When you create an account on Access.al or use our services, we collect data you provide directly: email, full name, phone number (optional), business name, and business address. These are necessary for account operation and service delivery.
Payment data (card number, CVV, expiry date) is processed exclusively by Stripe Inc. and is NEVER stored on our servers. We only receive a token reference (stripe_customer_id) that lets us link billing to your account.
When you use the platform, our system automatically records: IP address, browser identifier (user-agent), login/logout timestamps, and key actions in the audit log (order creation, settings changes, etc.). These exist for security and service continuity reasons.
Cookies and similar technologies (localStorage) are used as described in Section 5.
Your personal data is used to: (a) manage your account — creation, login, business switching for owners of multiple businesses; (b) deliver the service — process orders, billing, generate fiscal receipts; (c) transactional communication — send confirmation emails, OTP for verification, account deletion notices.
Your data is also used for: (d) security — fraud detection, account protection, monitoring suspicious attempts; (e) legal compliance — retention of invoices and fiscal records per Albanian Law no. 9920/2008 on tax procedures.
Service improvement (usage statistics) happens ONLY if you have given explicit consent via the cookie banner (Analytics category). Without consent, no non-essential analytics are executed.
Processing of your data is based on one or more of these legal bases:
(b) Contract — for account management and delivering the service you requested.
(c) Legal obligation — for retention of invoices and fiscal records for 10 years per Albanian Law no. 9920/2008.
(f) Legitimate interest — for platform security, fraud detection, and service stability (audit log, monitoring).
(a) Consent — for analytics and marketing cookies (optional, controlled via banner). Consent can be withdrawn at any time.
We use the following providers as "data processors" to support our service. Contracts with each include GDPR-compliant Data Processing Agreements (DPA):
• Stripe Inc. (United States): payment processing. International transfer under EU Standard Contractual Clauses (SCC).
• DeepL SE (Germany, EU): API for automatic menu translations. EU adequacy decision.
• Hostinger International Ltd. (Cyprus, EU): infrastructure hosting (servers + database + storage). EU adequacy decision.
• Google LLC (United States): optional OAuth login. Transfer under SCC.
• Telegram FZ-LLC (Ireland/UAE): optional operator notifications. Used ONLY if manually enabled.
WE DO NOT SELL, RENT, or SHARE personal data with third parties for external marketing purposes. No data brokers, no external advertisers.
Cookies are scoped by the page you are visiting. Public pages (QR menu, checkout) use ONLY essential cookies (session, CSRF, cart) — no consent legally required (GDPR Art. 5(3) + ePrivacy). The business dashboard (manager, staff, admin) may also use Analytics + Marketing cookies — only with your explicit consent via the banner.
We use 3 categories of cookies, divided according to the EU-compliant 3-category model:
• Essential (always active, cannot be disabled): session cookies for login, CSRF tokens for attack protection, and trusted-device cookies (90 days, per Sprint 2C) to skip 2FA verification on trusted devices.
• Analytics (optional, require consent): anonymous statistics for platform usage. Currently NO analytics script is active — reserved for future use.
• Marketing (optional, require consent): retargeting pixels (Facebook, Google Ads). Currently not active — reserved for future use.
Your cookie decision is stored in localStorage for 1 year. You can change it at any time via the "Change cookie settings" button at the page footer.
Retention periods are set according to purpose and legal obligations:
• Your account: retained until you request deletion. After request: 30-day grace period for recovery (you can cancel via email link); then final anonymization (email replaced with deleted-{hash}@deleted.local, name with "Deleted User", password erased).
• Invoices and fiscal records: 10 years, per Albanian Law no. 9920/2008 on tax procedures. Even after account anonymization, identifying columns (customer_email, etc.) are replaced with NULL — rows remain for legal compliance.
• Audit logs (activity_logs): 180 days with full data; after that, automatic in-place anonymization — IP truncated to /16, user-agent bucketed (Chrome/Safari/etc.), sensitive payload (email/phone/password/token) removed from details_json. Forensic trail (timestamp + action + entity_id) retained indefinitely.
• Cookies: 90 days (trusted device), 1 year (consent decision), 30 minutes (session).
• Backups: 30 days rolling.
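The audit-log anonymization described in the retention list above, sketched as an added example (this is not Access.al's code). The column names `ip`, `user_agent` and `created_at`, the browser buckets, the substring key match and the IPv6 prefix are assumptions; `details_json`, `action` and `entity_id` come from the policy text.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)   # full-data window stated in the policy
SENSITIVE = ("email", "phone", "password", "token")
UA_BUCKETS = (("Edg", "Edge"), ("Firefox", "Firefox"),     # assumed buckets; most
              ("Chrome", "Chrome"), ("Safari", "Safari"))  # specific marker first

def truncate_ip(ip):
    """Zero everything past the /16 (IPv4); /32 for IPv6 is an assumption."""
    prefix = 16 if ipaddress.ip_address(ip).version == 4 else 32
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def bucket_user_agent(ua):
    """Collapse a full user-agent string to a browser family name."""
    for marker, family in UA_BUCKETS:
        if marker in ua:
            return family
    return "Other"

def scrub(value):
    """Recursively drop keys whose name contains a sensitive field name."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()
                if not any(s in k.lower() for s in SENSITIVE)}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def anonymize_row(row, now):
    """Return the row unchanged inside the window, anonymized after it."""
    if now - row["created_at"] <= RETENTION:
        return row
    out = dict(row)  # created_at, action and entity_id pass through untouched
    out["ip"] = truncate_ip(row["ip"])
    out["user_agent"] = bucket_user_agent(row["user_agent"])
    out["details_json"] = json.dumps(scrub(json.loads(row["details_json"])))
    return out

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_ROW = {  # constructed sample, not real log data
    "created_at": NOW - timedelta(days=200), "action": "order.create",
    "entity_id": 4711, "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "details_json": '{"customer_email": "a@example.test", "total": 12.5, '
                    '"contact": {"phone": "+000", "city": "Tirana"}}',
}
print(anonymize_row(SAMPLE_ROW, NOW))
```

A /16 still leaves 65,536 possible IPv4 addresses per row, so the truncated value narrows the network without identifying a single host.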
As a data subject, GDPR and Albanian Law 9887/2008 grant you these rights:
• Right of access (Art. 15): download a JSON copy of all your data via /manager/settings-pages/data-export. Immediate response, no more than 1 export per 24 hours.
• Right of rectification (Art. 16): correct inaccurate data via /manager/profile.
• Right of erasure / "to be forgotten" (Art. 17): request account deletion via /manager/settings-pages/account-deletion. 30-day grace period with email recovery link.
• Right to restriction of processing (Art. 18): contact info@access.al for specific requests.
• Right to data portability (Art. 20): receive your data in JSON format (same endpoint as access).
• Right to object (Art. 21): object to marketing via the cookie banner; for other processing, contact us by email.
• Right not to be subject to automated decisions (Art. 22): we do NOT use profiling or automated decision-making with legal effect.
Some of our providers are headquartered outside EU/EEA. For these transfers, we use GDPR Chapter V protection mechanisms:
• Stripe Inc. (USA): EU Standard Contractual Clauses (SCC 2021/914) + Stripe Privacy Shield Framework.
• Google LLC (USA, for optional OAuth): EU SCC + Google Cloud Privacy Framework.
• Hostinger (Cyprus), DeepL (Germany): within EU/EEA — no additional mechanism needed (EU adequacy automatic).
All transfers are documented and verified per Schrems II requirements.
We implement technical and organizational measures per GDPR Art. 32:
• Data in transit: TLS 1.2+ exclusively (forced HTTPS via .htaccess).
• Passwords: bcrypt with cost 10 (PASSWORD_BCRYPT). 2FA available for owner accounts.
• Trusted devices (Sprint 2C): SHA-256 token hash in DB; raw token only in HttpOnly+Secure cookie; sliding window 90 days.
• Limited access: our staff has "need-to-know" access; every action is audit-logged.
• Regular audits: internal security reviews + periodic penetration testing.
• Breach notification (Art. 33): if a security incident involves your data, authorities will be notified within 72 hours; you will be notified if the risk is high.
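The trusted-device scheme from the list above (hash in the database, raw token only in the cookie, 90-day sliding window), sketched as an added example that is not Access.al's code. The in-memory store, the cookie name `trusted_device`, the function names and the `SameSite=Lax` attribute are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=90)   # sliding window from the policy
trusted_devices = {}          # hypothetical store: token hash -> record

def token_hash(raw_token):
    """SHA-256 of the raw token; only this value is persisted."""
    return hashlib.sha256(raw_token.encode()).hexdigest()

def issue(user_id, now):
    """Create a token; return (raw_token, Set-Cookie header value)."""
    raw = secrets.token_urlsafe(32)  # 256 random bits, so a plain hash is enough
    trusted_devices[token_hash(raw)] = {"user_id": user_id,
                                        "expires_at": now + WINDOW}
    cookie = (f"trusted_device={raw}; Max-Age={int(WINDOW.total_seconds())}; "
              "Path=/; HttpOnly; Secure; SameSite=Lax")
    return raw, cookie

def verify(user_id, raw_token, now):
    """True if the cookie token maps to a live record for this user."""
    key = token_hash(raw_token)
    record = trusted_devices.get(key)
    if record is None or record["user_id"] != user_id:
        return False              # unknown token, or token of another account
    if now >= record["expires_at"]:
        del trusted_devices[key]  # expired: 2FA is required again
        return False
    record["expires_at"] = now + WINDOW  # slide the window on each use
    return True

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    raw, cookie = issue(7, t0)
    print(cookie.split(";", 1)[1])                   # cookie attributes only
    print(verify(7, raw, t0 + timedelta(days=80)))   # inside window
    print(verify(7, raw, t0 + timedelta(days=300)))  # idle more than 90 days
```

Because the database holds only the hash, a leaked `trusted_devices` table does not yield a cookie value that skips 2FA.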
Data Protection Officer (DPO): info@access.al
Phone: +355 68 200 3737
Postal address: Ali Demi, Tirana, Albania.
Response within 30 days per GDPR Art. 12.3.
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority: Albanian Commissioner for Personal Data Protection (KMDP), Tirana, Albania. Web: kmdp.al