Data Processing Agreement DPA

Last updated: 19 января 2026 г.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and applies to hotel guest personal data processed via the QRush.delivery platform.

Summary The hotel is the Controller. QRush.delivery is the Processor. QRush processes guest data only on the hotel’s documented instructions to provide the Service.

1. Parties

Controller: the hotel/customer using QRush.delivery (“Customer”).

Processor: Sole Proprietor Andrey Anatolyevich Kulachenko, registration numbers 770765074793 / 309774608600785, registered address: 6 Pokrovskaya Street, Khotkovo, Sergiev Posad, Moscow Region, 141370, Russian Federation (“QRush”).

Where applicable, this DPA is intended to satisfy the requirements of Article 28 of the GDPR and similar data protection laws.

2. Scope and Purpose of Processing

QRush processes guest personal data to enable hotel ordering and service fulfillment via the platform (menus, orders, delivery point selection, and related platform operations), and to provide, maintain, and secure the Service.

Processing includes hosting, storage, retrieval, transmission, and deletion/anonymization as technically necessary to provide the Service.

3. Types of Data and Categories of Data Subjects

Categories of data subjects: hotel guests.

Types of guest personal data (depending on hotel configuration):

  • Room number
  • Guest last name
  • Order details (food, beverages, services)
  • Delivery point within hotel premises
  • Stay dates (check-in/check-out), if configured by the Customer

The Customer controls what guest data fields are collected and stored within the Service.

4. Duration

This DPA applies for the duration of the Customer’s use of the Service and for as long as QRush processes guest personal data on behalf of the Customer.

5. Processor Obligations

  • Process guest personal data only on the Customer’s documented instructions, including with regard to transfers of personal data, unless required by applicable law.
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement reasonable technical and organizational measures appropriate to the risk, including measures designed to protect confidentiality, integrity, and availability.
  • Not materially decrease the level of security during the term of the Service.
  • Provide reasonable assistance to the Customer in responding to requests from data subjects, to the extent the Customer cannot do so through the Service functionality.
  • Provide reasonable assistance to the Customer in meeting obligations related to security, breach notifications, impact assessments, and prior consultations, taking into account the nature of processing and information available to QRush.

6. Controller Obligations

  • Ensure a lawful basis for collecting and processing guest personal data and for providing it to QRush for processing.
  • Provide required privacy notices to guests and obtain consents where required by applicable law.
  • Ensure accuracy of guest data and apply data minimization (collect only what is necessary).
  • Configure the Service responsibly and restrict access to guest data to authorized hotel personnel.
  • Respond to guest requests (access, deletion, etc.) as the Data Controller.

7. Subprocessors

The Customer provides a general authorization for QRush to engage subprocessors for hosting, infrastructure, email delivery, analytics, and payment processing, as needed to provide the Service.

  • QRush will impose data protection obligations on subprocessors that are no less protective than those in this DPA.
  • QRush remains responsible for the performance of its subprocessors to the extent required by applicable law.
  • Upon request, QRush will provide a list of subprocessors currently used for the Service.

8. Cross-Border Data Transfers

Personal data may be processed or stored in countries different from where the Customer or guest is located. Where required by applicable law, QRush will apply appropriate safeguards to enable lawful cross-border transfers.

9. Security Measures

QRush implements reasonable measures designed to protect personal data, such as encryption in transit, access control, and monitoring. The Customer acknowledges that no method of transmission or storage is 100% secure.

Detailed security documentation may be provided to the Customer upon request, subject to confidentiality.

10. Personal Data Breach

If QRush becomes aware of a personal data breach affecting guest personal data processed under this DPA, QRush will notify the Customer without undue delay and provide information reasonably necessary for the Customer to meet its legal obligations.

11. Deletion or Return of Data

Upon termination of the Service, QRush will delete or anonymize guest personal data within a reasonable time, unless retention is required by law or necessary for security and audit purposes.

The Customer may be able to delete guest data via the Service functionality. Certain backups may persist for a limited period as part of routine security and business continuity practices.

12. Audits and Compliance

Upon reasonable written request, QRush will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by applicable law, the parties may agree on a reasonable audit scope and confidentiality protections.

13. Contact

Privacy inquiries: privacy@qrush.delivery

Support: support@qrush.delivery