Privacy Policy
How we collect, use and protect your data.
Tableview is the operating system that restaurants, bars, cafes and multi-location food and beverage groups run their daily business on. This Privacy Policy explains, in plain English, what personal data we collect, why we collect it, how long we keep it, who we share it with and what rights you have over it. It applies to the tableview.com marketing site, the Tableview product (web, tablet and POS terminal), the APIs and any related Tableview service (together, the "Service").
- Last updated: May 17, 2026
- Effective date: May 17, 2026
- Questions: office@tableview.com
In short: we collect the data we need to run your account and operate the platform. We never sell personal data and we never share it for cross-context behavioural advertising. We do not use your operational data to train AI models that benefit anyone other than your venue. You can access, export or delete your personal data at any time by contacting us, and self-serve most of these rights from inside the product.
Section 01
Who we are and how to contact us
Tableview Limited ("Tableview", "we", "us", "our") is the controller of the personal data described in this Privacy Policy in connection with the tableview.com marketing site and the data your team submits when contacting us, signing up, requesting a demo or operating the Service.
General privacy questions and requests: office@tableview.com.
Data Protection Officer / privacy team: privacy@tableview.com.
Security vulnerability reports: security@tableview.com.
When your venue uses Tableview to operate (taking orders, accepting payment, running loyalty, sending diner communications), we act as a processor for the personal data of your diners and staff that you upload to or generate inside the Service. In that capacity, your venue is the controller and the Data Processing Addendum ("DPA") incorporated into your subscription agreement governs how we process that data on your instructions. Where this Privacy Policy and the DPA conflict in respect of customer operational data, the DPA prevails.
Section 02
Who this policy applies to
This Privacy Policy applies to four groups of people. The same data may be processed for more than one of these groups depending on the context.
- Visitors to tableview.com, including marketing pages, the blog and the help centre.
- Prospects who contact us via the demo, contact or support forms.
- Customer users: owners, managers, hosts, servers, runners, cooks, accountants and IT staff who sign into the Tableview product on behalf of a venue.
- End-users (diners) whose personal data flows through the Service when your venue takes an order, opens a tab, sends a receipt, captures a loyalty profile or replies to a review.
This Privacy Policy does not apply to personal data we process exclusively as a processor on behalf of a venue. That processing is governed by the DPA between Tableview and the venue and by the venue's own privacy notices to its diners and staff.
Section 03
What personal data we collect
We split data into five categories so it is obvious which one you are looking at and on what legal basis we hold it.
Account and contact data
- Full name, work email, work phone, role/title and preferred language, when you create an account, request a demo or contact our sales, support or partnerships teams.
- Restaurant or organisation name, country, address, VAT or tax registration number, brand, segment (fine dining, casual, bar, cafe, takeaway, cloud kitchen, hotel F&B) and number of locations.
- User credentials (hashed password, single sign-on identifier, hardware security-key registration), permissions and audit trail of admin actions.
Billing and tax data
- Billing contact, billing address, invoicing email, purchase order references.
- Subscription plan, modules enabled, terminal count, location count, contracted term, invoicing currency and applicable tax rates.
- Payment method metadata (e.g. last four digits of card, card brand, expiry month/year, bank country) returned by our PCI-compliant payment partner. Full primary account numbers (PANs) never reach Tableview servers.
Operational data created inside the product
- Menu, modifier, recipe, supplier and inventory data you configure.
- Orders, tabs, voids, comps, refunds, payments, tips, gratuities, fiscal receipts, kitchen tickets, table maps and service flows.
- Diner profile data (name, contact details, dietary flags, loyalty identifiers, marketing preferences) that you choose to capture, plus a hashed reference to the diner where the diner chooses to authenticate via Tableview Order & Pay.
- Order and messaging history with diners through delivery channels and direct channels you have connected (Uber Eats, Deliveroo, DoorDash, your website, your QR-code ordering pages, SMS receipts).
- Staff scheduling, time-clock punches, payroll exports and tip-pooling outputs, where you operate the Workforce module.
- Accounting outputs, P&L exports, day-end reports and bank reconciliation entries, where you operate the Accounting module.
Telemetry and device data
- Device type and OS version of POS terminals, tablets, kitchen display systems and printers paired with the Service.
- IP address, browser type and version, screen resolution, time zone, language preference and the URLs you visited on tableview.com.
- Application logs, error stack traces and performance traces from the product. Sensitive fields (diner names, contact details, payment metadata) are masked before logs leave your tenant.
- Crash reports, with stack traces and aggregate device characteristics, never with order or diner content.
Communications and support data
- Records of messages you exchange with Tableview support, sales and partnerships (email, in-product chat, phone call notes).
- Survey responses, NPS scores and product feedback you submit.
- Recordings of training calls or onboarding webinars where you have given consent at the start of the session.
We do not knowingly collect special category personal data (data concerning health, sex life, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data). Please do not capture special category data in optional free-text fields. Where dietary flags are captured by your venue (e.g. allergens, vegetarian, vegan), we treat that data with extra care and process it strictly to deliver the ordered service.
Section 04
How we collect it
- Directly from you. When you create an account, request a demo, contact us, place a support ticket or use the product.
- Automatically. Through the use of the Service, including cookies and similar technologies (see the Cookie Policy), application telemetry and security event logs.
- From third parties. Sign-in providers (Google, Microsoft, Apple) where you choose single sign-on; payment partners (card brand metadata); connected delivery channels (order payloads); enrichment providers we use for sales contact lookup, limited to business-card-equivalent data (name, role, employer, work email).
Section 05
Why we collect it and our legal bases (GDPR/UK GDPR)
For data we control, each processing activity below has at least one legal basis under Article 6 GDPR. Where required by Article 7 we collect explicit, freely-given, withdrawable consent (e.g. marketing emails). Where we rely on legitimate interests, we document the balancing test and you can object at any time.
To deliver the Service (Art. 6(1)(b) – contract)
- Authenticate users, provision locations, render the product, take payment, deliver hardware, provide support.
- Detect and prevent unauthorised access to your tenant.
- Generate invoices, statements and the reports you have configured.
To comply with law (Art. 6(1)(c) – legal obligation)
- Retain financial records for the period required by tax law (typically 7 years).
- Respond to lawful requests from public authorities and courts.
- Comply with PCI-DSS, anti-money-laundering and sanctions screening obligations applicable to payment services.
For our legitimate interests (Art. 6(1)(f) – legitimate interests)
- Operate, secure and improve the Service: error monitoring, fraud and abuse detection, aggregate product analytics, capacity planning.
- Marketing to existing customers about products and features similar to those they already use.
- Direct sales outreach to professional contacts at restaurants and groups that match our target market, using business-card-equivalent data and respecting unsubscribe and Do-Not-Sell signals immediately.
- Recover and enforce debts owed to us, including via third-party collection agencies operating under strict instructions.
- Defend against legal claims and conduct due diligence on counterparties.
With your consent (Art. 6(1)(a) – consent)
- Marketing emails to prospects who have opted in.
- Non-essential cookies and similar technologies (analytics, marketing pixels): only loaded after you accept them in the banner.
- Recording of onboarding or training calls.
Section 06
Sub-processors and recipients
We share personal data only with the categories of recipient listed below. We do not sell personal data and we do not disclose it for cross-context behavioural advertising.
Categories of sub-processors we use
- Cloud infrastructure. Hosting, storage, content delivery, backup and managed database services in the region closest to your venue.
- Payment processing. PCI-compliant acquirers and orchestration platforms that capture card data on our certified terminals and exchange tokens, not card numbers, with Tableview.
- Transactional email and SMS. Delivery of receipts, magic-link sign-ins, support replies, password resets and similar service messages.
- Customer support tooling. Help-desk, ticketing and in-product chat platforms used by our support team.
- Observability. Error monitoring, application performance monitoring, log aggregation and security information & event management (SIEM) providers, with sensitive fields masked at the source.
- Analytics. Privacy-preserving analytics for marketing pages and the product, with IP anonymisation and consent gating where required.
- Sales, marketing and CRM. CRM, sales engagement, marketing automation, web-form delivery and webinar tools.
- Workplace. Identity, single sign-on, code hosting and document tooling used internally by Tableview to run our business.
Every sub-processor operates under a written agreement that includes the GDPR Article 28 controls, audit rights, security obligations and (where the sub-processor is outside the EU/UK) the European Commission Standard Contractual Clauses or the UK International Data Transfer Agreement. We notify you of any new sub-processor at least 30 days before they go live with access to customer data and you can object inside the window.
