Privacy & Data Protection Policy

Find A Table

Your privacy is important to us, and we take it seriously. We respect your privacy and are committed to protecting the personal data we collect about you. This Privacy & Data Protection Policy (hereinafter the “Policy”) describes the information that Find A Table collects about you, how we process it, and your rights under applicable data-protection law.

This Policy covers personal data processing carried out by Find A Table as data controller, or possibly as joint data controller with restaurant partners (“Customers”), where appropriate. The processing of personal data by Customers acting solely as independent data controllers is not covered by this Policy. We encourage you to contact the relevant restaurants directly for information about their own data-processing practices.

1. Definitions

In addition to terms defined elsewhere in this Policy, the following terms shall have the following meanings:

•        “Personal data”: any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

•        “Processing”: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.

•        “Data controller”: the natural or legal person that determines the purposes and means of processing. When purposes and means are determined jointly with another party, they are “joint controllers.”

•        “Processor”: a natural or legal person that processes personal data on behalf of the controller.

•        “Recipient”: a natural or legal person, public authority, department or any other body that receives personal data, whether or not it is a third party.

•        “Customer”: a restaurant, café, or food-service establishment that has subscribed to Find A Table services and is listed on the Platform.

•        “Platform”: the Find A Table website (www.findatable.nl), the restaurant administration dashboard (connect.findatable.nl), the iOS and Android mobile applications (guest app, POS app, and admin app), and any related services or widgets.

2. Data Controller

2.1 Identity

The controller of your personal data is New Soft Solution, trading as Find A Table.

Registered address: Fluitekruidweg 257, 1508 AG Zaandam, Netherlands

KvK (Chamber of Commerce): 95603840

BTW (VAT): NL005166191B43

Privacy contact / DPO: privacy@findatable.nl

General contact: support@findatable.nl

2.2 Our role in dataprocessing

Find A Table offers an all-in-one restaurant management platform, including reservation management, online ordering (delivery and pickup), a loyalty programme, gift cards, a point-of-sale (POS) system, review collection, and restaurant website widgets. The Platform is accessible via www.findatable.nl (guest website), connect.findatable.nl (restaurant administration dashboard), and our iOS and Android mobile applications for both guests and restaurant staff.

Depending on the service, Find A Table may act as:

•        Sole data controller: for processing related to Platform operation, website analytics, marketing communications, account management, and general enquiries.

•        Joint data controller with the Customer: for processing related to reservations, online orders, click-and-collect, gift card redemptions, pay-at-table, reviews collected through our system, and loyalty programme activities performed jointly with the restaurant. In such cases, Find A Table and the Customer each bear responsibility for their respective part of the processing. To find out more about the division of roles and responsibilities in joint controllership, please contact privacy@findatable.nl.

Note: When a reservation, order, or review is made directly with a Customer without using Find A Table services, the Customer is the sole controller for that processing. Please contact the restaurant directly for details.

3. How Is Your Personal Data Collected?

3.1 Data collected directly from you

Your personal data is collected when you:

•        Browse the Platform (website, mobile app) and interact with its features;

•        Create an account, make a reservation, place an order, purchase or redeem a gift card, or participate in the loyalty programme;

•        Enter information in data-collection forms on the Platform;

•        Post a review, leave feedback, or contact us by any means;

•        Interact with a Find A Table reservation widget embedded on a Customer’s website;

•        Subscribe to our newsletter or marketing communications.

3.2 Data collected from third parties

Your personal data may also be collected through or from:

•        Restaurant partners (Customers) e.g. confirmation that your reservation was honoured, that your order was completed, or that your gift card was redeemed;

•        Stripe (our payment processor) transaction status, fraud-prevention signals, and truncated card references;

•        Google Analytics - anonymised usage and traffic data (only with your consent for non-essential cookies).

We do not purchase or rent contact lists from data brokers or third-party marketing databases.

