  8. „Personal Data Breach“ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  9. „PDPA“ means the Law on Protection of Personal Data of the Republic of Serbia („Official Gazette of the RS“, No. 87/2018).

1. Introductory Provisions

This Privacy Policy (hereinafter: „Policy“) governs the manner in which personal data of users of the eMeni application (hereinafter: „Application“) are collected, processed, used, stored and protected.

eMeni is an application that enables hospitality establishments to create a digital menu accessible via QR code, as well as functionality for ordering by guests/users.

Data processing is carried out in accordance with the Law on Protection of Personal Data of the Republic of Serbia („Official Gazette of the RS“, No. 87/2018 — hereinafter: „PDPA“), in particular taking into account the provisions governing processing on behalf of the Controller, including Articles 45 and 46 of the PDPA.

Within the functioning of the Application, the following entities are distinguished:

  • Data Controller — a hospitality establishment or legal/natural person that uses the eMeni platform to provide digital menu and ordering services to its guests, and which determines the purposes and means of personal data processing (hereinafter: „Controller“).
  • Data Processor — DARKO VUJIČIĆ PREDUZETNIK RAČUNARSKO PROGRAMIRANJE UNGASOFT BEOGRAD — VOŽDOVAC, Business Registration No. 66611248 (hereinafter: „Processor“), which provides services for the development, implementation and/or maintenance of the eMeni software solution and related infrastructure for the Controller, and in this capacity processes personal data solely on behalf of and at the instruction of the Controller.

The Processor does not determine the purposes or means of processing and has no right to use the data for its own purposes. If the Processor were to violate the PDPA by determining the purpose and manner of processing, the Processor would be considered a Controller with regard to such processing, in accordance with the PDPA.

2. Legal Nature of Processing and Controller-Processor Relationship

In accordance with Article 45 of the PDPA, the Controller shall only entrust processing to a Processor who provides sufficient guarantees to implement appropriate technical, organizational and personnel measures, in a manner that ensures processing is carried out in accordance with the PDPA and that the rights of data subjects are protected.

Processing of personal data by the Processor is regulated by a contract or other legally binding act concluded in writing (including electronic form) between the Controller and the Processor, which regulates the subject matter and duration of processing, the nature and purpose of processing, categories of data and categories of data subjects, as well as the rights and obligations of the Controller and Processor.

Processing is carried out in a manner that enables the Controller to fulfill its obligations with respect to the protection of personal data towards data subjects and towards competent authorities at all times.

3. Processing on Instruction and Written Instructions

The Processor shall process personal data solely on the basis of written and documented instructions from the Controller, including instructions regarding any transfer of data to other countries or international organizations, unless the Processor is required by law to carry out certain processing. In that case, the Processor shall, before commencing processing, inform the Controller of such legal obligation, unless notification is prohibited in order to protect an important public interest.

In accordance with Article 46 of the PDPA, the Processor, and any person authorized by the Controller or Processor to access the data, shall not process data without instruction from the Controller, except where processing is required by law.

If the Processor believes that the Controller’s instruction is not in accordance with the PDPA or other data protection regulations, the Processor shall promptly alert the Controller.

4. Categories of Data Processed

In the course of using the eMeni application, depending on the configuration determined by the Controller, the following categories of personal data of users may be processed:

  • name and/or nickname (if input is provided during ordering);
  • table number or location within the establishment;
  • order data (menu items, quantities, notes, order time);
  • email address (if registration or invoice delivery is provided);
  • telephone number (if provided for order confirmation or contact);
  • technical data (e.g., IP address, device and browser data, application version, access logs for security and system stability).

The Controller may, by written instruction, specify other categories of personal data that the Processor is required to process, provided that such data is necessary for the defined purposes of processing and that the Controller provides the appropriate legal basis for their processing.

5. Purposes of Processing

The purposes of processing are determined solely by the Controller. Personal data is processed in particular for:

  • enabling access to the digital menu via QR code;
  • receipt, processing and fulfillment of user orders;
  • identification of table or ordering location within the hospitality establishment;
  • communication with the user regarding order status and application functionality;
  • recording and displaying order history;
  • prevention of misuse, fraud prevention and protection of system integrity;
  • fulfillment of the Controller’s legal obligations.

The Processor processes data solely for the purpose of fulfilling its contractual obligations to the Controller and does not use the data for its own purposes.

6. Automated and System Processing

The Application functions as an integrated information system that enables automated and systematic processing of data according to rules defined by the Controller.

Automated processing may include:

  • display of the digital menu based on QR code or link;
  • receipt and forwarding of orders to the hospitality establishment’s system;
  • generation of confirmations and order status notifications;
  • recording and updating of order history.

The Processor provides the technical infrastructure and software support for the aforementioned processes, but does not make decisions that produce legal consequences for the user, nor does it independently determine service parameters.

