Adisora Business — Privacy Policy

Last updated: April 27, 2026

1. Who we are

Adisora Business is a business-to-business (B2B) mobile operations app for restaurant owners and their staff to run menu, table, and order workflows. It is not a consumer product — you do not sign up with a personal email or phone number; your restaurant employer creates a work-issued account and provides your credentials.

The app is published and operated by DebuggerTR Consulting SIA (Latvia). This policy applies solely to the Adisora Business application.

No in-app sales or purchases. Adisora Business does not sell, distribute, or provide access to any digital content, services, or subscriptions. The app does not process payments, in-app purchases (IAP), or any transactions. It is staff-only operations tooling — not a consumer commerce application. Full scope: /business#scope.

Contact: info@debuggertr.com

2. Controller / processor split (B2B)

Adisora Business runs in a two-layer privacy model:

  • Your restaurant employer is the data controller for your staff account (email, display name, app activity, audit logs). They sign a Data Processing Agreement (DPA) with DebuggerTR that governs how we handle this data on their behalf.
  • DebuggerTR is data controller only for: (i) the contracting natural person's contact info, and (ii) crash diagnostics collected by our tooling.

To exercise data subject rights for your work-issued account, contact your restaurant employer first.

3. Data we collect

  • Account: work-issued email, display name, Firebase user id (uid), assigned role (owner, manager, staff, kitchen).
  • Authentication metadata: sign-in timestamps, device platform (iOS/Android), IP address (for security), failed-login counters.
  • Business data: restaurants, branches, menu categories, items (name, description, price, allergens), tables, orders, line notes, comp/discount actions, receipts.
  • Media (optional): photos you upload for menu items (Firebase Storage).
  • Diagnostics: crash logs, performance traces (when enabled).
  • Contracting-party info: restaurant business name, registration number, billing address, contact person name and signature.

4. What we do NOT collect

  • Personal emails, phone numbers, or home addresses of restaurant staff.
  • Customer (diner) personal data.
  • Payment card, bank account, or any payment instrument data.
  • Special-category data under GDPR Art. 9 (health, biometric, religious, political).
  • Location (GPS), advertising IDs (IDFA/GAID), contacts, calendar, microphone, messages.
  • Behavioural analytics or cross-app tracking.

5. Camera and gallery permissions

The CAMERA and photo-library permissions are used only at the moment you choose to attach a photo to a menu item. Uploaded photos are stored in Firebase Storage and belong to your business. No background capture or monitoring takes place.

6. Purpose and lawful basis

| Purpose | Lawful basis |
| --- | --- |
| Operating Adisora Business under your restaurant's contract | Performance of contract — GDPR 6(1)(b) |
| Authentication & account security | Legitimate interest — GDPR 6(1)(f) |
| Audit logs (who did what) | Legitimate interest — operational integrity |
| Crash diagnostics | Legitimate interest — service stability |
| Invoicing the restaurant | Legal obligation — GDPR 6(1)(c) |

We do not process data for advertising, behavioural profiling, automated decision-making with legal effects, or sale.

7. Where data is stored

Production data is hosted on Google Firebase in the europe-west1 (Belgium, EU) region. Google acts as a processor / sub-processor under GDPR Art. 28; Google's Data Processing and Security Terms are signed.

8. International transfers

For EU/EEA users: no transfer outside the EU/EEA happens during normal operation.

For Turkish users: data temporarily transits Google's globally distributed network. The cross-border transfer relies on KVKK Article 9 explicit consent obtained during onboarding combined with Google's Standard Contractual Clauses.

9. Retention

| Data | Period |
| --- | --- |
| Active account (email, display name, uid) | While the restaurant's contract is active |
| After contract termination | Soft-delete within 30 days + hard-delete after a further 60 days |
| Audit logs | 90-day rolling window |
| Order receipts (financial records) | 7 years — Latvian Accounting Law / Turkish Tax Procedure Law |
| Crash diagnostics | 90 days |
| Menu / category / table content | While the restaurant's contract is active |

10. Third-party sharing

We do not sell, rent, or share your data with advertisers or data brokers. Google Firebase is the only sub-processor. We disclose data to authorities only where strictly required by law (court order, etc.).

11. Security

  • TLS 1.2+ encryption in transit.
  • Google-managed encryption at rest.
  • Firestore tenant-isolation rules — each restaurant only reads/writes its own documents.
  • Cloud Function server-side validation (client SDK cannot bypass).
  • Firebase App Check anti-abuse protection.
  • Audit trail with userId + timestamp on every mutating action.
  • Mandatory first-login password change + 10-character minimum policy.

12. Your rights

  • Access to your personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Objection to processing based on legitimate interest
  • Data portability — JSON export
  • Lodge a complaint with your supervisory authority — Latvia: Datu valsts inspekcija · Turkey: KVKK

Send requests for your work-issued account to your restaurant employer first (we support them within 5 business days). For data DebuggerTR controls directly: info@debuggertr.com — answered within 30 days.

13. Children

Adisora Business is a B2B operations tool for adult restaurant operators and staff. We do not knowingly process personal data of anyone under 18 years.

14. Cookies and tracking

The mobile application does not use cookies, web beacons, advertising SDKs, behavioural analytics, or cross-app tracking.

15. Changes to this policy

When we update this policy, the "Last updated" date at the top is renewed. Material changes (new data categories, new sub-processors, new purposes) are communicated to the contracting restaurant owner by email at least 14 days before they take effect.