3.3 Mandatory vs. optional data

Where forms are used to collect personal data, mandatory fields are marked with an asterisk (*). If you do not provide mandatory information, we may be unable to process your request, complete your reservation, or deliver the service. All other fields are optional.

3.4 Sensitive data

We do not intentionally collect “special category” personal data as defined in Article 9 of the GDPR (e.g. data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation). We kindly request that you do not include such data in your communications with us, your reviews, or your reservation notes. Dietary requirements or allergy information you voluntarily provide are processed solely for the purpose of your restaurant visit.

3.5 Children’s data

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from people under 18. If we become aware that we have collected data from a person under 18 without verifiable parental consent, we will delete it without undue delay. If you believe a minor has provided us with personal data, please contact privacy@findatable.nl.

4. What Data Is Collected, for What Purposes, on What Legal Basis, and for How Long?

Your personal data is processed for the following purposes. For each, we specify the data controller(s), the categories of data processed, the legal basis, and the retention period.

4.1 Management of reservations and online orders

Purpose: To take, manage, track, confirm, or cancel reservations and online orders (delivery and pickup) placed through the Platform. Reports and statistics (fill rate, reservation trends, no-show rates) are also generated for the relevant Customer.

Data controller(s): Find A Table and the Customer with whom the reservation or order is made (joint controllers).

Data processed: Name, email address, telephone number, reservation date/time, party size, special requests (dietary needs, seating preference, occasion), delivery address (for delivery orders), items ordered, order value, payment status, reservation source (website, app, widget, phone), gift code (if applicable), no-show/arrived status and timestamp, conversation history and reservation notifications.

No-show risk alerting: The Platform may generate an objective, automatic alert for the Customer if a guest has a history of not honouring reservations in the preceding 12 months, or if simultaneous reservations at multiple restaurants are detected. This alert does not prevent the guest from making a reservation and does not result in automatic cancellation. The Customer may choose to ignore the alert or take additional measures (e.g. request reconfirmation, prepayment, or card pre-authorisation).

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) for processing the reservation/order you initiated, and legitimate interest (Art. 6(1)(f)) of Find A Table and the Customer in managing restaurant operations.

Retention: Active database for 24 months from the date of the reservation/order or the last contact, then archived for 5 years for administrative and evidential purposes. Financial records are retained for 7 years per Artikel 52 AWR (Dutch tax law).

4.2 Payment processing

Purpose: To process payments for online orders, gift card purchases, and any prepayments or card pre-authorisations requested by Customers.

Data controller(s): Find A Table (sole controller for platform payment facilitation). Stripe acts as an independent controller for its own fraud-prevention processing.

Data processed: Truncated card reference, transaction amount, payment method (Visa, Mastercard, iDEAL), transaction status, receipt. Find A Table does not store full credit card numbers, expiry dates, or CVV codes - these are processed and stored exclusively by Stripe.

Legal basis: Performance of contract (Art. 6(1)(b)).

Retention: Transaction records: 7 years (Artikel 52 AWR). Full payment card data retention periods are determined by Stripe; Find A Table has no control over those periods.

4.3 Account management

Purpose: To create and manage your Find A Table account, authenticate your identity, and provide access to your reservation history, order history, loyalty balance, and preferences.

Data controller: Find A Table (sole controller).

Data processed: Name, email address, telephone number, encrypted password, language preference, account creation date, login history.

Legal basis: Performance of contract (Art. 6(1)(b)).

Retention: As long as your account is active. After account deletion: personal data erased within 30 days, except where retention is required by law.

4.4 Loyalty programme and gift cards

Purpose: To administer the loyalty programme (points earning, redemption, voucher issuance) and gift card lifecycle (purchase, balance tracking, redemption, expiry).

Data controller(s): Find A Table and the relevant Customer (joint controllers for loyalty redemptions at the restaurant).

