Do guests need to download an app?

No. The whole ordering flow runs in the browser. Guests open the camera, scan, and the menu opens.

Which payment providers are supported?

Viva Wallet and Stripe. You choose in your dashboard settings. The guest does not see the difference.

Does TabbPay work with my existing POS?

Yes. TabbPay connects to the POS you already run, with no new hardware and no change to your kitchen workflow. We currently integrate with symPOSium and HIT POS, the systems most common in Greek hospitality, and we partner with your POS vendor during onboarding when you are on a different one. The kitchen ticket keeps printing the way it does today.

What happens after the sixty-day trial?

Your card is charged €49 a month (Basic) or €99 a month (Pro). We email you seven days before the trial ends. You can cancel from the dashboard at any point.

How is the data handled?

TabbPay does not store payment card data. Viva Wallet and Stripe handle that, both at PCI-DSS Level 1. We collect the minimum personal data we need to operate the service, under GDPR. You can request a full data export or deletion at any time by writing to privacy@tabbpay.com.

How does QR table ordering work, step by step?

Each table has a printed QR code. The guest opens their phone camera, scans it, and the menu opens instantly in the browser — no app download, no account needed. They browse, add items, and place the order. The kitchen receives it immediately. At the end of the meal the guest pays from the same screen with a card or digital wallet.

What is the transaction fee?

TabbPay charges a 0.50% platform fee per transaction. The bank interchange fee and the Viva Wallet or Stripe processing fee are separate and depend on card type. The combined cost is typically lower than a handheld POS terminal, which usually adds 1% or more on top of interchange.

Can guests split the bill between them?

Yes. Guests can split equally across the number of people at the table, or each person pays for the exact items they ordered. No calculator, no awkward cash rounding.

How long does it take to get set up?

Most venues finish onboarding in under an hour. You upload your menu, connect Viva Wallet or Stripe, and print QR codes for each table. The dashboard walks you through every step.

Privacy Policy

Version: 2.0 Effective date: 17 May 2026 Supersedes: version dated 7 May 2026

This Privacy Policy (the "Policy") describes the processing of personal data by TabbPay (the "Controller", "we", "us") in connection with: (a) the TabbPay platform offered to commercial venues ("Business Customers"); (b) the guest ordering and payment experience accessed by diners at participating venues at app.tabbpay.com ("Guests"); and (c) the TabbPay Staff application used by employees and contractors of Business Customers ("Staff"). Together these are referred to as the "Platform".

The Policy is issued in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the "GDPR"), Greek Law 4624/2019 implementing the GDPR, and Directive 2002/58/EC (the "ePrivacy Directive") as transposed by Greek Law 4727/2020.

1. Identity and Contact Details of the Controller

The Controller is TabbPay, a company established under the laws of the Hellenic Republic.

Legal entity name, registered seat, General Commercial Registry (Γ.Ε.ΜΗ.) number and VAT identification number (ΑΦΜ) are to be inserted in the published version of this Policy prior to commercial release.

For all matters concerning this Policy and the exercise of data-subject rights, the Controller may be contacted at:

Privacy or security questions: privacy@tabbpay.com
General support: support@tabbpay.com

A Data Protection Officer has not been formally designated, as the Controller is not engaged in processing activities that require designation under Article 37 GDPR. The privacy mailbox is monitored by the team responsible for compliance.

2. Scope and Roles

Processing context	Capacity of TabbPay	Capacity of the Business Customer
Business Customer account, billing and platform administration	Controller	Data subject (where applicable)
Guest ordering and payment transactions placed at a venue	Processor on behalf of the Business Customer	Controller
Staff records held within a Business Customer's organisation	Processor on behalf of the Business Customer	Controller (employer)
Platform security, fraud prevention and statutory record-keeping	Controller (Articles 6(1)(c) and 6(1)(f) GDPR)	—

Where TabbPay acts as Processor, it processes personal data only on the documented instructions of the relevant Business Customer pursuant to Article 28 GDPR. A Data Processing Agreement is concluded with each Business Customer at the point of account creation.