7. Data Storage Location and Access

Data is stored on cloud infrastructure within the European Union (Microsoft Azure — Germany), in accordance with the technical solution that has been contracted and approved by the Controller.

Access to data is organized so that only authorized persons have access, to the extent necessary for the fulfillment of contractual obligations and system maintenance.

8. Sub-processors and Entrusting Processing to Another Processor

In accordance with Article 45 of the PDPA, the Processor may entrust processing to another Processor only if authorized by the Controller on the basis of general or specific written authorization.

If processing is carried out on the basis of general authorization, the Processor shall inform the Controller of the intended choice of another Processor, or replacement of another Processor, so that the Controller has the opportunity to object to such change.

In the event of engagement of another Processor, the Processor shall ensure that the other Processor assumes the same personal data protection obligations as the Processor, by means of a written contract or other legally binding act. If the other Processor fails to fulfill its obligations, the Processor shall be liable to the Controller for fulfillment of the other Processor’s obligations in accordance with the PDPA.

9. Confidentiality and Authorized Persons

The Processor shall ensure that any natural person authorized to process personal data is bound by an obligation of confidentiality or is subject to a legal obligation of confidentiality. Access to data is limited to authorized persons who need access as part of their job responsibilities („need to know“).

10. Technical and Organizational Security Measures

The Processor shall implement all necessary measures in accordance with Article 50 of the PDPA, taking into account the nature, scope, context and purpose of processing, as well as the risk to the rights and freedoms of users.

The measures, among other things, include:

  1. protection of premises, equipment and software used for processing personal data;
  2. prevention of unauthorized access to personal data;
  3. ensuring pseudonymization and encryption of personal data, to the extent applicable and technically feasible;
  4. ensuring ongoing confidentiality, integrity, availability and resilience of systems and processing services;
  5. establishing the ability to restore availability and access to data in the event of physical or technical incidents in the shortest possible time;
  6. procedures for regular testing, evaluation and assessment of the effectiveness of technical, organizational and personnel security measures of processing.

11. Personal Data Breach and Notification

In the event of a personal data breach within the Processor’s scope of work, the Processor shall notify the Controller without undue delay, and in any case no later than 72 hours from becoming aware of the breach.

The Processor’s notification shall contain, to the extent information is available:

  • description of the nature of the breach;
  • categories and approximate number of affected data subjects;
  • categories and approximate number of affected data;
  • description of likely consequences;
  • measures taken or planned to remedy the breach and/or mitigate adverse consequences;
  • contact details of the responsible person or contact point of the Processor.

The Processor shall assist the Controller in timely action in accordance with the PDPA (including possible notification of the Ombudsman and data subjects), taking into account the nature of processing and the information available to it.

12. Assistance to Controller in Exercising Rights and Fulfilling Legal Obligations

Taking into account the nature of processing, the Processor shall assist the Controller, by applying appropriate technical, organizational and personnel measures (to the extent possible), in fulfilling the Controller’s obligations with respect to data subject requests under Chapter III of the PDPA.

The Processor shall also assist the Controller in fulfilling obligations relating to the security of processing and action in case of data breach, taking into account the nature of processing and the information available to it.

If a user submits a request to the Processor, the Processor shall forward the request to the Controller without delay and act in accordance with its instructions.

13. Deletion or Return of Data Upon Completion of Processing

Upon completion of the contracted processing activities, and on the basis of the Controller’s decision, the Processor shall:

  • delete all personal data and delete all copies of this data, or
  • return to the Controller all personal data,

unless data retention is required by law.

14. Information, Control and Demonstration of Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the Processor’s obligations stipulated by the PDPA and the data processing contract, as well as information that enables and facilitates the Controller’s audit of the Processor’s work or the work of a person authorized by the Controller, to the extent and in the manner governed by contract.

15. Contact and Communication

For questions regarding the exercise of the rights of data subjects, users shall contact the Controller, whose contact details are available within the Application and/or terms of use.

Processor Contact Information:
DARKO VUJIČIĆ PREDUZETNIK RAČUNARSKO PROGRAMIRANJE
UNGASOFT BEOGRAD — VOŽDOVAC
Business Registration No.: 66611248, Tax ID: 113145637
E-mail: app@emeni.rs
Telephone: +381 64 650 1598

16. Final Provisions

All matters not governed by this Policy shall be governed by the PDPA and other relevant regulations of the Republic of Serbia. The Controller is responsible for the existence of a legal basis and the lawfulness of the purpose of processing, as well as for informing users in accordance with the PDPA, while the Processor is responsible for acting in accordance with the Controller’s instructions, the data processing contract and the application of adequate security measures within its scope of work.

This Privacy Policy shall enter into force on the date of its adoption.

In Belgrade, on 01.01.2026.

__________________________
DARKO VUJIČIĆ PREDUZETNIK RAČUNARSKO PROGRAMIRANJE UNGASOFT BEOGRAD — VOŽDOVAC