Data processed: Name, email, points balance, points-earning events (completed visits, sign-up, referrals, reviews), voucher history, gift card purchaser/recipient details, gift card balance and usage history.

Legal basis: Performance of contract (Art. 6(1)(b)).

Retention: For the validity period of the points/card plus 12 months. Gift Cards purchase records: 7 years (tax law).

4.5 Review management

Purpose: To collect, display, and moderate reviews and ratings from guests following a reservation or order. Reviews may be published on the Platform (website and mobile app) and shared with the relevant Customer via their dashboard.

Data controller(s): Find A Table and the relevant Customer (joint controllers for reviews collected through the Platform).

Data processed: Name (or first name), review content, rating, date, associated restaurant.

Legal basis: Legitimate interest (Art. 6(1)(f)) in providing transparent restaurant feedback.

Retention: Active database for 36 months, then archived for 5 years. You may request removal of your review at any time.

4.6 Marketing and commercial communications

Purpose: To send you newsletters, promotional offers, event invitations, satisfaction surveys, and information about Find A Table services. Communications may promote Find A Table and/or a Customer restaurant.

Data controller: Find A Table (sole controller for Find A Table promotions). Find A Table and the Customer as joint controllers when communications promote both.

Data processed: Name, email address, telephone number, communication preferences, open/click engagement data.

Legal basis: Consent (Art. 6(1)(a)) for marketing emails. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting privacy@findatable.nl. For existing customers, we may send communications about similar services based on legitimate interest (Art. 6(1)(f), “soft opt-in” under recital 47 GDPR and Dutch Telecommunicatiewet), always with an easy opt-out.

Retention: Active database for 3 years from the last interaction, then archived for 5 years.

4.7 Analytics, studies, reports, and service improvement

Purpose: To understand how visitors use the Platform, prepare aggregate reports and statistics, measure service performance, and improve the user experience.

Data controller: Find A Table (sole controller).

Data processed: Pseudonymised usage data, session data, browser/device type, IP address (anonymised where possible), pages visited, time spent, click and scroll behaviour, traffic sources.

Legal basis: Legitimate interest (Art. 6(1)(f)), balanced against your privacy through pseudonymisation and IP anonymisation. For analytics cookies: consent (Art. 6(1)(a)). See our Cookie Policy.

Retention: Active database for 26 months (aligned with Google Analytics default), then deleted or anonymised.

4.8 Cookies and similar technologies

Purpose: To record preferences, manage and secure the Platform, measure navigation and traffic, improve performance and user experience, and provide certain features. For full details, including each cookie’s name, purpose, provider, and lifespan, see our separate Cookie Policy.

Data controller: Find A Table (sole controller). Third-party cookie providers (Stripe, Google) may act as independent or joint controllers for their own processing.

Legal basis: Strictly necessary cookies: legitimate interest (Art. 6(1)(f)). All other cookies: consent (Art. 6(1)(a)), collected via our cookie consent banner.

Retention: Maximum 12 months for persistent cookies. Session cookies expire on browser close. Consent is renewed every 12 months.

4.9 Legal obligations and accounting

Purpose: To comply with Dutch and EU legal, regulatory, tax, and accounting obligations.

Data controller: Find A Table (sole controller).

Data processed: Transaction data, invoice data, payment records, identity and contact details as required.

Legal basis: Legal obligation (Art. 6(1)(c)), specifically Artikel 52 AWR and Dutch commercial-code requirements.

Retention: 7 years for tax and accounting records; 10 years for documents required by the Dutch Civil Code (Burgerlijk Wetboek).

4.10 Fraud prevention and platform security

Purpose: To detect and prevent fraud, abuse, no-show manipulation, fake reviews, unauthorised access, and other security threats.

Data controller: Find A Table (sole controller).

Data processed: IP addresses, login attempts, device identifiers, behavioural patterns, fraud-prevention signals from Stripe.

Legal basis: Legitimate interest (Art. 6(1)(f)).

