Privacy Policy
Last updated: 24 April 2026
1. Data controller
The data controller is MESERO LABS SL, tax ID B24873507, registered office at Avenida Alfonso el Sabio, 23 · 03004 Alicante · Spain. For privacy-related inquiries: [email protected]. General contact: [email protected].
Hereafter we refer to ourselves as "Mesero" and to you (account holder or site visitor) as "the User".
This policy covers the Mesero TPV platform (web + Blazor client), its kitchen, reservation and payment integrations, the companion mobile apps Mesero Admin, Mesero Comandas and Mesero Fichar for iPhone and Android, and the Mesero Print Agent desktop app for Windows.
2. What data we collect
We collect only the data strictly necessary to provide the service.
Account data
- Full name
- Email address
- Password (stored hashed with BCrypt — never in plain text)
- Phone number (optional)
- Restaurant name
- Internal account identifier (user ID) assigned by Mesero, used to link sessions across the web platform and the Mesero Comandas mobile apps
Restaurant operational data
- Menu, products, prices, categories
- Orders, payments and invoices
- Employee data (name, hashed PIN, working hours)
- Tables, printers and terminal configuration
Technical and usage data
- IP address, device type, browser and operating system
- Non-advertising device identifiers (e.g. Android ID for crash report correlation; we never collect the Advertising ID)
- Access date and time
- Pages visited within the service
- Technical errors and diagnostic events (via Sentry)
- Session replay snapshots (via Sentry Session Replay) — a sample of 3% of normal sessions plus 100% of sessions that encountered an error, captured to reproduce and fix defects. All text and images are masked by default before the snapshot leaves your device, so the replay shows layout and interaction patterns rather than readable content. Data is ingested in the EU (ingest.de.sentry.io)
- Product usage events and feature-flag signals (via PostHog, EU cloud eu.i.posthog.com) — pseudonymised event identifiers for actions such as opening an order, sending to kitchen, completing a payment, or attempting to print, used to detect errors, measure reliability and prioritise improvements
End-customer data of the restaurant
As processor on behalf of the restaurant, Mesero may handle end-customer data (name, email, phone) when they place QR orders, make reservations or subscribe to newsletters. This data belongs to the restaurant, which acts as controller vis-à-vis the end customer.
Mesero Print Agent (Windows desktop app)
Mesero Print Agent is a helper application installed locally on the restaurant's Windows computers to forward order tickets to connected printers (USB, network or Bluetooth). It is a technical utility that collects no personal data from the user and sends no third-party telemetry.
Distribution and publisher: Mesero Print Agent is distributed through Microsoft Store under the publisher account of Farm Fresh Food SL, tax ID B09679333, a company affiliated with MESERO LABS SL for the distribution of client software. The data controller for any personal data processed through the application remains MESERO LABS SL (tax ID B24873507), as set out in section 1 of this policy.
- What it processes: print jobs received from the Mesero server over an authenticated SignalR connection (restaurant name, order items, quantities and prices) and the destination printer name configured in the operating system.
- Local storage: diagnostic logs in %LocalAppData%\Mesero\PrintAgent\logs, rotated every 7 days. They contain only print metadata and technical errors — never end-customer identifying data.
- Network: the agent only connects to your own Mesero server. It does not contact third-party domains, and does not send telemetry, analytics or external crash reports.
- Uninstall: Windows Settings → Apps → Mesero Print Agent → Uninstall. Local logs are removed with the app.
3. Purposes of processing
- Service delivery: creating and maintaining your account, enabling use of Mesero POS, billing and support.
- Legal compliance: invoicing, electronic invoices under Spanish VeriFactu (AEAT), retention of tax records.
- Transactional communications: sending essential service emails (account verification, password reset, technical notices, invoices).
- Marketing communications: only if you have explicitly opted in at signup or later. You can unsubscribe at any time.
- Service improvement: aggregate and anonymised usage analysis to detect errors, measure performance and improve the experience.
- Security: preventing fraud, abuse and unauthorised access.
4. Legal basis
- Contract performance (Art. 6.1.b GDPR): providing the contracted service, billing and support.
- Legal obligation (Art. 6.1.c GDPR): compliance with Spanish tax, accounting and data-protection law.
- Legitimate interest (Art. 6.1.f GDPR): security, fraud prevention, aggregate usage analytics.
- Consent (Art. 6.1.a GDPR): marketing communications and non-essential cookies. Consent can be withdrawn at any time.
5. Retention periods
- Account data: while the account is active, plus the period necessary to address possible liabilities.
- Billing and tax data: minimum 6 years (Spanish tax and commercial law obligation).
- Technical and security logs: maximum 12 months, unless a longer retention is legally required.
- Marketing consent: until withdrawn or the account is deleted.
After these periods, data is securely deleted or anonymised.
6. Recipients & processors
We do not sell or transfer your personal data to third parties for commercial purposes. We share the minimum data necessary with the following processors, all subject to Article 28 GDPR agreements:
| Provider | Purpose | Location |
|---|---|---|
| OVHcloud | Server and database hosting | EU (France) |
| Stripe Payments Europe Ltd. | Card payment processing | EU (Ireland) |
| SumUp Payments Ltd. | Terminal payment processing | EU |
| Sentry (Functional Software, Inc.) | Technical error logging and session replay (3% baseline + 100% error-session sampling, with text and images masked by default) | EU (Germany, ingest.de.sentry.io) |
| PostHog (PostHog Inc.) | Product analytics, feature flags and session diagnostics (pseudonymised) | EU (eu.i.posthog.com) |
| Google (Gmail SMTP) | Transactional email delivery | International |
| Mailchimp | Marketing email delivery (only if opted in) | International |
| Spanish Tax Agency (AEAT) | VeriFactu fiscal record submission | Spain |
7. International transfers
Some providers may process data outside the European Economic Area (EEA). In those cases, we ensure transfers are carried out with appropriate safeguards under GDPR: Standard Contractual Clauses approved by the European Commission, adequacy decisions, or certifications such as the EU-US Data Privacy Framework.
8. Your rights
As a data subject, GDPR and LOPDGDD grant you the following rights:
- Access: know what data we process about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion when data is no longer necessary.
- Objection: object to processing based on legitimate interest.
- Restriction: request temporary suspension of processing.
- Portability: receive your data in a structured format and move it elsewhere.
- Consent withdrawal: revoke consent previously given.
- Not to be subject to fully automated decisions with significant legal effects.
To exercise these rights, email [email protected] with a clear description of your request and a copy of your identification document. We will respond within one month.
If you consider that the processing of your data does not comply with the regulations, you also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), Jorge Juan 6, 28001 Madrid — www.aepd.es.
9. Security measures
- HTTPS/TLS 1.2+ encryption across the entire service.
- Passwords hashed with BCrypt — we never store plain text passwords.
- Automated encrypted backups.
- Role-based access control and two-factor authentication for the internal team.
- Audit log for sensitive operations.
- Continuous staff training on data protection.
10. Children
Mesero is a professional service aimed at hospitality business owners aged 18 or older. We do not knowingly collect data from minors. If we detect that we have collected data from a minor, we will delete it immediately.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in legislation, our services or internal practices. For material changes, we will notify you with reasonable advance notice by email or via a prominent notice on the site. The date of the last update is shown at the top of this document.
Questions about this policy? Email [email protected].