Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller for personal data is:
SAS Tenga Labs (Qarte)
60 rue François 1er, 75008 Paris, France
Phone: +33 6 07 44 74 20
Email: contact@getqarte.com
2. Data We Collect
In the course of providing the Service, we collect the following categories of data:
Merchant data (Service users):
- Email address and password (authentication)
- Business name, type of activity, address, phone number
- Logo and visual customization (colors)
- Social media links and booking link
- Billing data (processed by Stripe, not stored by Qarte)
End-customer data (merchants' customers):
- First name and last name
- Phone number (international format)
- Birthday (day and month only, optional)
- Visit history and loyalty stamps
- Referral code
- Discount vouchers and rewards
Technical data:
- IP address (hashed, used for fraud detection via Qarte Shield)
- Browsing data (pages visited, session duration)
- Device information (type, browser, operating system)
3. Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provision of the Service (account, loyalty, stamps, rewards) | Performance of contract (Art. 6.1.b) |
| Billing and payment | Performance of contract (Art. 6.1.b) |
| Retention of invoices and accounting data | Legal obligation (Art. 6.1.c) |
| Fraud prevention (Qarte Shield) | Legitimate interest (Art. 6.1.f) |
| Service improvement and aggregated statistics | Legitimate interest (Art. 6.1.f) |
| Transactional emails (welcome, reminders, billing) | Performance of contract (Art. 6.1.b) |
| Push notifications | Consent (Art. 6.1.a) |
| Audience measurement and behavioral analytics | Consent (Art. 6.1.a) |
| Targeted advertising (Facebook Pixel, TikTok Pixel) | Consent (Art. 6.1.a) |
4. Sub-processors and Data Recipients
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting | EU (Frankfurt) | DPA + SCC |
| Vercel Inc. | Web application hosting | USA / EU | DPA + EU-US DPF |
| Stripe Inc. | Payment processing | Ireland / USA | DPA + EU-US DPF |
| Resend Inc. | Transactional email delivery | USA | DPA + SCC |
| Google LLC | Audience measurement (GA4, GTM) | USA | EU-US DPF + SCC |
| Meta Platforms Inc. | Advertising and conversion measurement | USA | EU-US DPF + SCC |
| Microsoft Corp. | Behavioral analytics (Clarity) | USA | EU-US DPF + SCC |
| TikTok Inc. (ByteDance) | Advertising and conversion measurement (TikTok Pixel) | USA / Singapore | SCC |
DPA = Data Processing Agreement | SCC = Standard Contractual Clauses | EU-US DPF = EU-US Data Privacy Framework
5. International Data Transfers
Some of our sub-processors are located in the United States. These transfers are governed by:
- The EU-US Data Privacy Framework (EU-US DPF), where the sub-processor is certified
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision 2021/914)
- Supplementary technical measures (encryption in transit and at rest, pseudonymization)
You may obtain a copy of the Standard Contractual Clauses by contacting us at contact@getqarte.com.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Merchant account data | Duration of contract + 3 years (civil statute of limitations) |
| Loyalty customer data | Duration of contract + 3 years |
| Billing data | 10 years (legal accounting obligation) |
| Connection logs | 12 months (French LCEN obligation) |
| Referral data | Duration of contract + 3 years |
| Audience measurement cookies | 13 months maximum (CNIL recommendation) |
| Prospecting data | 3 years after last contact |
Upon expiration of these periods, data is permanently deleted or irreversibly anonymized.
8. Your Rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (loi Informatique et Libertés), you have the following rights:
- Right of access -- obtain confirmation that your data is being processed and receive a copy
- Right to rectification -- correct inaccurate or incomplete data
- Right to erasure -- request deletion of your data, subject to legal retention obligations
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to the processing of your data on legitimate grounds
- Right to restriction -- request suspension of the processing of your data
- Right to withdraw consent -- at any time, for processing based on consent
To exercise your rights, contact us at contact@getqarte.com. We will respond within one (1) month of receiving your request.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- SSL/TLS encryption for all communications
- Secure authentication with password hashing
- Row Level Security (RLS) policies on the database
- Hashed IP addresses (not stored in plain text)
- Restricted data access following the principle of least privilege
10. Complaint with the CNIL
If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority:
CNIL -- 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
www.cnil.fr
11. Changes
We reserve the right to modify this privacy policy at any time. In the event of a substantial change, we will notify users by email or through the Service. The date of the last update is indicated at the top of this page.
12. Contact
For any questions regarding the protection of your personal data or to exercise your rights, contact us at: contact@getqarte.com