Legal

Terms, Privacy, Cookies, in plain language.

These are the rules that apply when you use OffQ, and what we do with the information we collect. OffQ is operated by Mad Yeast ApS, a Danish private limited company registered at Rødovrevej 79, 2610 Rødovre, Denmark (CVR: 35225579).

Effective date: 2026-04-21 · Version 1.0

1 · Terms of Service

These Terms govern your use of OffQ, a web-based pickup-queue service provided by Mad Yeast ApS ("we", "us"). By creating an account or using OffQ, you ("Customer", "you") agree to these Terms.

1.1 Who can use OffQ

OffQ is a business-to-business service intended for food trucks, pop-ups, kiosks, cafés and similar venues operated by a business (including sole-proprietor businesses registered in an EU member state). By signing up you confirm that you are acting in a professional capacity. Consumer-specific rights under the Danish Consumer Contracts Act (Forbrugeraftaleloven) do not apply to B2B use.

1.2 The service

OffQ provides a web-based customer-facing queue board, a staff panel for order management, and a printable QR code. Features may be added, changed or removed over time. We aim for continuous availability but do not guarantee any specific uptime level during beta (see §1.6).

1.3 Accounts and magic-link login

OffQ uses passwordless login: you receive a one-time magic link by email. You are responsible for keeping access to your email account secure. Login tokens expire automatically and are single-use.

1.4 Pricing and subscription

OffQ is currently offered free of charge during public beta. No payment method is required. We will give at least 30 days' notice by email before introducing paid tiers. When paid tiers are introduced:

Prices will be shown in DKK or EUR including 25 % Danish VAT where applicable.
Subscriptions auto-renew for successive periods unless cancelled before the renewal date.
You can cancel at any time from the staff panel; the subscription continues until the end of the paid period.
Because OffQ is a digital service delivered immediately, the 14-day right of withdrawal under the Consumer Contracts Act is waived on paid activation, in line with § 18(2)(13) of that Act.

1.5 Acceptable use

You agree not to (a) use OffQ for unlawful purposes, (b) attempt to bypass authentication or rate limits, (c) resell or white-label the service without a written agreement, (d) submit content that is unlawful, defamatory or infringes third-party rights, or (e) use the service in a way that could harm other customers or the infrastructure.

1.6 Availability, warranty and liability

OffQ is provided "as is" during beta. To the maximum extent permitted by Danish law, we disclaim all implied warranties. Our aggregate liability to you for any claim arising out of the service is limited to the fees you paid to us in the twelve (12) months preceding the event, and during the free beta period to EUR 100 in total. We are never liable for indirect, incidental or consequential damages, including lost profits, lost goodwill or lost data, except where such limitation is prohibited by mandatory Danish law.

1.7 Data protection

Your use of OffQ involves the processing of personal data. Section 2 (Privacy Policy) describes what we process and why. Section 4 (Data Processing Agreement) describes the terms under which we process end-customer data on your behalf.

1.8 Termination

You may close your account at any time by emailing denis@madyeast.com. We may suspend or terminate an account immediately for material breach of these Terms, illegal use, or non-payment of fees once paid tiers apply, and we will explain the reason by email.

1.9 Changes to these Terms

We may update these Terms. Material changes will be notified by email to the address on file at least 30 days before they take effect. Your continued use of OffQ after that date constitutes acceptance.

1.10 Governing law and venue

These Terms are governed by Danish law, excluding its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods. Any dispute shall be settled by Copenhagen City Court (Københavns Byret) as the court of first instance.

2 · Privacy Policy

This policy explains how Mad Yeast ApS processes personal data when you use OffQ. It is written to comply with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven).

2.1 Data controller

Mad Yeast ApS · Rødovrevej 79 · 2610 Rødovre · Denmark · CVR 35225579. Contact for privacy matters: denis@madyeast.com.

OffQ involves two roles. For operator data (your login email, truck name, subscription status) we are the data controller. For end-customer data (first names people type into the queue) you (the venue) are the controller and we act as your processor. Section 4 covers the processor relationship.

2.2 What we collect and why

Data	Purpose	Legal basis (GDPR Art. 6)	Retention
Operator email address	Login, magic-link delivery, service notices	Contract performance (6.1.b)	While account is active + 5 years bookkeeping (Bogføringsloven §12)
Truck / venue name	Customer-facing queue branding, slug generation	Contract performance (6.1.b)	As above
IP address and request metadata	Rate limiting, fraud prevention, security logging	Legitimate interest (6.1.f)	Rolling 30 days, then deleted or hashed
JWT auth cookie	Keeping you logged in (90 days)	Strictly necessary (6.1.b)	90 days or until logout
Order records (numbers, timestamps, status)	Running the queue	Contract performance (6.1.b)	Active while account is open; cleared on request or account closure
End-customer first names	Displaying the queue	See §4 — we are processor, not controller	Active while order is in the queue; cleared on "reset" or archived with orders

2.3 Sub-processors

We use the following sub-processors to deliver OffQ. All are bound by GDPR-compliant contracts.

