Privacy Policy
Last updated: April 12, 2026
Effective date: March 29, 2026
1. Introduction
PREEA ("we", "our", or "us") operates the PREEA QR Menu Platform, including the mobile application (PREEA Manager), the website at preea.com, and all related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service, regardless of where you are located.
We are committed to protecting your privacy and processing your personal data in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Thailand Personal Data Protection Act (PDPA), the Singapore Personal Data Protection Act (Singapore PDPA), the Malaysia Personal Data Protection Act 2010 (Malaysia PDPA), the Philippines Data Privacy Act of 2012 (DPA), the Indonesia Personal Data Protection Law (PDP Law), the Vietnam Personal Data Protection Decree (Decree 13/2023/ND-CP), the Brazil General Data Protection Law (LGPD), the Japan Act on Protection of Personal Information (APPI), the India Digital Personal Data Protection Act 2023 (DPDPA), the Australia Privacy Act 1988, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable regional and national privacy legislation.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please discontinue use of the Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, phone number, IP address, device identifiers, and usage data.
- "Processing" means any operation performed on personal data, such as collection, recording, storage, retrieval, use, disclosure, or erasure.
- "Data Controller" means the entity that determines the purposes and means of processing personal data.
- "Data Processor" means an entity that processes personal data on behalf of the Data Controller.
- "Data Subject" means the individual whose personal data is being processed.
- "Business User" means a business owner or manager who uses PREEA to manage their establishment.
- "End User" means a customer who views a business menu through the PREEA platform (e.g., by scanning a QR code).
3. Data Controller
PREEA acts as the Data Controller for personal data collected through the Service. For any questions regarding our data processing activities, you may contact us using the details provided in Section 26.
When a Business User uses PREEA to manage their establishment, PREEA acts as a Data Processor on behalf of the Business User (the Data Controller) for customer data that the Business User collects through the platform.
4. Information We Collect
4.1 Information You Provide Directly
- Account registration: Name, email address, phone number, profile photo (via Google Sign-In or Apple Sign-In)
- Business information: Business name, address, category, operating hours, menu items, pricing, and descriptions
- Payment information: Billing details processed through our third-party payment providers (we do not store full payment card numbers)
- Communications: Messages, feedback, and support requests you send to us
- Media uploads: Images of menu items, business logos, and other media you upload to the Service
4.2 Information Collected Automatically
- Device information: Device type, operating system, browser type and version, screen resolution, and language preferences
- Usage data: Pages visited, features used, actions taken, time spent on pages, and interaction patterns
- Network information: IP address, approximate geolocation (city/country level only), and internet service provider
- Diagnostic data: Crash reports, error logs, and performance metrics (collected via our error monitoring service)
- Cookies and similar technologies: Session identifiers, preferences, and analytics data (see Section 21)
4.3 Information We Do Not Collect
We do not knowingly collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health information, or sexual orientation. We do not collect precise GPS location data unless you explicitly grant permission in the mobile application.
5. Legal Basis for Processing
We process your personal data based on the following legal grounds as required by GDPR Article 6 and equivalent provisions under other applicable laws:
| Processing Activity | Legal Basis |
|---|---|
| Providing and maintaining the Service | Contract performance (Art. 6(1)(b)) |
| Account management | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Cookies and tracking (non-essential) | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Error tracking and diagnostics | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
6. How We Use Your Information
- Service delivery: To provide, operate, and maintain the QR menu platform, including generating QR codes, displaying menus, and managing business profiles
- Account management: To create, manage, and authenticate your account
- Transaction processing: To process payments and manage billing for paid features
- Communications: To send service-related notifications, security alerts, and support responses
- Service improvement: To analyze usage patterns, diagnose technical issues, and develop new features
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
- Legal compliance: To comply with applicable laws, regulations, and legal processes
- Marketing: To send promotional materials only with your prior opt-in consent (you may opt out at any time)
7. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:
7.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf under strict contractual obligations, including Data Processing Agreements (DPAs) that require them to protect your data and limit its use to the services they provide to us:
- Cloud hosting and infrastructure providers
- Payment processing services
- Analytics and monitoring services
- Email delivery services
- Error tracking and diagnostic services
7.2 Legal Requirements
We may disclose your personal data if required by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
7.4 With Your Consent
We may share your data with third parties when you have given us explicit consent to do so.
