Privacy Policy
Last updated: April 9, 2026
1. Introduction
1.1. Overview
This Privacy Policy explains how FOP TYKHOKHOD DMYTRO OLEKSANDROVYCH ("Duckhub", "Platform", "we", "us", "our") collects, uses, discloses, and protects your personal data when you use the Duckhub service.
1.2. Commitment
We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and United Kingdom.
1.3. Acceptance
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Data Controller
The data controller responsible for your personal data is:
FOP TYKHOKHOD DMYTRO OLEKSANDROVYCH
Email: [email protected]
For payment-related data processing, PayPro Global, Inc. acts as the Merchant of Record and an independent data controller. DuckHub does NOT store credit card data — all payment credentials are handled exclusively by PayPro Global in strict compliance with PCI-DSS security standards. See PayPro Global's Privacy Policy for details.
3. Data We Collect
3.1. Account Data (Platform Users)
When you register and use the Platform, we collect:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, communication | Contract performance |
| Password | Account security (stored encrypted) | Contract performance |
| Name (optional) | Account personalization | Consent |
| Profile picture (optional) | Account personalization | Consent |
3.2. Business Data
Information about your establishment:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Establishment name | Service provision, public menu display | Contract performance |
| Menu content | Service provision (products, prices, descriptions) | Contract performance |
| Media files | Service provision (images, logos) | Contract performance |
| Contact information | Public menu display (if you choose to display) | Consent |
| Address | Public menu display (if you choose to display) | Consent |
3.3. Integration Data
When you connect third-party services:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Telegram Chat ID | Sending notifications (waiter calls, bookings) | Consent |
3.4. Payment Data
Payment processing is handled by PayPro Global, Inc., which acts as the Merchant of Record for all DuckHub purchases. DuckHub does NOT store credit card numbers, bank account details, or full payment credentials. All such data is handled exclusively by PayPro Global in strict compliance with PCI-DSS Level 1 security standards.
PayPro Global may share with us: transaction records (amount, date, status), billing email address, country of purchase, and invoice URLs.
3.5. Technical Data
Automatically collected during Platform use:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| IP address | Security, fraud prevention, analytics | Legitimate interest |
| Browser type and version | Service optimization | Legitimate interest |
| Device information | Service optimization | Legitimate interest |
| Access timestamps | Security, troubleshooting | Legitimate interest |
| Error logs | Debugging, service improvement | Legitimate interest |
3.6. Analytics Data
We use analytics services to understand Platform usage:
- Vercel Analytics: Page views, performance metrics
- Google Analytics: Usage patterns, traffic sources (anonymized)
- Sentry: Error tracking and debugging
This data is aggregated and does not directly identify you.
3.7. Public Menu Visitors
When restaurant guests view a public menu, we collect minimal data:
- Technical cookies for functionality (language preference)
- Anonymous analytics data (page views)
We do NOT:
- Collect personal data of menu visitors for marketing
- Share visitor data with third parties for advertising
- Use tracking cookies for behavioral advertising
4. How We Use Your Data
4.1. Service Provision
- Creating and maintaining your account
- Displaying your digital menu
- Processing your requests and transactions
- Sending service-related notifications
4.2. Communication
- Responding to your inquiries
- Sending important service updates
- Notifying you of policy changes
- Sending subscription renewal reminders
4.3. Security and Fraud Prevention
- Protecting against unauthorized access
- Detecting and preventing fraudulent activity
- Investigating security incidents
4.4. Service Improvement
- Analyzing usage patterns
- Fixing bugs and errors
- Developing new features
- Optimizing performance
4.5. Legal Compliance
- Complying with applicable laws
- Responding to legal requests
- Protecting our legal rights
5. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
| Legal Basis | When Applied |
|---|---|
| Contract Performance | Processing necessary to provide our services to you |
| Legitimate Interest | Analytics, security, service improvement (balanced against your rights) |
| Consent | Optional features, marketing communications |
| Legal Obligation | When required by law |
6. Data Sharing
6.1. We Share Data With:
Service Providers (Data Processors):
| Provider | Purpose | Location |
|---|---|---|
| PayPro Global, Inc. | Payment processing, invoicing | Canada / Global |
| Vercel Inc. | Hosting, analytics | USA (with safeguards) |
| Railway | Backend hosting | USA (with safeguards) |
| Neon | Database hosting | USA (with safeguards) |
| Cloudflare | CDN, security | USA (with safeguards) |
| Resend | Transactional emails | USA (with safeguards) |
| Google (Analytics) | Usage analytics | USA (with safeguards) |
| Sentry | Error tracking | USA (with safeguards) |
| GitHub | CI/CD automation | USA (with safeguards) |
| Telegram | Notifications (when enabled) | Various |
6.2. We Do NOT:
- Sell your personal data to third parties
- Share data for third-party marketing purposes
- Provide data to data brokers
6.3. Legal Disclosure
We may disclose data when required by law or to:
- Comply with legal processes
- Protect our rights and safety
- Prevent fraud or illegal activity
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and Canada. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- The EU-US Data Privacy Framework for transfers to certified US providers
- Adequacy decisions issued by the European Commission, where applicable
PayPro Global, Inc. (our payment Merchant of Record) is headquartered in Canada, which benefits from a partial GDPR adequacy decision for commercial organizations subject to PIPEDA. PayPro Global processes payments across 200+ countries, maintains GDPR compliance and PCI-DSS Level 1 certification, and uses Standard Contractual Clauses for any cross-border data transfers where required.
8. Data Retention
8.1. Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Business data (menus) | Duration of account + 30 days after deletion |
| Payment records | 7 years (legal requirement) |
| Technical logs | 90 days |
| Analytics data | 26 months (anonymized) |
8.2. Account Deletion
When you delete your account:
- Personal data is deleted within 30 days
- Backups are purged within 90 days
- Some data may be retained if required by law
9. Your Rights (GDPR)
If you are in the EEA or UK, you have the following rights:
9.1. Right of Access
Request a copy of your personal data we hold.
9.2. Right to Rectification
Request correction of inaccurate or incomplete data.
9.3. Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data, subject to legal retention requirements.
9.4. Right to Restrict Processing
Request limitation of how we use your data.
9.5. Right to Data Portability
Receive your data in a structured, machine-readable format.
9.6. Right to Object
Object to processing based on legitimate interests, including profiling.
9.7. Right to Withdraw Consent
Withdraw consent at any time for processing based on consent.
9.8. Right to Lodge a Complaint
File a complaint with your local data protection authority.
9.9. Exercising Your Rights
To exercise any of these rights, contact us at: [email protected]. We will respond within 30 days. We may request verification of your identity before processing requests.
10. Cookies and Tracking
10.1. Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, language preference | Session / 1 year |
| Analytics | Understanding usage (anonymized) | Up to 2 years |
10.2. We Do NOT Use:
- Marketing or advertising cookies
- Third-party tracking for behavioral advertising
- Social media tracking pixels
10.3. Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may affect Platform functionality.
11. Data Security
11.1. Security Measures
We implement industry-standard security measures:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
- Regular security updates
- Access controls and authentication
- DDoS protection via Cloudflare
11.2. Incident Response
In case of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours
- Report to relevant authorities as required by law
- Take immediate steps to mitigate the breach
11.3. Your Responsibility
You are responsible for:
- Keeping your login credentials secure
- Using strong, unique passwords
- Reporting any suspected unauthorized access
12. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it promptly.
13. Third-Party Links
The Platform may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.
14. Changes to This Policy
14.1. Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
14.2. Notification
Material changes will be communicated via:
- Email notification
- Prominent notice on the Platform
14.3. Effective Date
Changes take effect on the "Last updated" date unless otherwise specified.
15. Contact Us
For privacy-related questions or to exercise your rights:
Email: [email protected]
Data Controller: FOP TYKHOKHOD DMYTRO OLEKSANDROVYCH
Payment Data (PayPro Global): For payment-related privacy inquiries, contact PayPro Global at: [email protected]
16. Additional Information for Specific Regions
16.1. European Economic Area (EEA) and United Kingdom
This Privacy Policy is designed to comply with GDPR. Our lead supervisory authority is in Ukraine, but you may contact your local data protection authority.
16.2. California Residents
California residents may have additional rights under CCPA. Contact us for more information.
By using Duckhub, you acknowledge that you have read and understood this Privacy Policy.