Legal

Privacy Policy.

Effective 24 April 2026 · Last updated 24 April 2026

Summary.

In plain english — We only collect information we need to run our products and talk to you. We don't sell your data. We don't run advertising. We store it on servers in Germany and we tell you who processes it on our behalf. You have the right to see your data, correct it, or delete it. If we mess this up, you can complain to the Information Commissioner of Jamaica.

This policy explains how QueryOne collects, uses, stores, and shares information when you visit queryone.io, use our onboarding flow at start.queryone.io (Atrium), or use our products CloudBite and Waypoint. Full detail follows.

1. Who we are.

QueryOne is a trading name of Davin Muir, based in Kingston, Jamaica. We operate the website queryone.io and the products Atrium, CloudBite, Waypoint, and Parley. We are the data controller for information collected through those surfaces, meaning we decide what is collected and what is done with it.

We are currently in the process of incorporating as QueryOne Limited under the Companies Act of Jamaica. On incorporation, this policy will be updated to reflect the new legal entity; no substantive terms will change without notice.

Contact

Email: hello@queryone.io
Postal: Kingston, Jamaica (full address provided on request)

2. What this policy covers.

Scope — Our marketing site, our onboarding flow, and our products. Not third-party sites we link to.

This policy covers:

  • queryone.io — our marketing site.
  • start.queryone.io (Atrium) — the short intake we ask new prospects to complete.
  • CloudBite — our restaurant operations platform, used by restaurant operators and their customers who place orders.
  • Waypoint — our hospitality property management platform, used by property owners and staff.
  • Parley — our guest experience platform, where live.

It does not cover third-party websites or services that we link to. Those have their own privacy notices; read them before sharing information.

3. Information we collect.

Summary — What you give us (your name, email, business info); what we observe (pages visited, IP, device); and in our products, the data you put in to run your business.

3.1   Information you provide

When you interact with us, you may give us:

  • Contact information — name, email, phone (WhatsApp), business name, role.
  • Business context — what you're building, what problem you're trying to solve, rough size of your operation. Collected through Atrium, our onboarding flow.
  • Account credentials — for CloudBite and Waypoint: email, password (stored hashed, never in plaintext), two-factor authentication settings if enabled.
  • Payment information — where we charge fees, we pass payment details directly to our payment processor. We do not store full card numbers on our servers.
  • Support correspondence — any message you send us via email, WhatsApp, or in-product chat.

3.2   Information we collect automatically

When you use any of our surfaces, we automatically collect:

  • Log data — IP address, browser type and version, operating system, timestamps, pages requested, referring URL, and (if in-product) actions taken.
  • Device information — screen size, general location inferred from IP (city-level, not precise), language preference.
  • Cookies and session data — session identifiers to keep you logged in, and cross-site request forgery (CSRF) tokens for security. See section 10.

We do not use third-party advertising trackers, analytics pixels, or tag managers on our marketing surfaces.

3.3   Product-specific data

Inside our products, we store the data you need us to store to run your business:

  • CloudBite — your menu, your orders (including customer name or phone if your flow collects them), kitchen tickets, staff logins, sales reports, optional photos of menu items. Guest data is collected only where your ordering flow requires it (for example, to contact a guest about a completed order).
  • Waypoint — property records, rooms, rates, bookings, guest preference notes captured by your staff, staff user accounts, compliance documents you upload (licenses, permits, certificates), property photos.
  • Atrium — the answers you type into our onboarding flow, and our concierge's notes against that brief.

For data you collect from your own customers using our products (for example, a guest's email collected through a CloudBite order), you are the data controller and we are the data processor. A data processing addendum is available on request and will be built into our commercial agreements with paying customers.

4. How we use information.

Summary — To run our services, talk to you, keep things secure, comply with law. Not to sell anything to third parties.

We use the information we collect to:

  • Provide the services you've asked for, including running CloudBite, Waypoint, and Atrium.
  • Respond to your messages and support requests.
  • Send transactional communications — password resets, security alerts, invoices, service updates.
  • Debug errors, measure performance, and improve our products.
  • Protect against fraud, abuse, and security threats (for example, rate-limiting and blocking malicious login attempts).
  • Comply with legal obligations, including tax, accounting, and any lawful orders from Jamaican authorities.
  • With your explicit consent, send you occasional product announcements. You can unsubscribe at any time.

We do not use your information to build advertising profiles, sell to data brokers, or train public AI models.

5. Legal basis for processing.

Under Jamaica's Data Protection Act 2020, and equivalent frameworks internationally, we rely on one or more of the following legal bases when we process personal information:

  • Performance of a contract — to deliver the services you've agreed to use.
  • Legitimate interests — to run, secure, and improve our services, where those interests are not overridden by your rights.
  • Consent — where required (for example, marketing emails). You may withdraw consent at any time.
  • Legal obligation — to comply with Jamaican law or valid legal process.

6. Who we share information with.

Summary — A short list of vendors we need to run the business. No data sales, ever.

We share information only with the following categories of recipient, and only to the extent necessary:

  • Hosting and infrastructure — Hetzner Online GmbH (Germany) hosts our servers and databases. Data at rest lives in the EU.
  • Domain and DNS — our registrar and DNS provider process the technical traffic required to route requests to our servers.
  • Email delivery — we use outbound email providers (such as Amazon SES or a successor) to send transactional and support email. These services see the recipient address and message contents.
  • Payment processors — for paid services, payment details are handled directly by the processor. We receive a token and a confirmation, not the underlying card data.
  • Professional advisors — lawyers, accountants, and auditors, under obligations of confidentiality, where strictly necessary.
  • Authorities — if required by valid legal process under Jamaican law, or to protect our rights, safety, or property, or that of our users and the public.