8. Third-Party Services
We use the following third-party services that may collect and process your data. Each operates under its own privacy policy:
| Service | Purpose | Data Processed |
|---|---|---|
| Google Sign-In | Authentication | Google account email, name, profile photo |
| Apple Sign-In | Authentication | Apple ID email, name |
| Google Analytics (GA4) | Website analytics | Anonymized usage data, page views, device info |
| Product analytics service | Product analytics | Anonymized usage events, feature interactions |
| Error monitoring service | Error tracking and diagnostics | Crash reports, error data, device/browser info (no PII) |
| Cloud hosting providers | Cloud hosting | All data stored on our platform (encrypted) |
| Observability platform | Observability | Application logs, metrics, traces (no PII) |
We encourage you to review each third-party service's privacy policy. We have Data Processing Agreements in place with our service providers to ensure appropriate data protection.
9. International Data Transfers
As a globally operating platform, your personal data may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.
When we transfer personal data outside of the European Economic Area (EEA), United Kingdom, Thailand, or other jurisdictions with data transfer restrictions, we ensure appropriate safeguards are in place, including:
- Adequacy decisions: Transferring data to countries recognized as providing adequate data protection by the European Commission or other relevant authorities
- Standard Contractual Clauses (SCCs): Using EU-approved Standard Contractual Clauses with our service providers and partners
- Data Processing Agreements: Binding contractual obligations requiring our processors to protect personal data to the same standards
- Technical safeguards: Encryption in transit (TLS 1.2+) and at rest for all transferred data
You may request a copy of the safeguards we use for international transfers by contacting us.
10. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Business content (menus, images) | Duration of account + 30 days after deletion |
| Transaction records | 7 years (legal/tax requirements) |
| Analytics data | 26 months (anonymized) |
| Error/diagnostic logs | 90 days |
| Support communications | 2 years after resolution |
| Audit logs | 3 years |
When data is no longer needed, we securely delete or irreversibly anonymize it. Anonymized data that can no longer identify you may be retained indefinitely for statistical purposes.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data in transit is protected by TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption algorithms.
- Access controls: Strict role-based access controls and multi-tenant isolation ensure that only authorized personnel can access personal data.
- Authentication: Secure OAuth 2.0-based authentication via Google and Apple Sign-In, with token-based session management.
- Infrastructure security: Our infrastructure providers maintain SOC 2, ISO 27001, and other industry certifications.
- Monitoring: Continuous security monitoring, automated vulnerability scanning, and regular security audits.
- Incident response: Documented incident response procedures to detect, contain, and remediate security incidents.
While we strive to use commercially acceptable means to protect your personal data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
12. Your Rights
Regardless of your location, we respect the following data protection rights for all users:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
- Right to restriction: Request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: Receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Withdraw your consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or within the timeframe required by your applicable law). We may request verification of your identity before processing your request.
13. Additional Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation:
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates GDPR.
- Right regarding automated decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
- Data Protection Officer: You may contact our data protection team at [email protected] for any GDPR-related inquiries.
We will respond to GDPR-related requests within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
14. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with additional rights:
Categories of Personal Information Collected
- Identifiers (name, email, phone number, IP address)
- Commercial information (transaction history, subscription details)
- Internet or network activity (browsing history, interactions with Service)
- Geolocation data (approximate, city/country level)
- Professional information (business name, business category)
Your CCPA/CPRA Rights
- Right to know: Request details about the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide the Service.
To exercise these rights, contact us at [email protected] or use the in-app privacy settings. We will verify your identity and respond within 45 days.
15. Additional Rights for ASEAN Residents
If you are located in a member state of the Association of Southeast Asian Nations (ASEAN), the following additional provisions apply based on your country of residence:
15.1 Thailand (Personal Data Protection Act, PDPA)
- We process your personal data in compliance with the Thailand Personal Data Protection Act B.E. 2562 (2019), obtaining opt-in consent before collection and providing clear purpose-based choices.