Retention: Server logs: 90 days. Fraud-investigation records: duration of investigation plus 5 years.

4.11 Handling data-subject rights requests

Purpose: To process, manage, and respond to requests you make to exercise your data-protection rights (access, rectification, erasure, objection, etc.).

Data controller: Find A Table (sole controller).

Data processed: Your identity and contact details, the content of your request, any proof of identity where required, our response, and relevant correspondence.

Legal basis: Legal obligation (Art. 6(1)(c)) under GDPR Articles 15–22.

Retention: Until the request is fully resolved, then archived for 5 years for evidential purposes. Identity documents: deleted immediately after verification.

4.12 Pre-litigation and litigation

Purpose: To manage disputes, defend legal claims, enforce contracts, and comply with court orders.

Data controller: Find A Table (sole controller).

Legal basis: Legitimate interest (Art. 6(1)(f)) in safeguarding our legal rights.

Retention: For the duration of the applicable statute of limitations (generally 5 years under Dutch law), or until all proceedings and appeals are concluded and decisions enforced.

5. Who Receives Your Personal Data?

We do not sell your personal data to anyone. Only authorised people within Find A Table may access your data when such access is necessary for the performance of their duties. Your data may also be shared with the following categories of recipients, and only to the extent necessary for the relevant purpose:

 

Recipient	Purpose	Safeguards
Restaurant partners (Customers)	Fulfilment of reservations, orders, gift card redemptions, loyalty redemptions, and review management	Joint controller arrangement; each party responsible for its own obligations
Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland)	Payment processing, fraud prevention	EU–US Data Privacy Framework certified; DPA with SCCs
DigitalOcean (New York, USA; EU data centre in Amsterdam)	Platform hosting and infrastructure	DPA with Standard Contractual Clauses
Vercel (San Francisco, USA)	Frontend hosting and content delivery	DPA with Standard Contractual Clauses
Google (Google Ireland Ltd., Dublin)	Website analytics (Google Analytics with IP anonymisation)	EU–US DPF; DPA signed; data sharing with other Google services disabled
Professional advisors	Legal, financial, and accounting advice	Bound by professional secrecy
Public authorities	Tax, law enforcement, regulatory authorities where required by law	Legal obligation (Art. 6(1)(c))
Courts and judicial officers	Litigation, enforcement of decisions	Legal obligation or legitimate interest

 

The above recipients are not necessarily recipients of all your personal data, but only that which is necessary for the purpose for which the data is shared.

6. International Data Transfers

Your data is primarily stored within the European Economic Area (EEA), specifically in DigitalOcean’s Amsterdam data centre. Where data is transferred outside the EEA (e.g. to service providers in the United States), we ensure adequate protection through one or more of the following mechanisms:

•        An adequacy decision by the European Commission for the recipient’s country;

•        EU–US Data Privacy Framework certification of the recipient;

•        Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021 version);

•        Your explicit consent, after being informed of potential risks (where no other mechanism applies).

You may request a copy of the applicable safeguards by contacting privacy@findatable.nl.

7. Your Rights Under the GDPR

In accordance with applicable data-protection law, you have the following rights regarding your personal data:

•        Rights of access (Art. 15): Obtain confirmation as to whether your data is being processed and, if so, receive a copy of all personal data we hold about you, along with information about the processing.

•        Right to rectification (Art. 16): Request correction of inaccurate data or completion of incomplete data, at any time through your account settings or by contacting us.

•        Right to erasure (Art. 17): Request deletion of your personal data in certain circumstances (e.g. data no longer necessary, consent withdrawn), unless retention is required by law.

•        Right to restriction (Art. 18): Request that we restrict processing of your data in certain situations, e.g. while we verify accuracy or assess an objection.

•        Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format, or request its transfer to another controller (where processing is based on consent or contract and carried out by automated means).

