Privacy Policy

Last updated: 7 June 2026

This Privacy Policy explains how Qesja (“we”, “us”) collects, uses and protects your personal data when you use our website and services. We process personal data in accordance with the Republic of Kosovo’s Law No. 06/L-082 on the Protection of Personal Data and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Who we are (Data Controller)

Qesja is the data controller responsible for your personal data. For any privacy question or to exercise your rights, contact us at qesjaks@outlook.com.

2. What data we collect

  • Account data: your name, email address and login credentials, managed by our authentication provider (Clerk).
  • Business data (for business accounts): business name, description, category, address, city and optional contact phone.
  • Reservation data: the bags you reserve, amounts, status and timestamps.
  • Payment data (if you pay online): processed securely by Stripe. We do not store your full card details.
  • Technical data: basic device/usage information and cookies needed to operate the site (see our Cookie Policy).

3. How we use your data

  • To create and manage your account and authenticate you.
  • To process and manage Surprise Bag reservations and pickups.
  • To process payments (where applicable).
  • To operate, secure, maintain and improve the service.
  • To comply with legal obligations.

4. Legal bases for processing

We rely on: performance of a contract (providing the service you request), your consent (e.g. optional cookies), our legitimate interests (securing and improving the service), and compliance with legal obligations.

5. Sharing & processors

We share data only with service providers that help us run Qesja:

  • Clerk — authentication and account management.
  • Supabase — database and file storage.
  • Stripe — payment processing.
  • Vercel — website hosting.
  • OpenStreetMap — map tiles (no account needed).

These providers act as our processors and may store data on servers inside or outside Kosovo/the EU, always under appropriate safeguards.

6. Data retention

We keep personal data only for as long as necessary to provide the service and to meet legal requirements. You may request deletion of your account and associated data at any time.

7. Your rights

Under Kosovo law and the GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • erase your data (“right to be forgotten”);
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time;
  • lodge a complaint with the Information and Privacy Agency of Kosovo (IPA).

To exercise any of these rights, email us at qesjaks@outlook.com.

8. Security

We use reputable providers and reasonable technical and organisational measures to protect your data. No method of transmission over the internet is 100% secure, but we work to protect your information.

9. Children

Qesja is not directed at children under 16. We do not knowingly collect their data.

10. Changes to this policy

We may update this policy from time to time. The “last updated” date above reflects the latest version.