Legal

Privacy Policy

Last updated: May 2026

1. Data Controller

The data controller for the Enefsis platform is:

Multimedia Agentur, Georgios Niokos

Trading as Enefsis

Schnirchgasse 2/17, 1030 Wien, Austria

ATU: ATU78295916

Email: support@enefsis.com

For any privacy-related enquiries, please contact us at support@enefsis.com.

2. Data We Collect

We collect different categories of personal data depending on whether you are a registered business client or a guest visiting a client's NFC-powered page.

Business Clients

When you create an Enefsis account and manage your digital presence through our dashboard, we collect:

  • Full name and email address
  • Business name, city, and restaurant type
  • Payment information (processed by Stripe — we do not store raw card data)
  • Menu content, opening hours, and other page configuration you provide
  • Account activity logs (page saves, logins)

Guests (NFC landing page visitors)

Analytics data is collected only with your explicit consent. If you decline the cookie consent banner, no tracking data is stored. If you accept, we collect:

  • Anonymous visitor ID (randomly generated, stored in your browser only)
  • Device type (mobile or desktop)
  • Tap / page-view events with timestamp
  • Table number (if present in the NFC link)
  • Button clicks (e.g. Google Review, Instagram, Call Waiter)
  • Menu item views
  • Browser language preference
  • Country derived from IP address (IP is not stored)

3. Legal Basis for Processing

Business client data (account, billing)Art. 6(1)(b) GDPR — performance of a contract
Guest analytics (with consent)Art. 6(1)(a) GDPR — freely given, specific consent via cookie banner
Security logs, fraud preventionArt. 6(1)(f) GDPR — legitimate interests of the controller
Invoice and billing recordsArt. 6(1)(c) GDPR — compliance with Austrian legal retention obligations

4. Data Retention

Client account & page dataDuration of contract + 3 years after termination
Guest analytics events24 months from date of collection
Invoices and billing records7 years (§ 132 BAO — Austrian Federal Fiscal Code)
Activity logs12 months

You may request deletion of your data at any time by contacting support@enefsis.com, unless retention is required by law.

5. Third-Party Processors

We share data with the following sub-processors solely to operate the service. All processors are bound by Data Processing Agreements. Transfers to the United States are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

ProcessorPurposeLocation
StripePayment processing and subscription managementUSA — SCCs
SupabaseDatabase and file storageEU (Frankfurt, Germany)
VercelApplication hosting and edge deliveryUSA — SCCs
ResendTransactional email (account notifications)USA — SCCs
DeepLOn-demand menu translationGermany (EU)
GoogleReview ratings sync via Places APIUSA — SCCs

6. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation you have the following rights:

  • Right of access (Art. 15) — obtain a copy of all personal data we hold about you
  • Right to rectification (Art. 16) — have inaccurate or incomplete data corrected without undue delay
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten") where no legal obligation requires us to retain it
  • Right to restriction of processing (Art. 18) — ask us to suspend processing of your data in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and transfer it to another controller
  • Right to object (Art. 21) — object at any time to processing based on legitimate interests; we will cease unless we can demonstrate compelling legitimate grounds
  • Right to withdraw consent (Art. 7(3)) — withdraw any previously given consent at any time; withdrawal does not affect the lawfulness of prior processing

To exercise any of these rights, email us at support@enefsis.com. We will respond within 30 days of receipt.

You also have the right to lodge a complaint with the Austrian supervisory authority:

Datenschutzbehörde (DSB)

Barichgasse 40–42, 1030 Vienna, Austria

www.dsb.gv.at

7. Cookies and Local Storage

Enefsis uses browser localStorage rather than traditional HTTP cookies. The table below explains what is stored and why.

CategoryWhat is storedConsent required?
EssentialAuthentication session tokens managed by Supabase (httpOnly cookies set by the server). Required for the dashboard to function.No — necessary for the service
AnalyticsAnonymous visitor ID, device type, tap events, button clicks, menu item views, language, and country. Stored only on NFC landing pages.Yes — only set after you accept the consent banner
AdvertisingNone.N/A — we do not use advertising or cross-site tracking

The following localStorage keys are used on NFC landing pages:

  • enefsis_cookie_consent — records your consent choice (accepted or declined)
  • enefsis_visitor_id — randomly generated anonymous ID for session analytics (written only after consent is accepted)
  • enefsis_lang — your selected display language

Withdrawing consent: clear your browser's site data for the relevant domain (Settings → Privacy → Clear browsing data, or equivalent). This removes all stored keys and resets consent — the banner will reappear on your next visit.

8. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes are posted constitutes acceptance of the updated policy. For material changes, we will notify registered clients by email.

© 2026 Enefsis — Multimedia Agentur, Georgios Niokos, Vienna, Austria