Privacy Policy
Last updated: April 10, 2026
1. Scope
This Privacy Policy describes how we process personal data through the restaurant’s public website, the administration panel, media and content upload flows, and AI-assisted features for content translation. If in the future the platform is offered in SaaS mode to multiple restaurants, this policy will be supplemented with specific notes on the allocation of responsibilities between the platform and each tenant restaurant.
If a feature is not enabled in production, this policy does not present it as active. Optional processing activities are described as optional and conditional.
2. Data Controller
2.1 Current mode — a single restaurant
In the current deployment, the restaurant identified in the site settings is the data controller for the personal data processed through the public site and the administration panel. The specific identification details, postal address, privacy contact, and, where applicable, the data protection officer, are shown at the end of this page and are loaded dynamically from the internal configuration.
Infrastructure providers and external services act as data processors or service providers, to the extent that they process data on behalf of the restaurant.
2.2 Future SaaS mode
In the planned multitenant SaaS mode, the roles are clearly separated: the platform is the data controller for its own business operations (account creation, billing, security logs, abuse prevention, support, and metrics strictly necessary to operate the service), while each tenant restaurant is normally the data controller for its customers’ data, reservations, messages, loyalty, CRM, and website content processed within its tenant space.
The platform acts as a data processor or service provider with respect to tenant-controlled data, in accordance with documented instructions in the contract and the data processing agreement (DPA). Third-party platforms that the end user uses directly—messaging, maps, payments, or reservations—may act as separate controllers under their own terms.
3. Categories of data processed
3.1 Data from public website visitors
IP address and basic server logs; browser, device, language, referrer, and request metadata; cookie and consent status where a consent layer exists; pages visited and interactions with content; contact actions (clicks to WhatsApp, map, phone, or booking links); data submitted through public forms if enabled in the future.
3.2 Administration account data
Name, email, role, password hash, and authentication events; password reset events and abuse-prevention logs; content edits, publishing actions, upload activity, and operational audit logs.
3.3 Content and media data
Menu, stories, homepage and site page content entered by administrators; uploaded images and localized alt text; SEO metadata, slugs, publication timestamps and editorial structured content.
3.4 AI-assisted processing data
Content provided by the administrator and submitted for translation or controlled transformation; minimal metadata necessary for rate limiting, observability, and cost control. No end-user free-form texts, special categories, or sensitive tenant-customer data are sent to the AI provider unless a later feature explicitly enables it and the legal bases, notices, and contracts are updated.
3.5 SaaS tenant data (future)
Tenant business identity, contacts, billing, subscription, support and contractual records; tenant configuration, domain and subdomain settings, localization preferences and legal pages configuration; tenant user accounts, permissions and security logs.
3.6 Tenant end-customer data (future)
If future modules are added, a tenant may process data relating to its own customers (reservations, contact details, loyalty, CRM, support requests, order- or event-related data). When that happens, a tenant privacy notice identifying the tenant as controller must be published, and the platform’s processor role must be documented in the DPA and subprocessor materials.
4. Purposes and legal bases
The specific legal basis depends on the processing context and the market. The reference model for this project is as follows:
1. Site delivery, security and session integrity — legitimate interest and, where applicable, necessity to provide the requested service.
2. Administration account management and authentication — performance of a contract, legitimate interest and compliance with security obligations.
3. Publication and localization of site content — legitimate interest in operating and localizing the service; contract where content is managed within a service relationship.
4. AI-assisted translation of content provided by administrators — legitimate interest in multilingual editorial workflows, with minimization and processor safeguards.
5. Customer support, abuse prevention, fraud prevention and platform security — legitimate interest and compliance obligations.
6. Analytics, marketing tags, remarketing, embedded third-party content or other non-essential processing — prior consent when required by law in Spain / EEA. These features are not currently enabled in this deployment; if they are enabled in the future, the consent selector will be shown in advance.
7. Future tenant SaaS operations — the legal basis will depend on whether the platform acts as controller for its own operations or as processor on behalf of the tenant.
The application does not rely on legitimate interest for non-essential cookies or for advertising technologies where cookie rules require consent.
5. Cookies and similar technologies
The cookie rules must be read together with the specific Cookie Policy (linked in the footer of each page). The baseline for this project is: strictly necessary cookies may be used without prior consent when the law allows; optional analytics, advertising, cross-site measurement and similar technologies remain disabled until valid consent is obtained when legally required.
If tools such as Google Analytics, Meta Pixel, Google Ads or Google Consent Mode v2 are enabled at any time, the cookie notice and the consent manager will be updated before activation. The existence of a tag manager or a consent mode does not replace the need for valid consent when the law requires it.
No "continued browsing" patterns, pre-ticked boxes or visually manipulative banner designs are used, nor will they be used, as consent mechanisms.
6. Data sharing and subprocessors
Depending on the active deployment features, data may be processed by the following types of providers: hosting and edge; databases; media storage; AI providers for controlled translation; email delivery; map, booking or messaging providers if the corresponding features are enabled; security and observability providers.
The current architecture of this project may include providers such as Vercel (hosting and functions), Neon (PostgreSQL), Vercel Blob (media storage), OpenAI (only for editorial translation with minimized submissions) and, optionally, external messaging, maps or booking services configured by the restaurant.
This policy does not list providers that are not actually used in the deployment. When the active set of subprocessors changes, the effective list will be updated.
7. International transfers
When data are accessed from outside the EEA or transferred outside the EEA, transfers will be based on an appropriate mechanism: adequacy decision, EU-U.S. Data Privacy Framework where applicable, standard contractual clauses or another valid transfer mechanism permitted by law.
Since transfer rules evolve and may change, the project maintains support for a dynamic subprocessors and transfers page, instead of keeping outdated statements in static text.
8. Retention
Retention is aligned with real business and security needs and, in SaaS mode, with the tenant’s contract terms. The general reference is: security and authentication logs — only for the period reasonably necessary for abuse detection, investigations and legal defense; admin account records — while the account is active and, afterward, only what is required for security, compliance and audit; published content and media — for as long as the business decides to publish or archive them; AI translation uploads — not retained beyond what is operationally necessary in application logs; tenant contractual, billing and support records — for the life of the contract plus legally required retention; tenant customer data after termination — returned or deleted according to the contract / DPA schedule, subject to backup and legal retention constraints.
9. Data subject rights
9.1 Spain / EEA / EU
People in the EEA generally have the right to: access, rectification, erasure, restriction, objection, portability, withdrawal of consent where processing is based on it, and lodging a complaint with a supervisory authority. In Spain, the competent authority is usually the Spanish Data Protection Agency (AEPD).
To exercise your rights, you can contact the data controller using the contact details provided at the end of this page. We will respond within the legally required time limits.
9.2 Ukraine
For publications aimed at Ukraine, this policy also recognises the rights provided for in the Law of Ukraine "On Personal Data Protection". Where data are processed in an EEA context or offered to the EEA, the GDPR may apply in parallel.
9.3 United States
For publications aimed at the U.S., supplementary notices apply: rights depend on the state of residence and the applicability threshold of the relevant law; California residents may have rights to know, delete, correct, opt out of sale or sharing, limit the use of sensitive personal information, and not be discriminated against for exercising those rights; if the service conducts a "sale" or "sharing" in the legal sense, browser-level privacy signals such as Global Privacy Control will be honoured when required.
10. Minors
The site and the SaaS platform are not intentionally directed at minors unless a specific feature is designed and legally reviewed for that purpose. In Spain, consent-based processing of minors' data generally requires the involvement of parents or guardians when the minor is under 14 years of age. If a future feature may involve minors, age gating and parental consent logic will be reviewed before launch.
11. Security
The service applies the platform safeguards documented in the project architecture, including: rate limiting of authentication attempts; password reset rate limiting; file upload restrictions; content security policy (CSP) and media restrictions; input validation and schema integrity; AI restrictions and structured output validation; abuse detection and operational logging; tenant isolation in the future SaaS model.
This policy describes security measures at a high level and does not promise controls that are not actually implemented.
12. Future use of analytics, pixels and consent modes
The project is architected to support tools such as Google Analytics, Meta Pixel or other measurement technologies, as well as Google Consent Mode v2 or other consent signalling frameworks, should the restaurant decide to enable them in the future. None of these tools is currently enabled in this deployment.
When enabled: the cookie policy will be updated with actual vendors, purposes, durations and categories; the consent manager will be shown before any non-essential tag is loaded; the reject option will have the same prominence as accept; withdrawing consent will be as easy as giving it; proof of consent status will be retained where necessary. No consent technology will be invoked to circumvent the requirement for prior consent where the law requires it.
13. Changes to this policy
When this policy changes, the date shown at the top of the page will be updated. Material changes will be communicated in a proportionate manner, for example through a prominent notice on the site. We encourage you to review the page periodically.
14. Contact
Questions about this policy or about your rights may be addressed to the data controller using the contact details shown at the end of this page. In SaaS mode, the tenant responsible for your specific interaction is identified in the notice corresponding to their site.
Data controller
Saravo