Privacy Policy

This Privacy Policy describes how Quickap collects, uses, stores, processes and protects the personal data of visitors, leads, platform users and the end customers of the establishments that use our services. Our goal is to be transparent about which data we process, for which purposes, on which legal bases and how the data subject can exercise their rights.

Quickap is a digital menu, direct ordering and AI-assisted service platform for restaurants, pizzerias, burger joints, delivery businesses and similar establishments. This Policy is part of the General Terms and Conditions of Use and was drafted considering the Brazilian General Data Protection Law (Law 13.709/2018 — “LGPD”), the Brazilian Internet Civil Framework (Law 12.965/2014) and the European Union General Data Protection Regulation (Regulation (EU) 2016/679 — “GDPR”), where applicable.

We aim to adopt good data protection practices, but this Policy is not a statement of absolute compliance: adequacy depends on ongoing legal validation and evolving internal processes.

Quickap is operated by Quicklab Desenvolvimento de Software Ltda., registered under CNPJ No. 42.885.072/0001-03, with its head office at Estrada do Rio Grande, No. 868, Block 4, Suite 806, Taquara, Rio de Janeiro/RJ, Brazil, ZIP 22.720-011. For the purposes of this Policy, Quickap may act as the controller of personal data when it determines the purposes and means of processing related to the website, sign-ups, marketing communications, support, billing and management of the platform.

Quickap is in the process of expanding into the European Union, with a planned establishment in Spain. When the processing of data of EU data subjects makes it required, Quickap will appoint as its EU representative, under Article 27 of the GDPR, the company partner, Thiago de Andrade Oliveira, reachable at contato@quicklab.tech.

In certain situations, especially when restaurants, pizzerias, burger joints, delivery businesses or other establishments use Quickap to manage menus, orders, customers, service and operations, the contracting establishment may be the controller of its own customers’ personal data, while Quickap acts as the processor, handling the data according to the establishment’s instructions and within the limits necessary to provide the contracted services.

For customers located in the European Union, or who process data of data subjects located in the European Union, it may be necessary to enter into a Data Processing Agreement (DPA), with specific clauses on processing, security, sub-processors, international transfers and handling of data subject rights.

We collect different categories of data depending on how you interact with Quickap:

Website visitors

• IP address;
• device identifiers;
• browser;
• pages visited;
• date and time of access;
• cookies and browsing data.

Leads and business contacts

• name;
• email;
• phone;
• company/restaurant name;
• messages sent through forms, WhatsApp, email or other channels.

Platform users

• name;
• email;
• phone;
• login data;
• establishment data;
• menu settings;
• usage history;
• access logs;
• support information.

Restaurant customers (end customers)

• name;
• phone;
• delivery address;
• order items;
• order notes;
• order history;
• data needed for service, delivery, pickup or communication about the order.

Payment data

Payments are made via PIX or directly with the establishment (for example, on delivery or pickup). Quickap does not process or store credit or debit card data. Any payment-related data is limited to information such as the chosen payment method and order status/confirmation, where applicable. Quickap does not request or store the full card number, security code (CVV) or password.

AI and service data

• messages sent;
• service context;
• history needed to respond to the customer;
• data used for automations and support.

Personal data may be collected in the following ways:

• Directly from the data subject: when filling out contact and sign-up forms, creating an account, configuring the establishment, sending messages via WhatsApp, email or other channels and requesting support;
• Automatically: through cookies and similar technologies, access logs, device identifiers and usage data while browsing the website and the platform;
• Through the establishments: when the restaurant or establishment enters or processes, on the platform, data of its own end customers (orders, deliveries and service);
• From third parties and integrations: messaging providers, payment methods, analytics tools and other integrations requested or authorized, as applicable.

We use personal data for, among others, the following purposes:

• Create and manage accounts and enable the use of the platform and its features;
• Process orders and operations of the establishments and their end customers (service, delivery, pickup and communication about the order);
• Provide support and respond to requests, complaints and questions;
• Improve and develop the platform, understand how the services are used and create new features;
• Send marketing communications and content about the services, according to the applicable legal basis;
• Comply with legal and regulatory obligations and exercise rights in judicial, administrative or arbitration proceedings;
• Ensure security and prevent fraud, abuse and incidents.

Processing of data for purposes not provided for in this Policy will only take place with prior notice to the data subject and, where required, on an appropriate legal basis.

Each processing activity relies on one or more legal bases. We do not use consent as a sole or generic basis: consent is applied where it makes sense, mainly for optional marketing, non-essential cookies and promotional communications.

When an establishment uses Quickap to receive and manage orders, the end customers’ data (such as name, phone, delivery address and order items) is processed by Quickap as a processor, following the instructions of the establishment, which acts as the controller of that data.

In these cases, the establishment is responsible for informing its end customers about the data processing, obtaining the appropriate legal bases and handling, in the first instance, data subject requests. Quickap supports the establishment within the applicable technical and contractual limits.

Quickap may use artificial intelligence resources and automations to assist with service, order organization, customer responses, support and improving the platform experience. The messages and information processed by these resources will be used only for purposes related to providing the service, support, security and improvement of the platform, according to the applicable legal bases.

To enable these resources, data may be processed by external artificial intelligence providers, currently OpenAI, according to the provider’s terms and privacy policies. Under OpenAI’s current terms for API use, data sent via the API is not used to train its models. Should this configuration change, this Policy will be updated.

The data subject may request additional information about automated processing and, where applicable, a review of decisions made solely on the basis of automated processing.

Cookies are small files sent to the user’s device with information related to browsing. We use cookies and similar technologies organized into the following categories:

Necessary cookies

• login;
• security;
• platform operation;
• basic preferences.

Analytics cookies

• access metrics;
• pages visited;
• site performance.

Marketing cookies

• personalization;
• campaigns;
• ad measurement.

Third-party cookies

• analytics;
• paid media;
• support and chat;
• integrations.

When you access the site, we display a cookie notice with the Accept and Reject options. You may also configure your browser to refuse cookies or delete existing ones. In regions where prior consent is required, non-essential cookies will only be used after the user’s authorization. Some platform features may not work correctly if certain cookies are disabled.

We may share personal data with categories of vendors and partners when necessary to provide the services:

• hosting and cloud infrastructure;
• database;
• email providers;
• WhatsApp/Meta or other messaging services;
• analytics;
• customer service and support tools;
• artificial intelligence providers;
• accounting, legal and compliance;
• operational integrations requested by the customer.

The main vendors and sub-processors currently used include, without being exhaustive:

• Hosting and infrastructure: DigitalOcean, Vercel, Amazon Web Services (AWS) and Redis;
• Backend and content management: Strapi;
• Artificial intelligence: OpenAI;
• Messaging and WhatsApp: Evolution API and automations via n8n;
• Analytics and marketing: Google (Analytics, Maps and reCAPTCHA), Meta (Pixel) and MapTiler;
• Social sign-in: Google and Meta/Facebook;
• Delivery and POS integrations connected at the establishment’s instruction: iFood, 99Food/DiDi Food, Keeta, Delivery Direto and Saipos.

The list of vendors may vary according to the features contracted and the integrations enabled by each establishment.

Quickap does not sell personal data.

When third parties act as processors/sub-processors, reasonable contractual and technical measures will be adopted to protect the data.

Personal data may be stored or processed in Brazil, in the European Union or in other countries where the technology providers used by Quickap are located. Where applicable, Quickap will adopt appropriate legal mechanisms for international transfers, such as adequacy decisions, contractual clauses, technical and organizational measures and other safeguards provided for in the LGPD and the GDPR.

Due to the providers used (such as DigitalOcean, Vercel, AWS, Google and OpenAI), data may be processed, among other locations, in Brazil, the United States and the European Union. [CONFIRM EXACT REGIONS/DATA CENTERS FOR EACH VENDOR]

We keep personal data only for as long as necessary to fulfill the purposes for which it was collected, observing the applicable legal and regulatory periods.

Where there is no specific legal period, we use as a reference periods proportional to the purpose — for example, up to 5 years after the relationship ends for the defense of potential claims, and a minimum of 6 months for application logs (art. 15 of the Internet Civil Framework). After the retention period ends, data is deleted or anonymized, except in cases of legal retention.

We adopt reasonable technical and organizational measures to protect personal data against unauthorized access and situations of destruction, loss, alteration, improper communication or disclosure — including access controls, encryption in transit, log recording and minimization and anonymization practices where applicable. No system is entirely immune to incidents; therefore, we work continuously to improve our controls and respond appropriately to any security incidents, in accordance with applicable law.

Rights under the LGPD

• confirmation that processing exists;
• access to the data;
• correction of incomplete, inaccurate or outdated data;
• anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the law;
• data portability to another provider;
• information about data sharing;
• information about the possibility of not consenting and about the consequences of refusal;
• withdrawal of consent;
• objection to processing carried out in breach of the law;
• review of decisions made solely by automated means.

Additional rights under the GDPR (where applicable)

• access;
• rectification;
• erasure (“right to be forgotten”);
• restriction of processing;
• portability;
• objection;
• withdrawal of consent;
• lodging a complaint with the competent supervisory authority;
• not to be subject to decisions based solely on automated processing, where applicable.

Handling a request may not be immediate or complete due to possible legal impediments or retention obligations.

To exercise your rights, you may contact us at contato@quicklab.tech or through another channel indicated by Quickap. The request must contain enough information to confirm the requester’s identity and locate the related data. Quickap will respond to requests within the periods provided for in applicable law.

When Quickap acts as a processor on behalf of a restaurant or establishment, some requests may be forwarded to the responsible controller.

Quickap may send marketing communications, news, offers and content related to its services, according to the applicable legal basis. You may unsubscribe from these communications at any time through the unsubscribe link, a reply requesting removal or by contacting the privacy channel (contato@quicklab.tech).

Quickap’s services are directed at companies, restaurants and users with the capacity to contract. Quickap does not intend to collect children’s data. If we identify the processing of children’s or adolescents’ data without an appropriate legal basis or required authorization, we will take reasonable measures to delete or regularize it, in accordance with applicable law.

We may modify this Privacy Policy at any time, and it is advisable that you review it periodically. Changes take effect after publication. When changes are significant, we may use additional forms of communication. The date of the last update is shown at the top of this page.

This Policy will be interpreted in accordance with Brazilian law, especially the LGPD and the Internet Civil Framework, without prejudice to the application of data protection rules of other jurisdictions where mandatory, including the GDPR for data subjects located in the European Union, where applicable. In Brazil, the competent authority is the National Data Protection Authority (ANPD). Data subjects in the European Union may also lodge a complaint with the supervisory authority of their country.

For questions, requests or to exercise rights related to personal data, contact our DPO at contato@quicklab.tech.

Data Protection Officer (DPO): Thiago de Andrade Oliveira, reachable at contato@quicklab.tech.