•        Right to object (Art. 21): Object to processing based on legitimate interest on grounds relating to your particular situation. For direct marketing (including profiling related to marketing), you have an absolute right of objection at any time without providing justification.

•        Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

•        Right to set post-mortem instructions: In accordance with applicable law, you may set instructions regarding the retention, deletion, or communication of your personal data after your death. In the absence of such instructions, your data will be deleted (except where retention is legally required) after your death has been brought to our attention.

•        Right to lodge a complaint (Art. 77): Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands - www.autoriteitpersoonsgegevens.nl.

7.1 How to exercise your rights

You may exercise any of these rights by contacting our Data Protection contact:

Email: privacy@findatable.nl

Post: New Soft Solution, Attn: Privacy / DPO, Fluitekruidweg 257, 1508 AG Zaandam, Netherlands

We will respond within 30 days of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by a further 60 days, and we will inform you of any extension within the initial 30-day period.

In the event of reasonable doubt as to your identity, we may ask you to provide additional verification (e.g. a copy of an identity document). Any such document will be deleted immediately after verification.

You may also appoint a representative to exercise your rights on your behalf, provided they can prove their identity and the scope and duration of the mandate.

8. Data Security

8.1 Technical and organisational measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

•        Encryption of data in transit (TLS 1.2+/HTTPS) and at rest;

•        Role-based access controls - access limited to authorised staff who need it for their duties;

•        Regular vulnerability assessments, penetration testing, and software updates;

•        Data Processing Agreements with all sub-processors, contractually requiring them to guarantee security and confidentiality;

•        Data minimisation: we collect only the personal data necessary for each stated purpose;

•        Regular encrypted backups and disaster recovery procedures;

•        Secure password storage using industry-standard hashing algorithms.

8.2 Privacy by design and by default

In the development, design, selection, and use of our services, we take into account the right to protection of personal data by design and by default, in accordance with Article 25 of the GDPR. This means that data-protection principles are embedded into every new product, feature, or process from the earliest design stage.

8.3 Breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours (Article 33 GDPR). Where the breach is likely to result in a high risk to you, we will also inform you without undue delay (Article 34 GDPR).

9. Automated Decision-Making and Profiling

We do not engage in fully automated decision-making that produces legal effects or similarly significantly affects you, as described in Article 22 of the GDPR.

The no-show risk alert described in Section 4.1 is an informational flag provided to the restaurant — it is objective, based solely on historical reservation data, and does not automatically cancel reservations, restrict your account, or produce any legal or similarly significant effect. The restaurant retains full discretion over how to act on the alert.

10. Third-Party Links

The Platform may contain links to third-party websites (e.g. restaurant websites, social media pages, app stores). We have no control over the data-protection practices of these third-party sites. We recommend that you review their privacy policies before sharing any personal data with them.

If you post content disclosing your personal data on publicly accessible areas of the Platform (e.g. reviews), this content may be viewed by any visitor. We are not responsible for the use of such data by third parties.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or the services we offer. When we make material changes, we will:

•        Notify you by email (if you have an account) at least 14 days before the changes take effect;

•        Post a prominent notice on the Platform;

•        Update the “Date of last update” at the top of this document.

We invite you to consult this Policy regularly.

12. Contact Us

If you have questions, concerns, or wish to exercise your data-subject rights:

Privacy / DPO email: privacy@findatable.nl

General support: support@findatable.nl

Post: New Soft Solution, Attn: Privacy, Fluitekruidweg 257, 1508 AG Zaandam, Netherlands

Website: www.findatable.nl

KvK: 95603840

BTW: NL005166191B43

 

If you believe your data is not being processed in accordance with applicable law, you have the right to lodge a complaint with:

•        Netherlands: Autoriteit Persoonsgegevens - Bezuidenhoutseweg 30, 2594 AV The Hague - www.autoriteitpersoonsgegevens.nl

If you are located in another EU/EEA country, you may lodge a complaint with the supervisory authority of that country. A list of European supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.