Privacy Policy (B2B) – ProstHub

This Privacy Policy describes how ProstHub processes personal data when providing our B2B platform for digital QR menus, TV signage and AI-assisted content.

1. Controller and Contact

Controller:
Bilal Saglam
Freelancer Softwareentwickler — ProstHub
Kohlenstraße 105, 34121 Kassel, Germany
Email: info@prosthub.com

2. Scope of Processing

This Policy applies to users of our B2B Service (e.g., venue admins). Guests who view a public QR menu generally do not need to provide personal data.

3. Categories of Data

Account and business contact data (name, email).
Content you provide (menu items, photos, logos, captions); this is typically business data.
Billing data processed by Stripe (see Stripe’s privacy notices).
Technical data: server logs (IP address, timestamps, user agent) for security and diagnostics.
AI inputs/outputs you submit for generating tasting notes, captions and images.

4. Purposes and Legal Bases

Contract performance (Art. 6(1)(b) GDPR): account creation, hosting menus, signage, AI text/images.
Legitimate interests (Art. 6(1)(f) GDPR): service security, abuse prevention, product improvement.
Legal obligations (Art. 6(1)(c) GDPR): invoicing, tax and compliance requirements.
Consent (Art. 6(1)(a) GDPR): only where we ask for it (e.g., non-essential cookies, marketing).

5. Processors and Transfers

Hosting on Google Cloud (EU regions where feasible).
Payments via Stripe.
Additional sub‑processors may be used to provide features; a current list is available on request.
We do not sell personal data.

6. Storage Period (Retention)

We store account and venue content for the life of the subscription.
Backups/logs are retained for limited periods needed for security and operations.
After termination, upon request and where feasible, a data export of menu data can be provided within 30 days; thereafter, data may be deleted or anonymised unless legal retention applies.

7. Your Rights (GDPR)

Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
You also have the right to lodge a complaint with a supervisory authority (in Germany, e.g., HBDI Hessen).
As our Service targets B2B customers, these rights primarily concern natural persons whose data may be processed (e.g., admin users).

8. Security

We use technical and organisational measures appropriate to the risk, including least‑privilege access, encryption in transit, and regular updates.

9. Cookies and Analytics

MVP: we use only essential cookies required for authentication/session where applicable.
No marketing/advertising cookies are used by default. If we add non‑essential cookies or analytics, we will request consent where required.

10. Changes to this Policy

We may update this Policy to reflect changes to our processing. Significant changes will be notified via email or in‑app notice.

11. Contact

For requests regarding this Policy or a DPA (Data Processing Agreement) for B2B customers, contact:
Bilal Saglam
Freelancer Softwareentwickler — ProstHub
Kohlenstraße 105, 34121 Kassel, Germany
Email: info@prosthub.com

3. Categories of Data

Account and business contact data (name, email).

Content you provide (menu items, photos, logos, captions); this is typically business data.

Billing data processed by Stripe (see Stripe’s privacy notices).

Technical data: server logs (IP address, timestamps, user agent) for security and diagnostics.

AI inputs/outputs you submit for generating tasting notes, captions and images.

4. Purposes and Legal Bases

Contract performance (Art. 6(1)(b) GDPR): account creation, hosting menus, signage, AI text/images.

Legitimate interests (Art. 6(1)(f) GDPR): service security, abuse prevention, product improvement.

Legal obligations (Art. 6(1)(c) GDPR): invoicing, tax and compliance requirements.

Consent (Art. 6(1)(a) GDPR): only where we ask for it (e.g., non-essential cookies, marketing).

6. Storage Period (Retention)

We store account and venue content for the life of the subscription.

Backups/logs are retained for limited periods needed for security and operations.

After termination, upon request and where feasible, a data export of menu data can be provided within 30 days; thereafter, data may be deleted or anonymised unless legal retention applies.

7. Your Rights (GDPR)

Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).

You also have the right to lodge a complaint with a supervisory authority (in Germany, e.g., HBDI Hessen).

As our Service targets B2B customers, these rights primarily concern natural persons whose data may be processed (e.g., admin users).