Cookie Policy
Last updated: 2026-06-03
How Tapeo uses cookies and similar technologies. Governed by article 22 of Spain’s LSSI-CE, the GDPR, the LOPDGDD, and AEPD cookie guidance.
01What this Policy covers
This Cookie Policy explains how Tapeo (https://tapeo.menu), operated by ATOMIRA TECHNOLOGIES, S.L., uses cookies and similar client-side storage on tapeo.menu and on QR-menu pages we serve on behalf of venue operators.
“Cookies” in this Policy means HTTP cookies as well as functionally equivalent technologies such as localStorage and sessionStorage where the same consent rules apply.
02Categories of cookies we use
Following the AEPD classification:
- Strictly necessary (technical) — required for authentication, session, security, and basic functioning. No consent required under LSSI-CE Art. 22.2.
- Functional — remember your language and similar preferences. Consent-based.
- Analytics — Tapeo does not currently use analytics cookies. Operator-side product analytics (page views, conversion) are computed server-side from request logs without setting any client cookie.
- Advertising / cross-site tracking — none. We do not display ads and we do not allow third-party advertising trackers anywhere in the Service.
03Specific cookies set by Tapeo
The following table reflects the configuration in production. We will update this section whenever the list changes.
3.1 Strictly necessary
| Name | Purpose | Duration |
|---|---|---|
| authjs.session-token | NextAuth authentication session for signed-in venue operators and admins. HttpOnly, Secure, SameSite=Lax. | 30 days |
| authjs.csrf-token | CSRF protection for sign-in and OAuth flows. HttpOnly. | Session |
| authjs.callback-url | Stores the post-sign-in destination during an OAuth round-trip. | Session |
| tapeo_cs | Per-table customer session. Lets a diner reopen the same shared tab on the same device without signing in. HttpOnly. | 12 hours |
| tapeo_staff | PIN-gated staff surface session (waiter / kitchen). HttpOnly, Secure, SameSite=Strict. | 8 hours |
| tapeo:favoriter-id | Anonymous per-device identifier so a diner can mark dishes as ♥ favorites and see them again on the same device. Random opaque token; not linked to any account. | 12 months |
| tapeo_impersonating | Indicates a superadmin is impersonating another account from /admin. Auditable. HttpOnly. | Session |
3.2 Functional (consent-based)
| Name | Purpose | Duration |
|---|---|---|
| tapeo-locale | Remembers your interface language (English, Spanish, or Catalan on the dashboard; one of seven languages on the customer menu). | 12 months |
04Third-party cookies
When you choose to sign in with Google, Google sets its own cookies on accounts.google.com to authenticate you. These cookies are governed by Google’s policy at https://policies.google.com/technologies/cookies. We never receive or store the contents of Google’s sign-in cookies; Google returns us a verified email and OpenID identifier, nothing more.
When Tapeo introduces card / Bizum payments via Stripe and Redsys, the corresponding payment pages will set strictly-necessary third-party fraud-prevention cookies. This section will be updated when those features ship.
05How we ask for consent
During the closed-alpha period, Tapeo only sets strictly-necessary cookies that do not require consent under LSSI-CE Art. 22.2 — plus the tapeo-locale preference cookie, which is written only when you actively change the language using the in-app language toggle (an unambiguous opt-in act). No cookie banner is shown because no consent-required cookies are placed without an explicit user action.
If we later introduce optional analytics or any other consent-required cookies, we will add a cookie banner that complies with current AEPD guidance (equal-weight accept and reject buttons, category-by-category control, no dark patterns, no pre-ticked boxes).
06Managing cookies in your browser
You can clear or block cookies via your browser settings. Blocking strictly-necessary cookies will prevent sign-in and other essential features from working.
- Chrome — https://support.google.com/chrome/answer/95647
- Firefox — https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari — https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
- Edge — https://support.microsoft.com/microsoft-edge
We respect the Do-Not-Track (DNT) and Global Privacy Control (GPC) signals where technically feasible.
07Changes to this Policy
We may update this Cookie Policy from time to time. Material changes will be posted here with at least 30 days’ advance notice and will trigger a re-consent prompt where any new consent-required category is introduced.
08Contact and supervisory authority
For any question about cookies, write to hola@tapeo.menu. For independent review, you can contact the Spanish data-protection authority, Agencia Española de Protección de Datos (AEPD): C/ Jorge Juan, 6, 28001 Madrid — https://www.aepd.es.
Questions? Email hola@tapeo.menu.