This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer" or "Restaurant") and Restaurant Platforms ("Restaurant Platforms," "we," "us") for use of the Service. It describes how we process personal data on your behalf. It is provided for general information and does not constitute legal advice.

1. Roles of the parties

For end-customer and employee personal data submitted to or collected through the Service, the Restaurant is the data controller and Restaurant Platforms is the data processor, processing such data only on the Restaurant's documented instructions and to provide the Service. For a limited set of platform-operation purposes (billing, security, fraud prevention, and product improvement using de-identified data), Restaurant Platforms acts as an independent controller.

2. Scope and purpose of processing

We process personal data to provide the ordering, reservations, loyalty, CRM, staff-operations, messaging, and AI features you enable. Categories of data subjects include your end-customers, guests, and staff. Categories of personal data include names, contact details, order and reservation history, loyalty activity, marketing-consent records, and staff scheduling and pay-rate information.

3. Subprocessors

You authorise Restaurant Platforms to engage subprocessors to provide the Service. We require each subprocessor to provide protections consistent with this DPA. Current subprocessors include:

Supabase — database, authentication, storage
Vercel — application hosting and content delivery
Stripe — subscription billing and end-customer payment processing
Resend — transactional and marketing email delivery
Twilio — SMS delivery
Google, Anthropic, and OpenAI — AI model providers for recommendations and drafting
Upstash — caching and rate limiting
Sentry — error and performance monitoring

We will give notice of a new or replacement subprocessor before it begins processing, so you have an opportunity to object on reasonable data-protection grounds.

4. Security

We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, tenant data isolation enforced by row-level security, role-based access controls, audit logging, and regular backups. See our Security page for details.

5. Data subject requests

We provide tools that let you and your end-customers export and request deletion of personal data. Where you receive a data-subject request you cannot fulfil with these tools, we will provide reasonable assistance. End-customers can exercise access and deletion rights from their account's "Your data" page.

6. Data retention and deletion

We retain personal data for as long as needed to provide the Service and as required by law. On termination, we will delete or anonymise Tenant personal data after a reasonable wind-down period, except where retention is required for financial-record integrity or legal compliance, in which case records are anonymised so they no longer identify an individual.

7. Breach notification

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and provide information reasonably available to help you meet your own notification obligations.

8. International transfers

Personal data may be processed in Canada, the United States, and other jurisdictions where our subprocessors operate, with appropriate safeguards for cross-border transfers.

Data ownership

You own your data. As between you and Restaurant Platforms, your restaurant owns its customer records, reservations, menus, orders, loyalty data, and employee records. You can export this data at any time, and you keep it if you leave.

Restaurant Platforms owns the platform. We own and retain all rights to the software, algorithms, workflows, network benchmarks, aggregate and de-identified datasets, AI models, and the operational insights generated by the platform. Nothing in your use of the Service transfers ownership of these to you.

We grant you a limited right to use the Service and its outputs for your own restaurant during your subscription. We claim no ownership of your underlying records, and you claim no ownership of the platform that produces and serves them.

AI training & platform learning

Your customer data and your restaurant's identifiable data are not used to train public or third-party foundation AI models. Restaurant Platformsdoes not sell your data and does not feed your guests' personal information into external model training.

Restaurant Platforms may use de-identified, aggregated usage patterns to improve its own product — including recommendations, forecasting, the Restaurant Intelligence Network, and automation. This platform learning operates only on information that does not identify a specific customer, employee, restaurant, or transaction.

Where the platform uses third-party AI providers to generate recommendations or drafts, those providers process the necessary inputs on Restaurant Platforms's behalf to return a result, under terms that do not permit using your content to train their general models.

Aggregated & de-identified data — the Restaurant Intelligence Network

Restaurant Platformsmay collect, aggregate, anonymize, and de-identify operational and usage information across participating restaurants to generate benchmarks, industry insights, forecasting models, AI recommendations, and platform analytics (the "Restaurant Intelligence Network"). This helps every participating restaurant see how it compares and improves the recommendations the platform can offer.

De-identified aggregates never identify, and are not designed to identify, an individual customer, employee, restaurant, or transaction. A benchmark is displayed only when enough participating restaurants exist in a group to reasonably prevent any individual restaurant from being identified. No customer or employee personal information is ever included in these aggregates.

Participation in the Restaurant Intelligence Network is presented to you transparently and can be turned off at any time from your settings. Aggregated and de-identified intelligence derived in this way is owned by Restaurant Platforms.

Contact

Questions about this DPA can be sent to privacy@restaurantplatforms.com. Our address is Toronto, Ontario, Canada.