3. Categories of Personal Data Processed

3.1 Business Customer Account Data

Category	Examples	Source
Identification data	First name, last name	Provided by the data subject upon sign-up
Contact data	Business email, business telephone, registered address	Provided by the data subject
Authentication metadata	Clerk user identifier, organisation identifier and role	Generated by Clerk Inc. on sign-up
Tax and commercial identifiers	VAT number (ΑΦΜ), General Commercial Registry number (Γ.Ε.ΜΗ.), legal form	Provided by the data subject
Payment-account references	Stripe Connect account identifier, Viva Wallet merchant identifier, subscription identifiers, billing-period dates	Returned to the Controller by the relevant payment processor
Platform configuration	Venue, table, menu, modifier, session-mode and notification settings	Created by the data subject through the dashboard

Card numbers, card-verification codes, bank account numbers and IBANs are not stored by the Controller. Such data is held exclusively by Stripe Payments Europe Limited and/or Viva Wallet Single Member S.A. under their respective PCI-DSS Level 1 certifications.

3.2 Guest Data

The Controller deliberately minimises Guest data. The following data is collected at the point of QR-code scan or subsequent interaction with the ordering interface:

Category	Examples	Source
Session identifier	Randomly generated opaque token (e.g. `s_<uuid>`)	Generated by the Controller's server
Device identifier	Randomly generated UUID v4 stored in browser `localStorage`	Generated by the Controller's client code
Device-binding token	HMAC-signed credential persisted as an `httpOnly` cookie (`__tabbpay_dt`)	Generated by the Controller's server
IP address	IPv4 or IPv6 address of the connecting device	Transmitted by the device at the network layer
User-Agent string	Browser and operating-system identifier	Transmitted by the device at the application layer
Order content	Items, quantities, modifiers and order timestamps	Provided by the Guest
Order notes	Free-text instructions optionally entered by the Guest, which may contain dietary or allergen information	Provided by the Guest
Payment reference	Stripe or Viva Wallet transaction identifier confirming settlement	Returned to the Controller by the payment processor
Tip amount and allocation	Numeric value optionally entered by the Guest, attributed to a Staff member	Provided by the Guest
Service rating and review	One-to-five star rating and optional free-text comment	Provided by the Guest

The Controller does not collect Guest names, email addresses, telephone numbers, geolocation data or any biometric identifier. The Controller does not store payment card data at any point.

3.3 Staff Data

Category	Examples	Source
Identification data	First name, last name, display name	Provided by the Business Customer (employer)
Contact data	Email address, telephone number (optional)	Provided by the Business Customer
Employment metadata	Role, status, hire date, tip-share configuration	Provided by the Business Customer
Authentication metadata	Clerk user identifier (where applicable), one-way bcrypt-hashed device PIN	Generated by Clerk and the Controller respectively
Payout references	Stripe Connect account identifier (only if direct tip payouts are enabled)	Provided by the Staff member
Push notification credentials	Firebase Cloud Messaging (FCM) token or VAPID subscription, platform identifier, device identifier, last-seen timestamp	Generated by the device upon granting notification permission
Performance data	Orders accepted, prepared and served; tips received per shift; ratings received	Recorded by the Platform during operation

PIN values are stored as bcrypt hashes only; the plaintext PIN is never persisted.

4. Purposes of Processing and Legal Basis

The legal basis for each processing activity, by reference to Article 6(1) GDPR, is set out below.

Processing activity	Legal basis
Creating and operating a Business Customer account	Performance of contract — Article 6(1)(b)
Processing subscription payments and recurring billing	Performance of contract — Article 6(1)(b)
Issuing invoices and maintaining accounting records	Compliance with a legal obligation (Greek Law 4308/2014; Law 4174/2013) — Article 6(1)(c)
Providing customer support	Performance of contract — Article 6(1)(b)
Platform security, fraud detection and abuse prevention	Legitimate interest — Article 6(1)(f)
Operational error monitoring (Sentry) with PII disabled and key-based redaction	Legitimate interest — Article 6(1)(f)
Sending service-related communications (trial expiry, payment retry, billing notices)	Performance of contract — Article 6(1)(b)
Operating the Guest ordering and payment service at a venue	Performance of contract between the Guest and the Business Customer — Article 6(1)(b) (Controller acts as Processor)
Retaining order and payment records for tax and accounting purposes	Compliance with a legal obligation (Greek Law 4308/2014 Art. 7) — Article 6(1)(c)
Delivering push notifications to Staff devices	Consent — Article 6(1)(a) (granted via the operating system permission prompt; withdrawable at any time)
Optional analytics (Vercel Web Analytics)	Consent — Article 6(1)(a) (recorded by the cookie banner)
Optional session-replay error diagnostics (Sentry Replay)	Consent — Article 6(1)(a) (recorded by the cookie banner)

Consent for ePrivacy-regulated technologies (non-essential cookies, similar technologies, session replays) is obtained through the consent banner prior to the relevant technology being activated. The banner offers an Accept option and a Reject option of equivalent prominence; the absence of a decision is treated as a refusal.

