Terms of Service for Popcorn
Last updated: March 15, 2026 Β· Version 1.2
These terms ("Terms") apply between you ("Customer", "you") and InsightsHub ("we", "us"), org. no. 931 538 982, registered in Norway. By creating an account, you agree to these Terms.
1. The Service
Popcorn is a digital platform for collecting and analyzing guest feedback via QR codes. The Service is provided "as is" and includes:
- QR code generation and feedback forms
- HQ Dashboard for overview, feedback, and settings
- Guest reward system
- Google Review integration (automatic redirect for high ratings)
2. Account and Responsibility
- You must be at least 18 years old to create an account. Guests providing feedback must be at least 13 years old (Norwegian Personal Data Act Β§5).
- You are responsible for keeping your login credentials secure, including one-time codes and Magic Links.
- You are responsible for all activity under your account.
- You warrant that the information provided during registration is accurate.
- One account per venue/business. Multiple locations are managed within the same organization.
3. Plans and Pricing
- BAS (Basic) is currently free of charge.
- We reserve the right to introduce usage limits on the free plan (e.g., maximum responses per month) with 30 days' notice.
- Future paid plans (PRO, MAX) are billed monthly. Price changes are communicated at least 30 days in advance.
- For future paid plans, a 14-day cooling-off period applies from the date of purchase in accordance with the Norwegian Right of Withdrawal Act (angrerettloven). Detailed terms will be established when paid plans launch.
4. Data and Ownership
Your data ("Customer Data"):
- You own all feedback data collected through your QR codes.
- We store Customer Data on your behalf to provide the Service.
- Upon termination, your Customer Data is deleted from our active systems within 30 days.
Our right to aggregated data:
- We reserve the right to anonymize and aggregate Customer Data β so that neither guest nor restaurant can be identified β to:
- Create industry insights and benchmarks
- Improve our AI models and algorithms
- Develop new features
- This aggregated data is not personal data and is not subject to deletion rights.
Guest feedback:
- Feedback is collected anonymously. We do not request guests' names or contact details in the standard flow.
- You are responsible for informing your guests that feedback is being collected (we provide standard texts for this).
5. Data Processing Agreement (DPA)
By accepting these Terms, you also enter into the Data Processing Agreement attached as Appendix A. In the relationship between you and your guests:
- You (the restaurant) are the Data Controller
- We (InsightsHub) are the Data Processor
6. Acceptable Use
You agree not to:
- Use the Service for unlawful purposes
- Attempt unauthorized access to other customers' data
- Use automated systems to create accounts (bots, spam)
- Resell or sublicense the Service without our written consent
7. Availability and Support
- We strive for high availability but do not guarantee specific uptime.
- Support is provided via email: support@popcornfeedback.com
- We reserve the right to perform scheduled maintenance with reasonable notice.
- Neither party shall be liable for delay or failure caused by circumstances beyond reasonable control (force majeure), including natural disasters, war, pandemic, government action, or disruptions to public communication systems.
8. Limitation of Liability
- Our total liability to you is limited to the amount you have paid for the Service in the preceding 12 months (for BAS customers: NOK 0).
- We are not liable for indirect damages, lost profits, or data loss beyond what is required by mandatory law.
9. Termination
- You may terminate your account at any time via HQ Settings or by contacting us.
- We may suspend accounts (status: SUSPENDED) in case of suspected abuse or breach of these Terms.
- Upon termination: Customer Data is deleted within 30 days. Aggregated, anonymized data is retained.
10. Changes to Terms
- We may update these Terms. Material changes are communicated via email at least 30 days in advance.
- Continued use after a change constitutes acceptance of the new Terms.
11. Governing Law and Dispute Resolution
- These Terms are governed by Norwegian law.
- Disputes that cannot be resolved amicably shall be settled by Norwegian courts, with Oslo District Court as the court of first instance.
