This Privacy Policy applies to all products, services, websites, applications, and APIs offered by TableGreet Ltd. under the brand name TableGreet, including but not limited to our digital menu SaaS platform, QR code generator, analytics dashboard, and any associated mobile or web applications (collectively, the "Services").
For the purposes of the General Data Protection Regulation (GDPR) 2016/679 and the UK GDPR, the data controller is:
This Policy does not apply to third-party websites, services, or applications that may be linked to from our Services. We encourage you to review the privacy policies of any third parties you interact with.
We collect personal data under the following categories:
| Category | Examples |
|---|---|
| Identity Data | Full name, business name, username, role |
| Contact Data | Email address, phone number, billing address |
| Credentials | Hashed password, authentication tokens |
| Venue & Menu Data | Restaurant name, logo, menu items, prices, allergen info, images |
| Payment Data | Billing details (processed by Stripe — we do not store raw card data) |
| Communications | Support tickets, emails, chat transcripts |
When diners scan a TableGreet QR code to view a digital menu, we collect minimal technical data (anonymised IP geolocation at country level, device type) purely for analytics. We do not build profiles on individual diners, require diner registration, or share diner data with third parties for advertising. Venue operators (our customers) are solely responsible for any data they independently collect from their guests.
We apply strict data minimisation. We collect only the personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Art. 5(1)(c) GDPR). If you believe we are collecting data beyond these categories, please contact our DPO immediately.
Under GDPR, every processing activity must have a lawful basis. The following table maps our processing activities to their legal basis:
| Processing Activity | Lawful Basis (GDPR Art. 6) |
|---|---|
| Account creation & authentication | Performance of contract (Art. 6(1)(b)) |
| Delivering the platform & Services | Performance of contract (Art. 6(1)(b)) |
| Processing subscription payments | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Fraud prevention & security | Legitimate interests (Art. 6(1)(f)) |
| Platform analytics & improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance & record-keeping | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (opt-in) | Consent (Art. 6(1)(a)) |
| Cookies (non-essential) | Consent (Art. 6(1)(a)) |
We process your personal data for the following specific, explicit, and legitimate purposes:
We will not process your personal data for purposes that are incompatible with those described above without first obtaining your explicit consent or establishing a new lawful basis.
We do not sell, rent, or broker personal data. We share data only as described below, and only with parties who have agreed to process data in accordance with our instructions and applicable data protection law.
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage | USA (SCCs applied) |
| Stripe, Inc. | Payment processing | USA (SCCs applied) |
| Cloudflare, Inc. | CDN, DDoS protection, edge hosting | Global (SCCs applied) |
| Resend / SendGrid | Transactional email delivery | USA (SCCs applied) |
| Sentry, Inc. | Error monitoring & crash reporting | USA (SCCs applied) |
| Vercel / Netlify | Application hosting (if applicable) | Global (SCCs applied) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914)
TableGreet operates globally. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom, including the United States.
Where such transfers occur, we ensure an equivalent level of protection by relying on one or more of the following safeguards:
You may request a copy of the applicable transfer mechanism by contacting our DPO at [email protected].
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following retention schedule applies as a baseline:
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 30 days post-cancellation |
| Billing & transaction records | 7 years (legal/tax compliance) |
| Support communications | 3 years from closure of ticket |
| Usage analytics (aggregated) | 3 years |
| Server access logs | 90 days |
| Security/audit logs | 1 year |
| Backup data | Up to 90 days in secure rotation |
| Deleted account data | Purged within 30 days of deletion request |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.
We implement and maintain a comprehensive information security programme that includes technical, organisational, and physical safeguards appropriate to the sensitivity of the data we process:
AES-256 encryption for all stored personal data
TLS 1.2+ enforced for all data transmission
Role-based access, MFA enforced for staff, least-privilege principle
Annual third-party security assessments
Documented incident response plan; GDPR Art. 33 notifications within 72 hours
Daily encrypted backups with tested restoration procedures
No security measure is 100% impenetrable. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where required under GDPR Art. 33–34.
Depending on your jurisdiction, you hold the following rights over your personal data. To exercise any right, submit a verified request to [email protected]. We will not discriminate against you for exercising your rights.
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about:
We will respond to access requests within 30 days (GDPR) or 45 days (CCPA) of verified receipt.
You may request correction of inaccurate or incomplete personal data we hold about you. We will action verified correction requests without undue delay, and in any event within one calendar month. Where data has been shared with third-party processors, we will notify them of the correction unless this proves impossible or involves disproportionate effort.
You may request deletion of your personal data where one of the following grounds applies:
Exceptions apply where retention is required for legal obligations, the exercise of legal claims, or public interest purposes.
Where processing is based on consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). You may also request that we transmit that data directly to another controller where technically feasible.
You may object to processing based on legitimate interests or direct marketing purposes at any time. Upon receipt of a valid objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
You may also request restriction of processing during the period while we verify accuracy, consider your objection, or establish whether there is a legal basis for processing.
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. TableGreet does not currently employ fully automated decision-making that legally affects our users. Any profiling we conduct (e.g., for analytics) is human-reviewed before any consequential action is taken.
Supervisory Authority: If you are located in the EEA or UK and believe we have violated your rights, you have the right to lodge a complaint with your local data protection supervisory authority (e.g., the UK Information Commissioner's Office at ico.org.uk, or your EU national authority).
We use cookies and similar technologies to operate and improve our Services. Our full Cookie Policy is available at /cookies. A summary of cookie categories:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Authentication, session management, security | No (essential) |
| Functional | User preferences, language, theme | Yes |
| Analytics | Usage statistics, feature performance | Yes |
| Marketing | Personalised ads, retargeting | Yes (opt-in only) |
You can manage cookie preferences at any time via our Cookie Settings panel or your browser settings. Withdrawing consent for non-essential cookies will not affect our legal basis for processing data under other grounds.
Our Services are directed exclusively to business operators and are not intended for individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from minors.
If you are a parent or guardian and believe a minor has provided us with personal data, please contact us immediately at [email protected]. Upon verification, we will promptly delete the relevant data.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights:
To submit a verifiable consumer request, contact us at [email protected] with subject line "CCPA Rights Request." We will respond within 45 calendar days.
We do not sell or share personal information as defined by the CCPA/CPRA.
We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons. Material changes will be communicated via:
Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy. If you do not agree with our Privacy Policy, you must cease using the Services and may request deletion of your account.
All prior versions of this Policy are archived and available upon request.
For any privacy-related enquiries, requests to exercise your rights, or to report a concern, please contact: