Skip to content

Data Processing Agreement

Version 1.0 - Effective 17 March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between the restaurant (“Controller”) and TableGuru (“Processor”), collectively the “Parties”.

2. Scope and purpose

The Processor processes personal data on behalf of the Controller for the purpose of providing restaurant booking management services, including: reservation management, guest communication, payment processing, and analytics.

3. Categories of data subjects

  • Diners who make reservations through the platform
  • Restaurant staff who use the dashboard

4. Types of personal data

  • Name, email address, phone number
  • Booking details (date, time, party size, special requests)
  • Dietary requirements and allergen information
  • Payment information (processed by Stripe; not stored by Processor)
  • Visit history and guest preferences

5. Processor obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

6. Sub-processors

The Processor uses the following sub-processors:

  • Supabase (EU) - Database hosting and authentication
  • Vercel (Global) - Application hosting
  • Stripe (US/EU) - Payment processing
  • Resend (US) - Email delivery
  • Twilio (US) - SMS delivery
  • Anthropic (US) - AI features

The Controller will be notified of any changes to sub-processors with at least 14 days' notice.

7. Data breach notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.

8. International transfers

Where personal data is transferred outside the UK, appropriate safeguards are applied as described in the Privacy Policy.

9. Term and termination

This DPA shall remain in effect for the duration of the services agreement. Upon termination, the Processor shall delete all personal data within 30 days unless retention is required by law.

10. Governing law

This DPA is governed by the laws of England and Wales and the UK GDPR.