Finroa

Privacy Policy

Effective date: January 14, 2025

1) Who we are & scope

This Privacy Policy explains how Finroa (“Finroa”, “we”, “us”, “our”) collects, uses, shares, and protects personal information related to:

Restaurants/Customers using our software-as-a-service (the “Service”) and purchasing NFC keychains (the “Hardware”), and
Restaurant guests whose email addresses are captured at the table for follow-up marketing operated by Finroa on behalf of the restaurant.

This Policy applies to our website, app, and related services.

B2B only: Finroa is intended for business use by restaurants.

2) Roles & responsibilities

For restaurant account/billing/website data, Finroa is the controller.
For guest data (emails/names captured at the table and marketing sent to those guests), the restaurant is the controller, and Finroa acts as the processor/service provider on the restaurant’s behalf.

A Data Processing Addendum (DPA) is available upon request.

3) Information we collect

3.1 Restaurants (customers)

Identity & business: first name, last name, phone number, email address, business name, business address, website (if any).
Location & listing: Google Business Profile URL and Google Place ID.
Account & usage: login credentials, role/permissions, settings, support tickets, activity logs, device/browser info (standard HTTP logs).
Billing: payment method and billing details processed by Stripe (we do not store full card numbers); invoice records, plan, transaction metadata.

3.2 Restaurant guests (end-customers)

Captured at table: first name, email address; phone number (optional) if the restaurant enables SMS.
Engagement: email opens/clicks, offer redemptions via QR codes, visit/validation timestamps, amount paid (entered by cashier at redemption) to measure campaign ROI.

3.3 Automatically collected (site/app)

Server logs (IP address, timestamps, user agent, pages viewed).
Cookies and similar technologies (see section 8).

We do not intentionally collect sensitive personal information.

4) Sources of information

Directly from restaurants (signup, onboarding, dashboard).
Directly from guests (Finroa capture page after NFC/QR tap).
Stripe (billing events/metadata).

Standard HTTP logs and cookies when using our site/app.

5) How we use information (purposes)

5.1 For restaurants (controller = Finroa)

Provide, secure, and improve the Service and Hardware.
Account management, authentication, support.
Billing, payments, fraud prevention (via Stripe).
Service communications (onboarding, updates, incidents).
Legal compliance and enforcement of Terms.

5.2 For guests (controller = Restaurant; Finroa = processor)

Capture email (and optional phone) at the table.
Send automated follow-up email marketing and reminders with restaurant offers.
Generate QR codes for in-store validation; log redemptions and revenue.
Analytics for the restaurant’s dashboard (reviews captured, list growth, opens/clicks, repeat visits, revenue attribution).
List hygiene and deliverability protection (see section 6).

We do not use guest data for our own independent marketing.

6) Email sending, deliverability & list hygiene

Finroa operates the sending infrastructure (authentication, throttling, warm-up, cadence defaults) to protect inbox placement.
We may limit, throttle, delay, pause, or suppress sending to maintain deliverability.
To protect sender reputation, Finroa may automatically suppress or remove contacts who have not opened emails for a defined period (e.g., several weeks/months), as well as hard bounces, repeated soft bounces, and spam-complaint addresses.
All emails include identification and one-click unsubscribe.

Restaurants are responsible for the content and legality of offers and for obtaining any required guest consent (see section 10).

7) Sharing & disclosures

We do not sell personal information.

We share information only with:

Payment processor: Stripe (billing and payments).
Infrastructure/hosting and security providers (to run the Service).
Professional advisors (legal/accounting) as needed.
Law enforcement or regulators when required by law, or to protect our rights, users, or the Service.
Corporate transactions (merger, acquisition, asset sale), subject to continuity of safeguards.

Sub-processors used by Finroa for hosting or security are bound by appropriate contractual protections.

8) Cookies & tracking

We use cookies and similar technologies to operate and secure the Service, keep users logged in, and measure basic usage.

No cookie banner is currently presented. You can control cookies via your browser settings (blocking, deleting).
If we later use advertising/retargeting cookies, we will update this Policy and provide appropriate choices.

9) Data retention

Restaurant account/billing/usage data: retained for as long as your account is active and for as long as we operate the Service, and thereafter as needed to comply with law, resolve disputes, and enforce agreements.
Guest data (emails, engagement, redemptions): retained for as long as the restaurant’s account is active and for as long as we operate the Service, subject to automatic suppression (§6) and deletion requests where applicable.

Upon account closure, we will delete or de-identify data within a reasonable time unless retention is required by law or legitimate business needs.

10) Lawful marketing & consent (US)

Email (CAN-SPAM): all marketing emails include restaurant business information and an unsubscribe link; opt-out is honored.
SMS (if enabled): requires express opt-in; messages include STOP/HELP instructions; quiet-hours and frequency limits apply (TCPA/CTIA).

Restaurant obligations: restaurants must provide any legally required notice and obtain any required consent from guests before marketing to them. Finroa provides the capture page and the sending engine.

11) Security

We implement reasonable administrative, technical, and organizational safeguards, including TLS encryption in transit, role-based access, audit logging, tokenized links, and access controls. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

12) International data transfers

We may process and store information in countries other than where you live. By using the Service, you understand that your information may be transferred to and processed in such jurisdictions. We take steps to ensure an adequate level of protection consistent with this Policy.

13) Your choices & rights

13.1 Restaurant users (account holders)

Access, correct, or delete account information via the dashboard or at contact@finroa.com.
Export guest lists and campaign data (CSV).

Manage unsubscribes (automatic).

13.2 Guests (restaurant patrons)

Unsubscribe from marketing emails at any time (link in footer).

Request access or deletion from the restaurant (controller). Finroa will support the restaurant in responding. Guests may also contact contact@finroa.com and we will route the request to the restaurant.

13.3 California residents (CPRA)

If you reside in California, you may have rights to know/access, correct, delete, and limit use/disclosure of certain information. We do not sell personal information. If we “share” personal information for cross-context behavioral advertising in the future (e.g., ad cookies), we will provide a “Your Privacy Choices” link.
Submit CPRA requests to contact@finroa.com.

We will not discriminate against you for exercising your privacy rights.

14) Children’s privacy

The Service is not directed to children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided information, contact us to delete it.

15) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you (e.g., email or in-app). Your continued use of the Service after the effective date means you accept the updated Policy.

16) Contact & company information

Finroa — French sole proprietorship (SIRET 91303324700028)
Email: contact@finroa.com (we aim to respond within 1 business day)

Annex A — CPRA “Notice at Collection” (summary)

Category (CPRA)	Examples	Purpose	Disclosed to
Identifiers	Name, email, phone (opt.), business name/address, Place ID; guest first name/email/phone (opt.)	Account setup, service delivery, guest marketing on behalf of restaurant, support	Stripe (billing), hosting/security providers
Commercial info	Plan, invoices, transactions; offer redemptions, amounts paid at redemption	Billing, fraud prevention; ROI tracking for the restaurant	Stripe; hosting/security
Internet activity	Device/browser, IP, log data, basic cookies	Security, session management, service analytics	Hosting/security
Inferences	Engagement segments (e.g., inactive 60 days)	Send relevant follow-ups on behalf of the restaurant	Not sold; processors only

Retention: As described in §9 (for as long as the account is active and as long as we operate the Service, subject to legal requirements and suppression of inactives).
Sale/share: We do not sell personal information. If we begin “sharing” for cross-context advertising, we will provide a “Your Privacy Choices” link.

Translate »