Happy Bar & Grill biometric surveillance tool development

Happy Bar & Grill, a Bulgarian restaurant chain, faced public backlash following revelations regarding an AI facial recognition system that biometrically profiles customers. The system, developed by vendor IP Biometrix, tracks physical attributes, infers ethnicity categories, and analyses emotional states. While the company stated the technology was intended to monitor staff "smiles," evidence suggests it processed customer data without transparent notice or valid legal basis under GDPR.^[1] The company later acknowledged testing the system in late 2023 before officially rejecting it, though discrepancies remain regarding the timeline and vendor documentation.^[2]

Happy Bar & Grill is a Bulgarian restaurant chain operating multiple locations across Bulgaria, Romania, Spain, and the United Kingdom.^[3] According to an official statement released in 12 March 2026, the chain received an offer for an AI-powered facial recognition system from Bulgarian security vendor IP Biometrix in 2023. The company stated the system was tested between September and December 2023^[4] before being officially rejected on 14 December 2023.^[2] However, archived evidence from IP Biometrix's portfolio displays implementation data and screenshots dated as late as November 2024, suggesting the vendor continued to showcase the project after the alleged rejection.^[1] The system was marketed for "smile monitoring" of staff to generate employee performance rankings but utilised existing security cameras for real-time facial recognition of clients.

IP Biometrix's portfolio page demonstrates the system processes both employees and customers. A sample image shows multiple individuals labelled as "Subject 6053," "6054," and "6055" with extensive biometric attributes tracked. It is important to note that the displayed percentages (e.g., ethnicity scores) represent AI confidence levels regarding specific selected individuals, rather than aggregate counts of demographics within the venue.^[1] Tracked attributes include:

• Physical features: glasses, dark glasses, beard, moustache, blink, mouth open, mask presence, "face quality"
• Ethnicity classifications: white, black, Asian, Hispanic, Indian, Arabian (displayed as confidence scores per subject)
• Emotional states: neutral, anger, contempt, disgust, fear, and others

IP Biometrix's portfolio page was captured by the Internet Archive on 2 January 2026. Demonstration images within the portfolio contain filenames dated to at least 9 November 2024 (e.g., "Screenshot-2024-11-09-120029.png").^[1]

Note on Evidence Dates: While the filenames indicate November 2024, this date relies on the vendor's naming convention and cannot be forensically verified independently. Additionally, another screenshot in the article shares the same date ("Screenshot-2024-11-09-121619.png"), which may indicate the images were generated when the portfolio article was posted rather than during live operation. However, other statistics in the portfolio reference data from September 2023.

Patrons entering affected locations received no visible signage at entrances or within dining areas informing them that their facial biometrics were being captured, analysed, or stored during the testing period. Happy's published privacy policy makes no mention of facial recognition, biometric processing, or AI surveillance systems in restaurants.^[5] Under the EU General Data Protection Regulation (GDPR), facial recognition constitutes processing of biometric data—a "special category" of personal data requiring explicit consent or another narrow legal basis under Article 9.^[6] Inferring ethnicity and emotional states triggers additional restrictions as these reveal "racial or ethnic origin" and constitute sensitive psychological profiling. The absence of transparent notice before data collection violates GDPR Articles 13–14, while processing customers' biometrics for staff performance monitoring lacks a proportionate legal basis under Articles 6 and 9.^[6] Under Bulgarian national guidance, the Commission for Personal Data Protection (CPDP) has stated that processing biometric data in shops and restaurants for the purpose of analyzing customer behavior, gender, or age cannot be based on "legitimate interest." The CPDP emphasizes that placing information signs is insufficient to achieve "explicit consent."^[7]

On 12 March 2026, Happy Bar & Grill issued an official statement addressing the allegations. The company categorically denied current use of the system, stating that no such software or technology is currently used in Happy restaurants. They acknowledged receiving an offer from GI Mobility Services (linked to IP Biometrix) in 2023 and confirmed testing occurred between September and December 2023. The company stated they officially rejected the proposal on 14 December 2023, citing the solution was unnecessary for their operations.^[2]

The statement did not explicitly address the "Burrata Italiana" locations where evidence suggests the dashboard was active. Furthermore, the company claimed to have notified the administrators of ConsumerRights.wiki demanding the removal of the documentation within 24 hours, labeling the information as fake news from an anonymous source.^[2] IP Biometrix removed the portfolio page showcasing the Happy Bar & Grill implementation during a site renovation prior to March 2026. The content is now preserved through the Internet Archive's Wayback Machine capture from 2 January 2026.^[1]

Following the company's statement, community analysis highlighted several discrepancies. While Happy Bar & Grill denied current use, privacy advocates argue that testing the system on customers without consent between September and December 2023 still constitutes a violation of GDPR. IP Biometrix's portfolio displayed data dated November 2024—almost a year after Happy claims to have rejected the system. This suggests either the system was tested beyond the stated period, or the vendor misrepresented the partnership status.^[1]

Additional concerns have been raised regarding IP Biometrix's other projects, including camera systems at the University of National and World Economy (UNWE), and their list of partners, which was removed from their website. Consumer awareness of the surveillance system gained traction on 11 March 2026, following a post on the subreddit r/bulgaria featuring the wiki page. The thread gathered thousands of views and hundreds of comments within hours. Affected customers may exercise GDPR rights by:

• Submitting Subject Access Requests (Article 15) demanding all biometric data processed about them
• Filing complaints with Bulgaria's Commission for Personal Data Protection^[8]
• Requesting deletion of biometric templates under the right to erasure (Article 17)