Provider	Purpose	Location	Transfer basis
Hostinger International Ltd.	Web hosting, database, server logs	EU (Netherlands data centre)	Intra-EU — no transfer mechanism needed
Resend (Resend Inc.)	Transactional email (magic links)	US-based; EU data region available	EU Standard Contractual Clauses (SCCs)
api.qrserver.com (GoQR.me / Goqr.me)	QR code image generation	EU (Germany)	Intra-EU — URL passed only; no personal data attached
Umami Cloud (umami.is)	Privacy-friendly, cookieless visitor analytics	EU (Germany)	Intra-EU — no personal data, no cookies

This list will be kept up to date. Material changes will be announced at least 14 days in advance.

2.4 Your rights

Under GDPR you have the right to:

Access the personal data we hold about you (Art. 15)
Rectify inaccurate data (Art. 16)
Erase your data — the "right to be forgotten" (Art. 17)
Restrict processing (Art. 18)
Data portability in a machine-readable format (Art. 20)
Object to processing based on legitimate interest (Art. 21)
Withdraw consent where processing relies on it (Art. 7)

Email denis@madyeast.com to exercise any of these rights. We respond within 30 days.

2.5 Complaints

If you believe we have handled your data unlawfully, you can complain to the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, datatilsynet.dk.

2.6 International transfers

Most of our processing stays within the EU. Where Resend (see §2.3) processes data in the United States, we rely on the EU Commission's Standard Contractual Clauses and any applicable supplementary measures.

2.7 Security

Passwords are never stored — we use stateless JWT magic links signed with HMAC-SHA256. Traffic is served over HTTPS. Database and sensitive files are locked down by server-level access control. Session cookies are marked HttpOnly, Secure and SameSite=Lax.

3 · Cookie Policy

OffQ uses the absolute minimum of cookies. We do not use advertising cookies, tracking pixels or third-party social buttons.

Cookie	Purpose	Lifetime	Consent?
`PHPSESSID`	Server session identifier (CSRF protection, flash messages)	Session	Strictly necessary — no consent required
`qa_staff`	Stateless JWT login cookie after magic-link click	90 days	Strictly necessary — no consent required
`qa_staff_email`, `qa_staff_truck_name`	Remember your login details on the login page (convenience only, not auth)	30 days	Strictly necessary — no consent required

Analytics without cookies. We use Umami for anonymous visitor analytics. Umami uses no cookies, stores no IP addresses and cannot identify individual visitors. Under the Danish cookie rules (Cookiebekendtgørelsen §3(2)), no consent banner is required for analytics that meet these criteria. We will introduce a proper consent banner if we ever add analytics that need one.

You can clear cookies at any time through your browser settings. Clearing the strictly-necessary cookies will log you out of OffQ.

4 · Data Processing Agreement (summary)

When you use OffQ to run a queue, end customers type their first name into your queue board. Those first names are their personal data. You, as the venue, are the controller of that data. We process it on your behalf, strictly to run the queue you have configured. This section is a summary of the terms that govern that relationship; it takes legal effect automatically when you activate an account.

4.1 Parties

Controller: you, the operator of the venue using OffQ.
Processor: Mad Yeast ApS, CVR 35225579, Rødovrevej 79, 2610 Rødovre, Denmark.

4.2 Scope of processing

Subject matter: the processing of end-customer first names and order metadata in order to display and manage a pickup queue.
Duration: for as long as you hold an OffQ account, plus up to 30 days after closure for backups and audit.
Nature and purpose: display, state transitions (received → preparing → ready), storage, deletion.
Categories of data subject: members of the public who voluntarily join your queue.
Categories of personal data: first name (as provided), order number, time of join, status.
Sensitive data: none.

4.3 Sub-processors

We engage the sub-processors listed in §2.3 to carry out this processing. By accepting these Terms you grant a general authorisation under GDPR Art. 28(2) for us to use those sub-processors, and to update the list subject to the 14-day notice described in §2.3.

4.4 Security measures

HTTPS for all traffic; HSTS on the production domain.
Stateless JWT authentication with one-time magic links and replay protection.
Server-level access control on database and secrets.
No PII stored in log files; logs rotated every 30 days.
Backups encrypted at rest at Hostinger.

4.5 Personal data breach

We will notify you without undue delay — and within 72 hours where reasonably possible — if we become aware of a personal data breach affecting your data. We will give you the information you need to comply with your GDPR Art. 33 notification obligation to Datatilsynet.

4.6 Deletion and return

On termination of your account, or at your written request, we will delete or return all personal data processed on your behalf within 30 days, except where Danish law requires retention (notably Bogføringsloven's 5-year rule for invoices and accounting records).

4.7 Right to audit

You may request, once per year and with 30 days' notice, reasonable information about our security arrangements, or instruct a third-party auditor (bound by confidentiality) to perform an audit at your cost. A full DPA contract is available on request for customers who need one signed.

5 · Company information

Required disclosures under Danish E-handelsloven § 8:

Mad Yeast ApS

Legal formAnpartsselskab (ApS)

Registered officeRødovrevej 79, 2610 Rødovre, Denmark

CVR number35225579

VAT IDDK35225579

Trade registerErhvervsstyrelsen (Danish Business Authority)

Contact emaildenis@madyeast.com

ProductOffQ · offq.me

6 · Contact

Questions about these Terms, privacy, or the service in general:

Mad Yeast ApS
Rødovrevej 79 · 2610 Rødovre · Denmark
denis@madyeast.com

For urgent data-breach or GDPR matters, please write "PRIVACY URGENT" in the subject line.