Who controls your data: When you place an order or create an account on a restaurant's page powered by Ordering.Tools, the restaurant operator is the data controller for your personal information — not Reservation Ltd. Your data is shared by you directly with the restaurant at the moment you interact. For data requests related to your orders, contact the restaurant directly.
1. Who We Are
Reservation Ltd. (“we”, “us”, “our”) develops and operates the Ordering.Tools platform — software that enables restaurants and food businesses to publish digital menus and accept online orders from their customers.
This Privacy Policy explains how Reservation Ltd. handles personal data in connection with the Ordering.Tools platform. It also explains the relationship between Reservation Ltd., Restaurant Operators, and Customers with respect to data protection.
2. Data Controller vs. Data Processor — A Critical Distinction
Under the EU General Data Protection Regulation (GDPR) and Bulgarian data protection law, there is an important legal distinction between a data controller (the entity that decides why and how personal data is processed) and a data processor (the entity that processes data on behalf of a controller).
Restaurant Operators are Data Controllers
When you place an order, create an account, or interact with a restaurant's page powered by Ordering.Tools, the restaurant operator is the data controller for all personal data you provide. The restaurant determines the purpose and means of processing your data. They are legally responsible for complying with data protection laws in relation to your data.
Reservation Ltd. is a Data Processor
Reservation Ltd. processes customer personal data only on behalf of Restaurant Operators, under their instruction, and solely for the purpose of providing the Platform Services. The data processor relationship between Reservation Ltd. and Restaurant Operators is governed by these Terms of Use and this Privacy Policy, which together form the data processing framework applicable to all operators using the Platform.
This means: if you have a question about how a specific restaurant uses your data, or if you want to exercise data rights in relation to your orders, you should contact the restaurant directly.
3. What Data We Process and Why
3.1 Data You Provide as a Customer (processed on behalf of Restaurant Operators)
When you interact with a restaurant's ordering page, you may provide:
- Account information: Name, email address, phone number (when creating an optional customer account)
- Order data: Items ordered, special instructions, delivery address, order history
- Contact details: Information submitted at checkout to enable the restaurant to fulfil your order
You share this data voluntarily and directly with the restaurant at the moment you choose to interact with their page. Reservation Ltd. processes this data solely as a technical intermediary to deliver the ordering functionality on behalf of the restaurant.
Legal basis: Processing is necessary for the performance of the ordering service on behalf of the Restaurant Operator, and is governed by the data processing framework set out in these Terms of Use and this Privacy Policy.
3.2 Restaurant Operator Account Data (Reservation Ltd. as Data Controller)
When a business subscribes to Ordering.Tools, we collect and store:
- Account credentials: Username, email address
- Business information: Restaurant name, venue details, operational settings
- Billing data: Processed via third-party payment providers; we do not store card data
- Communication records: Support requests or correspondence with us
Legal basis: Performance of the subscription contract between Reservation Ltd. and the Restaurant Operator, and legitimate interests in providing, securing, and improving the Platform.
3.3 Technical and Usage Data
We collect limited technical data to operate and maintain the Platform:
- Server logs (IP addresses, request times) — retained for up to 30 days for security purposes
- Error logs for debugging and service improvement
- Aggregate, anonymised usage statistics
Legal basis: Legitimate interests in maintaining the security and performance of the Platform.
4. How We Use Your Data
Reservation Ltd. uses personal data only for:
- Providing the Platform Services to Restaurant Operators and enabling ordering functionality for Customers
- Sending transactional communications (e.g., order confirmations) on behalf of Restaurant Operators
- Maintaining and improving the security, performance, and functionality of the Platform
- Complying with legal obligations
We do not use Customer data for our own marketing purposes. We do not profile Customers or sell, rent, or trade any personal data to third parties.
5. Data Sharing
We do not sell personal data. We may share data only in the following limited circumstances:
- Restaurant Operators: Customer data is made accessible to the Restaurant Operator on whose platform you interacted. This is the primary and intended use.