- You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
- You have the right to access your personal data, request correction, request deletion or anonymization, restrict processing, object to processing, and request data portability in a machine-readable format.
- You have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) if you believe your data has been mishandled.
- In the event of a data breach, we will notify the PDPC within 72 hours. Cross-border data transfers from Thailand are conducted only with appropriate safeguards in place.
15.2 Singapore (Personal Data Protection Act)
- We obtain your consent before collecting, using, or disclosing your personal data, and notify you of the purposes at or before the time of collection.
- You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
- You have the right to request access to and correction of your personal data held by us.
- In the event of a data breach that could result in significant harm, we will notify the Personal Data Protection Commission (PDPC) and affected individuals within 3 calendar days of assessing the breach.
- We implement reasonable security arrangements to protect your personal data against unauthorized access, collection, use, disclosure, or similar risks.
- We retain your personal data only for as long as necessary for business or legal purposes, and securely dispose of it when no longer needed.
15.3 Malaysia (Personal Data Protection Act 2010)
- We process your personal data in accordance with the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle of the Malaysia PDPA.
- You have the right to access your personal data, request corrections, and withdraw consent for processing.
- From June 2025, you have the right to data portability, allowing you to request that your personal data be transmitted to another data controller where technically feasible.
- Cross-border transfers of your data are conducted only to jurisdictions with substantially similar data protection laws or with adequate safeguards in place, following a Transfer Impact Assessment.
- In the event of a data breach, we will notify the Personal Data Protection Department (PDPD) within 72 hours and affected individuals within 7 days thereafter.
15.4 Philippines (Data Privacy Act of 2012)
- We process your personal information in compliance with the principles of transparency, legitimate purpose, and proportionality as required by the Data Privacy Act.
- You have the right to be informed, to access, to object, to erasure or blocking, to rectification, to data portability, and to file a complaint with the National Privacy Commission (NPC).
- We implement reasonable and appropriate organizational, physical, and technical security measures to protect personal information.
- Any data breach that may pose a risk to the rights and freedoms of data subjects will be reported to the NPC and affected individuals within 72 hours of discovery.
15.5 Indonesia (PDP Law No. 27 of 2022)
- We process your personal data based on a valid legal basis: consent, contractual necessity, legitimate interest, or legal obligation, in accordance with the PDP Law.
- You have the right to obtain information about your data processing, access your data, request correction, request deletion, withdraw consent, object to automated decision-making, and request data portability.
- We distinguish between general personal data and specific (sensitive) personal data, applying enhanced protections to sensitive categories including financial data and children's data.
- Cross-border transfers are conducted only where the receiving country has an adequate level of data protection or with appropriate contractual safeguards.
- Data breach notifications will be made to affected individuals within 3 x 24 hours of the breach being discovered, as required by the PDP Law.
15.6 Vietnam (Decree 13/2023/ND-CP and PDP Law)
- We obtain your explicit, voluntary consent based on a full understanding of the purpose, type of data collected, entities involved, and your rights before processing your personal data.
- You have the right to access, correct, delete, restrict, and object to the processing of your personal data. We will respond to your requests within 72 hours as required by Decree 13.
- We classify personal data into basic personal data and sensitive personal data, with enhanced protections applied to sensitive categories.
- Cross-border transfers of personal data of Vietnamese residents are conducted only with appropriate safeguards, including Data Protection Impact Assessments and Transfer Impact Assessments.
16. Additional Rights for Brazil Residents (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with additional rights:
- Confirmation and access: You may request confirmation of whether we process your data and access to your personal data.
- Correction: You may request correction of incomplete, inaccurate, or outdated personal data.
- Anonymization, blocking, or deletion: You may request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.
- Data portability: You may request portability of your personal data to another service provider.
- Deletion: You may request deletion of personal data processed with your consent.
- Information about sharing: You may request information about which public and private entities we have shared your data with.
