Privacy Policy – EasyQ
Last updated: May 2025
1. Data Controller
For Business Users of the EasyQ platform:
Francesco Pugliese
Rome, Italy
Email: info@easyq-app.com
For personal data of end customers (queue participants), the Data Controller is the Business User. EasyQ acts as a Data Processor on behalf of the Business User, under the terms of the Data Processing Agreement.
2. Types of Data Collected
Business Users
- Name, email address, phone number
- Business name and address
- Login credentials
- Billing information (processed by Stripe; card details never stored by EasyQ)
- IP address and browser/device information (collected automatically)
- Usage and navigation data (pages visited, features used, session duration)
End Customers (Queue Participants)
- WhatsApp display name
- Phone number
- Queue-related data (registration time, party size, wait time, exit reason)
Analytics and Performance Data (all users)
EasyQ uses third-party analytics tools that automatically collect:
- IP address (anonymized or truncated where possible)
- Browser type, operating system, device type
- Pages visited, time on page, referral source
- User interactions (button clicks, form submissions, conversion events)
- Session recordings of on-screen activity (mouse movements, scrolls, clicks) via Microsoft Clarity
Where a Business User is logged in, EasyQ may pass a pseudonymous user identifier to Microsoft Clarity to link sessions to a single account. No name or email is transmitted.
3. Purpose and Legal Basis of Processing
Business Users
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract — Art. 6(1)(b) GDPR |
| Service delivery and payments | Contract — Art. 6(1)(b) GDPR |
| Platform analytics and improvement | Legitimate interest — Art. 6(1)(f) GDPR |
| Marketing analytics (GA4, TikTok Pixel) | Consent — Art. 6(1)(a) GDPR |
| Legal compliance | Legal obligation — Art. 6(1)(c) GDPR |
End Customers
Personal data is processed by EasyQ on behalf of Business Users for queue management and sending service notifications via WhatsApp. Legal basis: contractual necessity between the end customer and the Business User.
4. Data Retention
- Business account data → retained until account deletion
- Inactive accounts → deleted after 24 months of inactivity
- Queue/customer data → deleted within 90 days of queue completion
- Upon account deletion, all associated data is purged within 30 days
5. Data Sharing and Sub-Processors
| Provider | Service | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting | USA | SCCs |
| Supabase Inc. | Database | USA | SCCs |
| Resend Inc. | Transactional email | USA | SCCs |
| Meta Platforms (WhatsApp) | Customer notifications | USA / Global | SCCs |
| Stripe Inc. | Payment processing | USA | SCCs |
| Google LLC | Analytics (GA4) | USA | SCCs |
| Microsoft Corporation | Analytics & session recording (Clarity) | Ireland / USA | SCCs |
| TikTok Inc. / ByteDance | Marketing analytics | USA | SCCs + TIA |
WhatsApp messages sent to end customers are delivered through Meta's infrastructure. Meta processes those messages under its own terms of service and privacy policy as an independent controller for the messaging infrastructure.
6. International Data Transfers
Where personal data is transferred outside the EEA, appropriate safeguards are implemented including Standard Contractual Clauses (SCCs) per Art. 46 GDPR. For transfers to TikTok Inc. and ByteDance, a Transfer Impact Assessment (TIA) has been conducted and is available on request at info@easyq-app.com.
7. Security Measures
- HTTPS encryption in transit
- Encryption at rest for database storage
- Secure authentication with hashed credentials
- Role-based access controls
- Infrastructure-level protections via Vercel and Supabase
8. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict or object to processing
- Data portability in a structured, machine-readable format
- Withdraw consent at any time, without affecting the lawfulness of prior processing
- Not be subject to automated individual decision-making (Art. 22 GDPR)
Send requests to info@easyq-app.com. We will respond within 30 days. You may also lodge a complaint with the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali.
9. Updates to This Policy
This policy may be updated from time to time. Significant changes will be communicated through the platform with at least 15 days' advance notice.