- Infrastructure providers: We use cloud hosting, database, and infrastructure providers who process data on our behalf under appropriate data processing agreements. These include AWS (hosting and storage) and similar sub-processors.
- Payment processors: Payment data flows directly to third-party payment processors (e.g., Stripe, MyPOS). We do not receive or store payment card details.
- Email providers: Transactional emails (order confirmations, notifications) may be sent via email delivery services under appropriate agreements.
- Legal requirements: We may disclose data where required to comply with a legal obligation, court order, or to protect the rights, property, or safety of Reservation Ltd., our users, or the public.
All third-party processors we use are subject to contractual obligations that restrict them from using personal data for any purpose other than providing services to us.
6. Your Rights — Including the Right to Erasure
Under applicable data protection law (EU GDPR and Bulgarian data protection legislation), you have the following rights:
Right to Erasure (“Right to Be Forgotten”)
You have the right to request that your personal data be deleted. We take this right seriously and will honour it.
- Platform accounts (created directly with Ordering.Tools): You may request deletion of your account and associated data at any time. We will process the request within 30 days of receipt, subject to any legal retention obligations.
- Customer ordering accounts (order history, profile data): Because the restaurant operator is the data controller for this data, erasure requests relating to orders and customer profiles must be directed to the relevant restaurant. We will forward verified requests to the appropriate Restaurant Operator and assist where technically possible.
Right of Access
You have the right to request a copy of the personal data we hold about you. We will respond within 30 days.
Right to Rectification
If your data is inaccurate or incomplete, you have the right to request correction.
Right to Restriction of Processing
You may request that we restrict processing of your data in certain circumstances (e.g., while accuracy is contested).
Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used format.
Right to Object
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
To exercise any of these rights, contact us at: [email protected]
If you are unsatisfied with our response, you have the right to lodge a complaint with the competent supervisory authority. As a Bulgarian company, our lead supervisory authority is the Commission for Personal Data Protection of Bulgaria (CPDP) — cpdp.bg. EU residents may also contact their local national data protection authority.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Customer order accounts and order history | As determined by the Restaurant Operator (data controller). Upon account deletion request, removed within 30 days. |
| Restaurant Operator accounts | Duration of subscription plus 90 days after termination, then deleted (except where legal retention obligations apply). |
| Server and access logs | Up to 30 days for security purposes. |
| Billing and financial records | 7 years as required by applicable accounting and tax laws. |
8. Data Security
We implement technical and organisational security measures appropriate to the nature of the data we process. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security reviews.
However, no system is completely secure. We cannot guarantee absolute security and are not responsible for security incidents arising from the actions or negligence of Restaurant Operators or third-party providers beyond our direct control.
In the event of a personal data breach affecting data under our direct control, we will notify affected parties and relevant supervisory authorities as required by applicable law.
9. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA) by our infrastructure providers (e.g., AWS). Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms, to maintain the same level of protection required under EU data protection law.
10. Cookies
The Platform uses cookies strictly necessary for functionality, including:
- Session authentication tokens (to keep you logged in)
- Cart state persistence
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that profile individual users. No data is shared with advertising networks.
11. Children's Privacy
The Platform is not directed to children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data without parental consent, we will take steps to delete it promptly.
12. Responsibility for Restaurant-Level Privacy Practices
Each Restaurant Operator is independently responsible for:
- Publishing their own privacy policy to Customers as required by law
- Obtaining any required consents for marketing communications
- Responding to data subject requests related to their customers' orders and accounts
- Implementing appropriate security measures for their operational use of the Platform
- Complying with all applicable data protection laws in their jurisdiction
Reservation Ltd. is not responsible for and cannot be held liable for a Restaurant Operator's failure to comply with their own data protection obligations.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page. We encourage you to review this policy periodically. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
14. Contact and Data Requests
For all privacy-related enquiries, data access requests, or erasure requests related to Reservation Ltd.'s own data processing:
For requests related to your orders or customer profile on a specific restaurant's page, please contact that restaurant directly. They are the data controller for your order data.