We do not and will not sell personal information. We do not share information with advertisers. We do not participate in data-broker arrangements.

If we ever undergo a merger, acquisition, or transfer of the business, we will notify you and provide a choice before your information becomes subject to a different privacy policy.

7. International data transfers.

Important — Your data is stored on servers in Germany (EU). We disclose this because Jamaica's DPA requires it.

Our production infrastructure today is primarily located in Falkenstein, Germany, operated by Hetzner Online GmbH. We also use, or may use, servers located in the United States for specific purposes, including production hosting of certain services, transactional email delivery, content delivery, and error monitoring. When you use our services from Jamaica (or anywhere else), your information may be transferred to and stored in either jurisdiction.

Germany is a member of the European Union and is subject to the EU General Data Protection Regulation (GDPR), a legal framework for personal data protection comparable to or stronger than Jamaica's. For transfers to the United States, we rely on processors that maintain recognised data-protection safeguards, including standard contractual clauses and data-processing agreements.

As our product set grows, we may add additional processors in other jurisdictions. Where we do, we put in place appropriate contractual and technical safeguards and update this policy to reflect material changes.

8. How long we keep information.

We keep information only as long as we need it, which depends on the type of data:

  • Account data — for as long as your account is active, plus a reasonable period after closure to allow for billing reconciliation and legal retention (typically 7 years for tax and accounting records in Jamaica).
  • Business data inside our products — for as long as you use the service. On termination, we retain data for up to 30 days so you can export it, after which we delete or anonymize it unless legally required to retain it for longer.
  • Onboarding brief (Atrium) — for up to 24 months from submission, or until you ask us to delete it sooner, whichever is first.
  • Support correspondence — for up to 3 years.
  • Security logs — typically 90 days, longer where we are investigating an incident.

You can request earlier deletion at any time; we'll act on the request unless we have a legal basis to retain specific data.

9. Your rights.

Your rights — Access, correct, delete, restrict, port, object, withdraw consent, complain to the OIC. Free of charge, in under 30 days.

Under Jamaica's Data Protection Act 2020, you have the following rights with respect to your personal information:

  • Right of access — to know what personal information we hold about you and receive a copy of it.
  • Right to rectification — to have inaccurate or incomplete information corrected.
  • Right to erasure — to have your information deleted where we no longer have a lawful basis to hold it.
  • Right to restrict processing — to pause our use of your information in certain situations.
  • Right to portability — to receive your information in a structured, machine-readable format and, where technically feasible, to have it transferred to another controller.
  • Right to object — to processing based on legitimate interests, including any form of direct marketing.
  • Right to withdraw consent — where we rely on your consent, at any time, without affecting the lawfulness of prior processing.
  • Right to not be subject to solely automated decisions that have legal or similarly significant effects.

To exercise any of these rights, write to hello@queryone.io. We will respond within 30 days and will not charge you unless your request is manifestly unfounded or excessive.

You also have the right to complain to Jamaica's Office of the Information Commissioner if you are dissatisfied with how we handle your personal information.

10. Cookies and tracking.

Summary — Session cookies for login and CSRF. No advertising trackers. No third-party analytics on our marketing site.

We use a minimal set of cookies:

  • Strictly necessary — session cookies that keep you logged in to CloudBite or Waypoint, and security tokens that prevent cross-site request forgery. Without these, the service cannot function.
  • Preference — small values that remember display choices (for example, collapsed navigation state).

We do not use third-party advertising cookies, remarketing pixels, or cross-site tracking technologies. We do not run Google Analytics, Facebook Pixel, or similar services on queryone.io at the time of writing; if we introduce privacy-respecting analytics in the future, we will update this policy.

11. Security.

We take security seriously. Measures we currently have in place include:

  • TLS encryption on every public endpoint.
  • Password hashing with modern algorithms (never plaintext storage).
  • Rate-limiting and brute-force protection on authentication endpoints.
  • Server-side firewall (nftables) and intrusion-detection tooling (fail2ban).
  • Offsite, encrypted backups on a nightly cadence.
  • Role-based access controls in our products, so your staff only see what they need to.
  • Internal operational controls: limited administrator access, obfuscated admin URLs, two-factor authentication on our administrator accounts.

No system is perfectly secure. If we discover a breach that affects your personal information, we will notify you and the relevant authorities in accordance with Jamaican law, without undue delay.

12. Children.

Our services are not directed at children under 18. We do not knowingly collect personal information from anyone under that age. If you believe a child has given us personal information, contact us and we will delete it.

13. Changes to this policy.

We may update this policy to reflect changes in our practices, our products, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Post a notice on queryone.io.
  • Where the change materially affects you, email registered account holders at the address on file.

Continued use of our services after the effective date of an update means you accept the updated policy.

14. Contact and complaints.

For any question, request, or complaint about privacy, contact us first:

If we fail to resolve your concern, you can complain to the Office of the Information Commissioner of Jamaica, the regulator responsible for enforcing the Data Protection Act 2020.