5. Cookies, Local Storage and Similar Technologies

A complete inventory of the cookies and localStorage items used across the Platform is set out in the Cookie Policy. The principles applied are:

Strictly necessary technologies — used without consent and limited to authentication, session integrity, cross-site request forgery protection, language preference and the storage of the consent decision itself. These include the Clerk session cookie (__session) and the device-binding cookie (__tabbpay_dt).
Optional technologies — Vercel Web Analytics and Sentry session replay. These are inactive by default and only run after the user has selected Accept on the consent banner. Selecting Reject prevents the corresponding scripts from being loaded.
No advertising, behavioural-targeting or cross-site tracking technology is used.

The consent decision is recorded in localStorage under the key tabbpay_cookie_consent and is shared across the tabbpay.com family of properties. The decision may be withdrawn at any time, with the same ease as it was given, by selecting the "Cookie Preferences" link in the footer of any TabbPay surface; the banner reappears so that a fresh decision can be made.

6. Retention Periods

Personal data is retained only for as long as is necessary for the purpose for which it was collected, or for the period required by applicable Greek tax and accounting law, whichever is longer. Retention is enforced automatically by a scheduled task that runs daily at 03:00 UTC and is documented in the source code under apps/api/src/modules/data-retention/.

Data category	Retention period	Basis for the period
Business Customer account record	For the duration of the subscription, then 6 years from account closure	Article 13 of Law 4174/2013 (tax procedure) read with Law 4308/2014 Article 7 (5 years from the end of the fiscal year), plus a 1-year safety margin
Invoices, billing events and payment records (Business Customer)	6 years from the end of the fiscal year of issuance	Same as above
Guest order, payment and tip records	6 years from the order date	Same as above (records of taxable supply)
Guest session record	90 days from session opening	No legal-retention purpose beyond fraud investigation of the previous quarter
Guest device-binding token, IP address and User-Agent	90 days from creation	Fraud prevention and abuse investigation only
Guest review and rating	Retained with the associated order record	Forms part of the service record for that transaction
Staff record	For the duration of the employment relationship as configured by the Business Customer, then for as long as required by Greek employment law (typically 5 years for payroll-related entries)	Greek Labour Code; Law 4308/2014
Staff push-notification subscription	While active; once marked inactive (gateway error or unsubscribe), deleted after 30 days	Operational utility expires upon deactivation
Event log (`events_raw`) used for audit and replay	365 days	Annual review cycle
Sentry error reports	90 days	Provider's default retention; sufficient for diagnostic purposes

Where it is technically impractical to delete a single record from a backup, the backup itself is retained no longer than 30 days from creation, after which the data ceases to be processed.

7. Recipients and Sub-processors

The Controller engages the following sub-processors. Each is bound by a written Data Processing Agreement that imposes the obligations of Article 28(3) GDPR.

Sub-processor	Role	Location of processing
Clerk, Inc.	Authentication, identity and organisation management	United States (Standard Contractual Clauses)
Stripe Payments Europe Limited	Subscription billing for Business Customers; optional Guest checkout	European Union, Ireland
Viva Wallet Single Member S.A.	Recurring subscription billing for Business Customers; Guest checkout via Viva Smart Checkout	European Union, Greece
Amazon Web Services EMEA SARL	Application hosting, database storage (RDS), object storage (S3) and content delivery (CloudFront)	European Union, Frankfurt (eu-central-1)
Vercel Inc.	Hosting of the landing and consumer-facing Next.js applications	European Union (Frankfurt) with US fallback for the platform layer (Standard Contractual Clauses)
Functional Software, Inc. d/b/a Sentry	Application error monitoring with PII disabled by SDK configuration and key-based redaction applied via `beforeSend`	United States (Standard Contractual Clauses)
Google Ireland Limited (Firebase Cloud Messaging)	Delivery of push notifications to Staff devices	European Union and global (Standard Contractual Clauses)
Resend Labs, Inc.	Delivery of transactional and operational email (trial reminders, billing notices, dunning correspondence)	United States (Standard Contractual Clauses)
Web3Forms (Profile Software)	Receipt of contact-form submissions from the public-facing site only	European Union (Bulgaria)
symPOSium / HIT POS providers	Forwarding of order content to the venue's point-of-sale system, where the Business Customer has enabled integration	European Union