12. Contact
InsightsHub
Email: support@popcornfeedback.com
Privacy inquiries: privacy@popcornfeedback.com
Appendix A β Data Processing Agreement
Under GDPR Art. 28 Β· Version 1.2 Β· Effective 2026-05-21
1. Parties
- Data Controller ("Controller"): The Customer (restaurant/business using Popcorn)
- Data Processor ("Processor"): InsightsHub, Norway
2. Background
This agreement governs the Processor's processing of personal data on behalf of the Controller in connection with the Popcorn service, in accordance with GDPR Art. 28.
3. Nature and Purpose of Processing
| Aspect | Description |
|---|
| Purpose | Collection, storage, and structuring of guest feedback via QR-based forms |
| Nature of processing | Automated collection, storage, aggregation, display in dashboard |
| Duration | Duration of the service agreement + 30 days post-termination retention (see section 7b) |
4. Categories of Data Subjects
- Restaurant guests (feedback providers)
- Restaurant owners and staff (account holders)
5. Types of Personal Data
| Category | Data |
|---|
| Guest feedback | Ratings, multiple choice answers, free text responses (may potentially contain personal data) |
| Technical data | IP address (temporary), device type, language setting |
| Account data | Name, email, business details |
6. Processor's Obligations
The Processor shall:
- Process personal data only in accordance with the Controller's documented instructions and these Terms.
- Ensure that persons authorized to process personal data have committed to confidentiality obligations.
- Implement appropriate technical and organizational security measures per Art. 32, including encryption in transit (TLS) and at rest, role-based access control, regular security reviews, and incident response procedures.
- Not engage sub-processors without the Controller's approval. Approved sub-processors are listed in the Privacy Policy. The Processor shall notify changes to sub-processors with 30 days' advance notice. The Controller may object β if the objection cannot be accommodated, the Controller has the right to terminate the agreement.
- Assist the Controller in fulfilling obligations regarding data subject rights (Art. 15-22).
- Without undue delay (within 48 hours) notify the Controller of personal data breaches.
- Assist the Controller with data protection impact assessments (DPIA) where relevant.
- Upon termination, return or delete all personal data (at the Controller's choice) within 30 days and confirm the return/deletion in writing upon request (Art. 28(3)(g)).
- Provide the Controller with all information necessary to demonstrate compliance with Art. 28 obligations, and allow for and contribute to audits.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law (Art. 28(3)).
7. Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|
| Railway | Web hosting, database (PostgreSQL) | EU (Amsterdam) |
| Cloudflare R2 | File storage (image uploads) | EU |
| Resend | Transactional email | EU/US |
| Google (Places API) | Restaurant search | EU/US |
| Upstash | Redis (sessions, rate limiting) | EU |
| Sentry | Error tracking, performance monitoring (PII scrubbed) | EU/US |
| Anthropic (Claude) | AI assistant for venue insights (Copilot). SCC applied per Anthropic Commercial Terms. | US |
| Self-hosted AI (Ollama) | On-platform AI analytics and diagnostics β no third-party data transfer | EU (Railway, europe-west4) |
The Processor ensures all sub-processors are bound by agreements with at least equivalent protection.
7b. Data Retention and Deletion
| Data type | Retention | Deletion method |
|---|
| Account data (venue PII) | Duration of contract + 30 days | Soft-delete immediately, hard-delete after 30-day restore window |
| Guest feedback (responses) | Retained as anonymised platform data | Foreign keys to deleted venues are nullified; response content preserved anonymously |
| Audit trail (deletion logs) | 3 years | Automatically purged after 3 years |
| AI interaction logs (CopilotLog) | 90 days | Auto-purged after 90 days |
| Encrypted backups | 30 days rolling | Overwritten by rotation schedule |
| Email suppression list | Indefinite | Retained to prevent re-mailing deleted accounts |
Upon account deletion, personal data is removed from live systems immediately. Encrypted copies may persist in backups for up to 30 days before being overwritten.
8. International Transfers
Personal data is primarily stored within the EU (Railway, europe-west4, Amsterdam, NL). Where sub-processors process data outside the EU/EEA β specifically Anthropic (US inference, SCC per Commercial Terms) and Resend (US routing) β adequate protection is ensured through EU Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.