Tables HQ is committed to protecting your personal data and respecting your privacy. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
1. Who We Are
Tables HQ ("we", "us", "our") operates the Tables HQ restaurant management platform and this marketing website. We act as the data controller for information collected through this website.
For enquiries about this policy or your personal data, contact us at: info@tableshq.com
2. Data We Collect
From this website
When you submit a demo request or contact form, we collect:
- Your name and email address
- Your restaurant name and phone number (if provided)
- Your message
We do not use cookies for tracking or advertising on this website. Google Fonts are loaded from Google's CDN — Google may process your IP address as part of this request.
From platform customers
When a restaurant subscribes to Tables HQ, the restaurant operator is the data controller for their staff and guest data. Tables HQ acts as a data processor on their behalf. The categories of data processed through the platform include:
- Staff accounts — name, email address, role, and PIN (hashed)
- Guest profiles — name, contact details, dietary preferences, allergen notes, visit and order history, loyalty tier
- Reservation and order records
- Financial transactions (processed via Stripe — card data is never stored on our servers)
Guest allergen notes and dietary preferences may constitute special category health data under UK GDPR. Tables HQ processes this data solely as a data processor on the restaurant's instructions. The restaurant operator, as data controller, is responsible for ensuring an appropriate legal basis (such as explicit consent) is in place when collecting this information from guests.
Our use of this data is governed by a Data Processing Agreement (DPA) incorporated into our Terms of Service. We do not use customer data for any purpose beyond operating the platform.
3. How We Use Your Data
We use data collected through this website to:
- Respond to your demo request or enquiry
- Follow up on potential commercial arrangements
- Improve our marketing and product communications
We do not sell your data to third parties. We do not use your data for automated decision-making.
4. Legal Basis for Processing
Under UK GDPR, our legal bases for processing are:
- Legitimate interests — responding to demo enquiries and conducting pre-sales activities
- Contract performance — processing platform customer data to deliver the service
- Legal obligation — retaining financial records as required by law
5. Third-Party Services
We use the following sub-processors and third-party services:
- Formspree — handles contact form submissions from this website. Formspree receives the data you enter in the contact form. See Formspree's Privacy Policy.
- Stripe — processes all card payments, including subscription billing and in-venue card-present transactions. Stripe is independently PCI-DSS Level 1 certified. We never store or transmit raw card numbers. See Stripe's Privacy Policy.
- Google Fonts — fonts are loaded from Google's servers. Google may process your IP address. See Google's Privacy Policy.
- Twilio (optional) — if a customer enables WhatsApp notifications, guest messages are sent via Twilio. This is an optional feature enabled at the restaurant's discretion.
All sub-processors are required to process data only for the purposes we specify and in accordance with applicable data protection law.
6. Data Retention
- Demo enquiries — retained for up to 24 months after our last communication.
- Platform data — retained for the duration of the subscription plus 90 days after termination, to allow for account recovery. Financial records are retained for 7 years as required by HMRC guidance. The platform maintains a full audit log with 365-day retention.
- Anonymisation — upon request or after the retention period, personal data is either deleted or anonymised.
7. Data Security
We take security seriously. Measures include:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords and PINs are hashed using PBKDF2/HMAC-SHA512 and are never stored in plain text
- Two-factor authentication (MFA) is available for all staff accounts
- Access to personal data is restricted to staff who need it to perform their role
- Platform data is isolated per tenant using schema-level database separation
8. International Transfers
Some of our third-party sub-processors are based in the United States. Stripe, Twilio, and Google all process data on servers outside the UK and EEA. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the UK ICO or by an applicable adequacy decision, ensuring an equivalent level of data protection applies.
Where we host platform data directly, we use infrastructure within the UK or EEA. We do not transfer customer data to any jurisdiction without ensuring appropriate safeguards are in place.
9. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your personal data where there is no lawful reason to retain it
- Restriction — ask us to restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email info@tableshq.com. We will respond within 30 days.
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify platform customers by email.
11. Contact
For any questions about this Privacy Policy or your data, please contact us at info@tableshq.com.