Other recipients
- Connected delivery channels. When you connect Uber Eats, Deliveroo, DoorDash, Wolt, Glovo or any other channel, the orders and messages you exchange flow through their systems under their own terms.
- Professional advisers. Lawyers, auditors, accountants and insurers under confidentiality obligations.
- Public authorities. Tax authorities, regulators, law enforcement and courts, where required by law and after legal review of the request. We always disclose the minimum necessary and we challenge over-broad requests.
- Successors. A buyer or successor entity in connection with a merger, acquisition or sale of all or part of the business, under appropriate confidentiality controls and notice to you.
Section 07
International data transfers
Our default hosting region for EU/UK customers is the European Union (Frankfurt) and for US customers is the United States (Virginia or Oregon). Where personal data is transferred to a sub-processor in a country that the European Commission or the UK has not deemed adequate, we rely on the following safeguards.
- EU Standard Contractual Clauses (2021/914) for transfers out of the EEA.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, for transfers out of the United Kingdom.
- Swiss SCCs for transfers from Switzerland.
- Supplementary measures determined by a transfer impact assessment: end-to-end encryption in transit (TLS 1.2+), encryption at rest (AES-256), tokenisation of payment data, contractual restrictions on government access requests, transparency reports and the right for us to pause the transfer if the assessment changes.
A current list of regions and the safeguards used per transfer is available on request from privacy@tableview.com.
Section 08
How long we keep your data
We keep personal data only for as long as is necessary for the purposes for which it was collected, including any legal, accounting or reporting requirements. We then either delete it or anonymise it irreversibly.
- Active customer data: for the lifetime of your subscription, plus 90 days after closure to allow self-service export and recovery from accidental cancellation.
- Closed-account data: deleted after 90 days unless a longer retention period is required by law (typically 7 years for invoicing and tax records).
- Prospect and marketing data: up to 24 months from your last meaningful interaction with us (opening an email, visiting the site, replying to a sales outreach).
- Support tickets: 24 months from closure.
- Security event logs and audit trails: 13 months for incident investigation, with hashed identifiers thereafter for trend analysis.
- Payment evidence and chargeback records: up to 7 years to comply with card-network rules and applicable financial-services regulation.
- Backups: production data can be restored from encrypted backups for up to 30 days. After that window, deletion is irreversible across primary, replica and backup tiers.
Where you ask us to delete personal data sooner, we do so unless we are required to keep it (for example to comply with a tax obligation or to defend a legal claim). In that case we restrict our processing of the data to that purpose until the retention obligation expires.
Section 09
Your rights and how to exercise them
Depending on where you live, you have all or some of the following rights in respect of the personal data we hold about you. Exercising any of these rights is free of charge and we do not retaliate against you for doing so.
- Right of access. Obtain a copy of the personal data we hold about you and information about how we process it.
- Right to rectification. Ask us to correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"). Ask us to delete personal data we no longer need or that we are processing only on the basis of your consent.
- Right to restriction. Ask us to stop using your personal data while we deal with a rectification or objection request.
- Right to data portability. Receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object. Object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Right to withdraw consent. Withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.
- Right not to be subject to solely automated decisions (including profiling) that produce legal or similarly significant effects, except where allowed by law.
- Right to lodge a complaint with a data protection supervisory authority in the EU/UK/Switzerland (see "Complaints" below).
- Right to designate an authorised agent (US residents) to exercise rights on your behalf.
To exercise any of these rights, write to privacy@tableview.com. We verify your identity before acting on a request, and we respond within 30 days (extendable to 90 days for complex requests, with notice). For account data inside the product, you can self-serve most of these rights from Settings → Privacy. We do not charge for requests except where they are manifestly unfounded or excessive.
Section 10
US state privacy rights (CCPA/CPRA and equivalents)
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana or another US state with a comprehensive privacy law, you have the following rights in addition to those listed above.
- Right to know the categories and specific pieces of personal information collected, the sources, the purposes, the categories of third parties to whom the information was disclosed, and (in some states) the categories sold or shared (we sell and share none).
- Right to delete personal information we hold about you, subject to specific exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sales" and "sharing". As noted, Tableview does not sell or share personal information for cross-context behavioural advertising. Our site honours the Global Privacy Control (GPC) signal automatically.