- Consent withdrawal: You may withdraw consent at any time, and we will inform you of the consequences of withdrawal.
- Right to petition: You have the right to petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding our data processing practices.
17. Additional Rights for Japan Residents (APPI)
If you are located in Japan, the Act on the Protection of Personal Information (APPI) provides you with additional rights:
- You may request disclosure of your retained personal data, the purpose of its use, and records of third-party provision.
- You may request correction, addition, or deletion of your personal data if it is inaccurate.
- You may request cessation of use or deletion of your data if it was acquired improperly or is no longer necessary.
- You may request cessation of third-party provision of your data.
- Cross-border transfers of your data require your informed consent specifying the destination country, or confirmation that the recipient maintains APPI-equivalent protections.
- We specify and publicly announce (or notify you of) the purposes for which we use your personal information, and do not use it beyond those purposes without your consent.
18. Additional Rights for India Residents (DPDPA)
If you are located in India, the Digital Personal Data Protection Act 2023 (DPDPA) provides you with additional rights:
- We process your personal data based on your consent or for legitimate uses as defined under the DPDPA.
- You have the right to access information about your personal data being processed, request correction and erasure, and nominate another person to exercise your rights in case of death or incapacity.
- You may withdraw consent at any time with the same ease as it was given. We will cease processing and delete your data upon withdrawal (unless retention is required by law).
- You have the right to a grievance redressal mechanism, and we will respond to your grievances within a reasonable timeframe.
- We will notify the Data Protection Board of India and affected individuals of any personal data breach regardless of the magnitude.
- For children's data (under 18), we obtain verifiable parental consent before processing.
19. Additional Rights for Australia Residents
If you are located in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) provide you with additional rights:
- We only collect personal information that is reasonably necessary for our functions or activities (APP 3).
- You have the right to know why we collect your personal information, what we do with it, and who we disclose it to (APP 5).
- You have the right to access your personal information (APP 12) and request correction if it is inaccurate, out of date, incomplete, or misleading (APP 13).
- We will not use or disclose your personal information for direct marketing unless you have consented or it is impractical to obtain consent, and you may opt out at any time (APP 7).
- Cross-border disclosures are made only where the overseas recipient is subject to similar privacy obligations or you have consented (APP 8).
- We will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches likely to result in serious harm (Notifiable Data Breaches scheme).
- You may complain to the OAIC if you believe we have breached the APPs.
20. Additional Rights for Canada Residents (PIPEDA)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation provide you with additional rights:
- We obtain your meaningful consent before collecting, using, or disclosing your personal information, and we identify the purposes at or before the time of collection.
- You have the right to access your personal information held by us and to challenge its accuracy and completeness.
- You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
- We collect only the personal information necessary for the identified purposes and retain it only as long as necessary.
- We protect your personal information with security safeguards appropriate to the sensitivity of the information.
- We report breaches of security safeguards involving personal information that pose a real risk of significant harm to the Office of the Privacy Commissioner of Canada (OPC) and affected individuals.
- You may file a complaint with the OPC if you believe we have violated your privacy rights under PIPEDA.
22. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our analytics services collect anonymized data for the sole purpose of improving the Service and do not make automated decisions about individual users.
If we introduce automated decision-making in the future, we will update this policy, provide meaningful information about the logic involved, and ensure you have the right to obtain human intervention.
23. Children's Privacy
Our Service is not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. In the EEA/UK, the minimum age is 16 under GDPR. In the United States, the minimum age is 13 under COPPA. In Thailand, the minimum age is 10 (with parental consent required for those under 20) under PDPA.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected]. We will take immediate steps to delete such information from our systems.
24. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR and PDPA)
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including their effects and the remedial actions taken
- Take immediate steps to contain and mitigate the impact of the breach
25. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy on this page with a new "Last updated" date
- Notify you via email or in-app notification at least 30 days before the changes take effect
- Where required by law, obtain your consent to material changes
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated policy.
26. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: [email protected]
- General inquiries: [email protected]
- Website: preea.com
We aim to respond to all privacy-related inquiries within 30 days.