🇸🇪 Svenska

Terms of Service for Popcorn

Last updated: March 15, 2026 · Version 1.1

These terms ("Terms") apply between you ("Customer", "you") and InsightsHub ("we", "us"), org. no. 931 538 982, registered in Norway. By creating an account, you agree to these Terms.

1. The Service

Popcorn is a digital platform for collecting and analyzing guest feedback via QR codes. The Service is provided "as is" and includes:

  • QR code generation and feedback forms
  • HQ Dashboard for overview, feedback, and settings
  • Guest reward system
  • Google Review integration (automatic redirect for high ratings)

2. Account and Responsibility

  • You must be at least 18 years old to create an account. Guests providing feedback must be at least 13 years old (Norwegian Personal Data Act §5).
  • You are responsible for keeping your login credentials secure, including one-time codes and Magic Links.
  • You are responsible for all activity under your account.
  • You warrant that the information provided during registration is accurate.
  • One account per venue/business. Multiple locations are managed within the same organization.

3. Plans and Pricing

  • BAS (Basic) is currently free of charge.
  • We reserve the right to introduce usage limits on the free plan (e.g., maximum responses per month) with 30 days' notice.
  • Future paid plans (PRO, MAX) are billed monthly. Price changes are communicated at least 30 days in advance.
  • For future paid plans, a 14-day cooling-off period applies from the date of purchase in accordance with the Norwegian Right of Withdrawal Act (angrerettloven). Detailed terms will be established when paid plans launch.

4. Data and Ownership

Your data ("Customer Data"):

  • You own all feedback data collected through your QR codes.
  • We store Customer Data on your behalf to provide the Service.
  • Upon termination, your Customer Data is deleted from our active systems within 30 days.

Our right to aggregated data:

  • We reserve the right to anonymize and aggregate Customer Data — so that neither guest nor restaurant can be identified — to:
    • Create industry insights and benchmarks
    • Improve our AI models and algorithms
    • Develop new features
  • This aggregated data is not personal data and is not subject to deletion rights.

Guest feedback:

  • Feedback is collected anonymously. We do not request guests' names or contact details in the standard flow.
  • You are responsible for informing your guests that feedback is being collected (we provide standard texts for this).

5. Data Processing Agreement (DPA)

By accepting these Terms, you also enter into the Data Processing Agreement attached as Appendix A. In the relationship between you and your guests:

  • You (the restaurant) are the Data Controller
  • We (InsightsHub) are the Data Processor

6. Acceptable Use

You agree not to:

  • Use the Service for unlawful purposes
  • Attempt unauthorized access to other customers' data
  • Use automated systems to create accounts (bots, spam)
  • Resell or sublicense the Service without our written consent

7. Availability and Support

  • We strive for high availability but do not guarantee specific uptime.
  • Support is provided via email: support@popcornfeedback.com
  • We reserve the right to perform scheduled maintenance with reasonable notice.
  • Neither party shall be liable for delay or failure caused by circumstances beyond reasonable control (force majeure), including natural disasters, war, pandemic, government action, or disruptions to public communication systems.

8. Limitation of Liability

  • Our total liability to you is limited to the amount you have paid for the Service in the preceding 12 months (for BAS customers: NOK 0).
  • We are not liable for indirect damages, lost profits, or data loss beyond what is required by mandatory law.

9. Termination

  • You may terminate your account at any time via HQ Settings or by contacting us.
  • We may suspend accounts (status: SUSPENDED) in case of suspected abuse or breach of these Terms.
  • Upon termination: Customer Data is deleted within 30 days. Aggregated, anonymized data is retained.

10. Changes to Terms

  • We may update these Terms. Material changes are communicated via email at least 30 days in advance.
  • Continued use after a change constitutes acceptance of the new Terms.

11. Governing Law and Dispute Resolution

  • These Terms are governed by Norwegian law.
  • Disputes that cannot be resolved amicably shall be settled by Norwegian courts, with Oslo District Court as the court of first instance.

12. Contact

InsightsHub
Email: support@popcornfeedback.com
Privacy inquiries: privacy@popcornfeedback.com

Appendix A — Data Processing Agreement

Under GDPR Art. 28 · Version 1.1

1. Parties

  • Data Controller ("Controller"): The Customer (restaurant/business using Popcorn)
  • Data Processor ("Processor"): InsightsHub, Norway

2. Background

This agreement governs the Processor's processing of personal data on behalf of the Controller in connection with the Popcorn service, in accordance with GDPR Art. 28.

3. Nature and Purpose of Processing

AspectDescription
PurposeCollection, storage, and structuring of guest feedback via QR-based forms
Nature of processingAutomated collection, storage, aggregation, display in dashboard
DurationFor the duration of the service agreement + 30 days after termination

4. Categories of Data Subjects

  • Restaurant guests (feedback providers)
  • Restaurant owners and staff (account holders)

5. Types of Personal Data

CategoryData
Guest feedbackRatings, multiple choice answers, free text responses (may potentially contain personal data)
Technical dataIP address (temporary), device type, language setting
Account dataName, email, business details

6. Processor's Obligations

The Processor shall:

  1. Process personal data only in accordance with the Controller's documented instructions and these Terms.
  2. Ensure that persons authorized to process personal data have committed to confidentiality obligations.
  3. Implement appropriate technical and organizational security measures per Art. 32, including encryption in transit (TLS) and at rest, role-based access control, regular security reviews, and incident response procedures.
  4. Not engage sub-processors without the Controller's approval. Approved sub-processors are listed in the Privacy Policy. The Processor shall notify changes to sub-processors with 30 days' advance notice. The Controller may object — if the objection cannot be accommodated, the Controller has the right to terminate the agreement.
  5. Assist the Controller in fulfilling obligations regarding data subject rights (Art. 15-22).
  6. Without undue delay (within 48 hours) notify the Controller of personal data breaches.
  7. Assist the Controller with data protection impact assessments (DPIA) where relevant.
  8. Upon termination, return or delete all personal data (at the Controller's choice) within 30 days and confirm the return/deletion in writing upon request (Art. 28(3)(g)).
  9. Provide the Controller with all information necessary to demonstrate compliance with Art. 28 obligations, and allow for and contribute to audits.
  10. Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law (Art. 28(3)).

7. Approved Sub-processors

Sub-processorPurposeLocation
RailwayWeb hosting, database (PostgreSQL)EU (Amsterdam)
Cloudflare R2File storage (image uploads)EU
ResendTransactional emailEU/US
Google (Places API)Restaurant searchEU/US
UpstashRedis (sessions, rate limiting)EU

The Processor ensures all sub-processors are bound by agreements with at least equivalent protection.

8. International Transfers

Personal data is primarily stored within the EU. Where sub-processors process data outside the EU/EEA, adequate protection is ensured through EU Standard Contractual Clauses (SCCs) or adequacy decisions.