- Right to limit use of sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination. We will not deny services, charge different prices or provide a different level of service because you exercised a privacy right.
- Authorised agents. A third party may submit a request on your behalf with your verifiable written authorisation.
We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.
Section 11
Marketing communications
We use your contact details to send you operational messages (security alerts, billing reminders, service announcements) for as long as you have an account with us. These are not marketing and you cannot opt out of them while the account is active, but we keep them to what is strictly necessary.
We send marketing messages (new features, product education, events) only with your consent or on the legitimate-interests basis where the law allows it for existing business customers and equivalent professional contacts. Every marketing message includes a one-click unsubscribe link in the footer, and unsubscribe requests are honoured immediately. You can also opt out of marketing globally by writing to privacy@tableview.com.
Section 13
How we protect your data
We maintain technical and organisational security measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction. No system is impenetrable, but the controls below have been independently assessed.
Encryption and key management
- Data encrypted in transit using TLS 1.2 or higher with modern cipher suites.
- Data encrypted at rest using AES-256, with keys managed by a hardware-backed key management service.
- Tenant isolation at the database and storage level. No shared production credentials.
Access and identity
- Production access is limited to a small on-call rotation behind single sign-on and hardware-backed multi-factor authentication.
- Just-in-time access with approvals, logged, time-boxed and reviewed monthly.
- Strict separation of duties between engineering, security, support and finance.
Resilience and recovery
- Daily encrypted backups with point-in-time recovery and cross-region replication for disaster recovery.
- Documented business continuity plan exercised at least annually.
- Monitoring, alerting and on-call cover 24/7 for incidents that affect the Service.
Assurance
- Independent third-party penetration tests at least annually, with remediation tracked to closure.
- Continuous vulnerability scanning of code, dependencies, containers and infrastructure.
- Security questionnaire and recent test summary available to enterprise customers under NDA.
You can find our current trust posture at Data Security. To report a security issue, write to security@tableview.com. We respond within one business day and operate a responsible disclosure programme.
Section 14
Personal data breaches
In the event of a personal data breach affecting personal data we control, we will notify the competent supervisory authority within 72 hours of becoming aware of it where required by law. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay, in clear and plain language.
Where the breach affects personal data we process for a venue, we notify the venue's designated security contact within 72 hours of confirming the incident, with the facts known at the time, an initial impact assessment, a remediation plan and a cadence for follow-up updates.
Section 15
Children's data
The Tableview product is intended for use by businesses and their staff. It is not directed to children. We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently done so, please contact privacy@tableview.com and we will delete the data without undue delay.
Section 16
AI features and automated decision-making
Some features of the Service use artificial intelligence or statistical models (for example: forecasting, menu engineering suggestions, anomaly detection on payments, reply drafting for online reviews). When these features are enabled by your venue, they operate only on data inside your tenant and on the policies you configure.
- We do not train shared models on your operational data without your explicit, opt-in consent. Anonymous aggregate signals (e.g. error rates, performance metrics) may be used to improve the Service.
- You can disable any AI feature, run it in suggest-only mode, or require human approval before any action is taken. Defaults can be changed at any time from Settings → AI.
- We do not make decisions that produce legal or similarly significant effects on individuals solely on the basis of automated processing, except where allowed by law and subject to suitable safeguards.
Section 17
Complaints
If you are not satisfied with how we have handled your personal data or your privacy request, you can lodge a complaint with a data protection supervisory authority. We would ask you to contact us first at privacy@tableview.com so we can try to resolve the issue, but you may complain at any time without contacting us.
- United Kingdom: the Information Commissioner's Office (ICO), ico.org.uk.
- European Union: the data protection authority of the EU member state where you live, work or where the alleged infringement took place. A list is maintained at edpb.europa.eu.
- Switzerland: the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
- United States: the relevant state attorney general; California residents may also contact the California Privacy Protection Agency (CPPA).
Section 18
Changes to this Privacy Policy
We update this Privacy Policy when our practices change. The "Last updated" date at the top of the page reflects the most recent revision. We will notify you of material changes in advance by email, in-product notice to admins, or both, at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
A real human reviews every legal request.
If you have a question about this Privacy Policy or want to exercise a right under it, write to us. We answer within five business days for routine requests; statutory deadlines are met in every case.