Personal data is not sold to third parties. Personal data is not used for advertising or behavioural profiling. Personal data is disclosed to public authorities only where the Controller is required to do so by a binding legal instrument (for example a court order or a request from the Hellenic Data Protection Authority).

8. International Data Transfers

Personal data is primarily processed within the European Economic Area. Where a sub-processor's processing occurs in a third country, the transfer is supported by one of the safeguards listed in Article 46 GDPR — in particular, the European Commission's Standard Contractual Clauses (Decision 2021/914). The Controller assesses the equivalence of the destination jurisdiction's data-protection regime prior to engagement, applies supplementary measures where appropriate, and re-assesses the position upon any material change of circumstance.

9. Security

The Controller implements the following technical and organisational measures:

Transport-layer encryption (TLS 1.2 or higher) for all data in transit.
At-rest encryption of databases and object storage hosted on Amazon Web Services.
Role-based access control with least-privilege defaults; production access is logged.
One-way bcrypt hashing of all Staff device PINs; plaintext PINs are never persisted.
HMAC-signed device-binding tokens, allowing per-device revocation by Business Customer Staff.
Sentry error monitoring configured with sendDefaultPii: false and a beforeSend redaction hook that removes known sensitive keys (email addresses, telephone numbers, names, authorisation tokens, payment-account references, tax identifiers, PINs and card-related fields) from error payloads.
Daily automated retention sweeps as specified in Section 6.
Quarterly review of sub-processors and access privileges.

Vulnerabilities may be reported to privacy@tabbpay.com. The Controller commits to acknowledging coordinated-disclosure reports within 5 business days.

10. Data-Subject Rights

Data subjects whose personal data is processed by the Controller are entitled to exercise the following rights under the GDPR:

Right	Reference
Right of access	Article 15
Right to rectification	Article 16
Right to erasure	Article 17
Right to restriction of processing	Article 18
Right to data portability	Article 20
Right to object	Article 21
Right to withdraw consent (where processing is based on consent)	Article 7(3)
Right not to be subject to automated decision-making	Article 22 (the Platform does not engage in automated decision-making within the meaning of Article 22)

Requests may be submitted to privacy@tabbpay.com. The Controller will respond within one month from receipt of the request (Article 12(3) GDPR), extendable by two further months where the request is complex or numerous. Verification of identity may be required prior to disclosure of personal data.

Guests who have not provided identifying data may be required to supply the session identifier or, in its absence, the approximate date, venue and table associated with the visit, in order to enable the Controller to locate the relevant records.

Staff requesting access, correction or erasure of personal data held by their employer are directed in the first instance to that employer, which is the Controller of that data. The Controller will action such requests upon the Business Customer's instruction in accordance with the applicable Data Processing Agreement.

11. Right to Lodge a Complaint

A data subject who considers that the Controller has processed their personal data in contravention of the GDPR has the right to lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα):

Address: Kifissias Avenue 1-3, 11523 Athens, Greece
Telephone: +30 210 6475600
Web: https://www.dpa.gr

Data subjects resident in another EEA Member State may also lodge a complaint with the supervisory authority of their place of habitual residence.

12. Changes to this Policy

The Controller will notify Business Customers by email at least 14 days in advance of any material change to this Policy. Non-material changes (for example a change of contact address, a clarification or a change in formatting) take effect on publication. The version number and effective date appearing at the top of this Policy reflect the version currently in force.

13. Contact

Subject	Address
Privacy or security questions, including the exercise of data-subject rights	privacy@tabbpay.com
Subscription billing and general support	support@tabbpay.com
Postal correspondence	To be inserted in the published version of this Policy prior to commercial release.