Privacy Policy

Last updated: 21 June 2026 · Operated by DINAMIK d.o.o. · OIB 66166833677

This Privacy Policy explains how DINAMIK d.o.o. processes personal data when you use QStatus, our live order-status board service for food stalls ("QStatus" or the "Service"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Reg. (EU) 2016/679) and applicable Croatian law.

1. Who we are (data controller)

The controller responsible for your personal data is:

  • DINAMIK d.o.o. (limited liability company)
  • OIB (personal identification number): 66166833677
  • Registered address: Šušnjevec 49, 10000 Zagreb, Hrvatska
  • Director: Jura Milković
  • Contact for privacy matters: info@dinamik.dev

For any question about this policy or to exercise your rights, contact us at info@dinamik.dev. We have not appointed a Data Protection Officer, as we are not legally required to.

2. Who this policy applies to

It applies to stall owners and staff who create an account and use the dashboard, and explains what happens to customers who scan a stall's QR code to view its public order board.

Board viewers (your customers): the public order board shows only anonymous order numbers and their status. We do not collect names, emails, contact details, or any other personal data from people who scan a QR code, and we set no tracking or analytics cookies on their devices (only a functional cookie remembering the page's language may be stored — see Cookies).

3. What personal data we collect

From stall owners/staff who register, we process:

  • Account data: your name, email address, and password (stored only as a salted hash, never in plain text).
  • Stall data: the stall name and an automatically generated stall code. Order numbers and their timestamps that you enter to run the board.
  • Billing data: subscription status, plan, billing period, and the identifiers needed to link your account to your payment. Card/payment details are handled by Paddle and are never stored on our systems.
  • Technical and security data: your IP address and request metadata, used transiently to operate the Service and to rate-limit sign-in/sign-up against abuse, and a strictly necessary session cookie (see Cookies below).

We do not intentionally collect special categories of personal data, and we ask you not to enter such data into order numbers or stall names.

4. Why we process your data and our legal bases

  • To provide the Service — create and manage your account, run your order boards (legal basis: performance of a contract, Art. 6(1)(b) GDPR).
  • To take payment and manage subscriptions — via our payment provider (Art. 6(1)(b) GDPR).
  • To meet legal obligations — issuing and keeping invoices and accounting records (Art. 6(1)(c) GDPR).
  • To keep the Service secure — authentication, abuse prevention, and rate limiting (Art. 6(1)(f) GDPR; our legitimate interest in protecting the Service and our users).
  • To send service emails — such as account verification (Art. 6(1)(b) GDPR).

5. Cookies

QStatus uses only strictly necessary and functional cookies — no tracking, advertising, or analytics cookies.

  • appwrite-session (strictly necessary) — keeps you signed in to the dashboard. It is HttpOnly (not readable by JavaScript), Secure, and SameSite=strict, and lasts for the duration of your session (up to ~30 days). Without it you could not stay logged in.
  • NEXT_LOCALE (functional) — remembers your language choice (English or Croatian) so the site loads in your preferred language. It holds only a two-letter language code, contains no identifying information, and is set when you use the site or switch language. It is set on all pages, including the public order board.

Because these cookies are strictly necessary or functional — needed to deliver a service you have requested or to remember a preference you have set — they are exempt from the consent requirement under the ePrivacy rules and Croatian electronic communications law. We show a brief informational notice about them the first time you visit. If we ever introduce analytics or other non-essential cookies, we will ask for your consent first.

6. Who we share data with (processors)

We do not sell your personal data. We share it only with service providers (processors) that help us run QStatus, under contracts that require them to protect it:

  • Appwrite — our backend platform for authentication, database, real-time updates, and sending account-verification emails. Our data is hosted in the European Union (Frankfurt, Germany).
  • Hetzner Online GmbH — our cloud hosting provider (Germany, EU) that runs the servers on which the QStatus application operates. It processes technical data such as the IP addresses contained in server logs.
  • Paddle — our payment and subscription provider, acting as Merchant of Record (the seller of record for your subscription). Paddle processes your email and payment details to take payment, issue invoices, and handle VAT. See Paddle's own privacy notice for details.

We may also disclose data where required by law or to establish, exercise, or defend legal claims.

7. International data transfers

Our database and authentication data are hosted within the EU/EEA. Where a processor (for example, for payment processing or support) transfers personal data outside the EU/EEA, that transfer is protected by an adequacy decision or by the European Commission's Standard Contractual Clauses together with appropriate safeguards.

8. How long we keep your data

  • Account and stall data: kept while your account is active, and deleted when you delete your account (see Your rights).
  • Invoices and accounting records: retained for the period required by Croatian tax and accounting law (currently 11 years), even after account deletion.
  • Security/technical logs: kept only for a short period as needed for security and troubleshooting.

9. Your rights

Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data; restrict or object to processing; and data portability. You can exercise most of these directly in the app or by emailing us.

  • Erasure (right to be forgotten): you can delete your account yourself at any time from your Profile page. This permanently removes your account, stalls, orders, and customer/subscription records from our systems and cancels any active subscription (statutory invoice records are kept as noted above).
  • Other requests: email info@dinamik.dev and we will respond within one month.

10. Right to lodge a complaint

If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with the Croatian supervisory authority:

  • Agencija za zaštitu osobnih podataka (AZOP)
  • Selska cesta 136, 10000 Zagreb, Hrvatska
  • https://azop.hr

11. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

12. How we protect your data

We use encryption in transit (HTTPS), store passwords only as salted hashes, route all data changes through audited server-side checks, restrict access to authorised personnel, and apply the principle of least privilege. No system is perfectly secure, but we work to protect your data appropriately.

13. Children

QStatus is a business tool and is not directed at children. We do not knowingly create accounts for anyone under 16.

14. Changes to this policy

We may update this policy from time to time. We will post the updated version here and change the 'Last updated' date. Material changes will be communicated where appropriate.

Company details

DINAMIK d.o.o.
Šušnjevec 49, 10000 Zagreb, Hrvatska
Registered at
Trgovački sud u Zagrebu
Court register no. (MBS)
080014746
OIB
66166833677
VAT ID
HR66166833677
Share capital
2.654,00 EUR (paid in full)
Sole founder & director
Jura Milković
Bank
Raiffeisenbank Austria d.d.
IBAN
HR3824840081106801578
SWIFT/BIC
RZBHHR2XXXX
Email
info@dinamik.dev