GDPR Compliance

1. Our Commitment

MyResto is committed to full compliance with the General Data Protection Regulation (GDPR). Data protection is not just a legal obligation for us — it is a core principle that guides how we build our platform and operate our business.

We have designed MyResto with privacy by design and by default (Article 25 GDPR). This means we consider data protection implications at every stage of product development, and we minimize data collection to only what is necessary for the service.

2. Data Processing Roles

Under the GDPR, organizations can act as either Data Controllers or Data Processors. MyResto acts in both capacities depending on the data in question:

2.1 MyResto as Data Controller

We are the Data Controller for data we collect for our own purposes, including:

• Restaurant operator account data (name, email, billing information)
• Platform usage analytics
• Marketing and communications data
• Support and inquiry data

2.2 MyResto as Data Processor

We act as a Data Processor on behalf of Restaurants (who are the Data Controllers) for:

• Guest personal data (names, emails, phone numbers collected through orders and reservations)
• Order history and preferences
• Review and feedback data
• Any other personal data that Restaurants collect from their guests through our Platform

3. Security Measures

We implement comprehensive technical and organizational measures to protect personal data (Article 32 GDPR):

3.1 Encryption

• In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across the entire platform.
• At rest: All data stored in our databases is encrypted at rest using AES-256 encryption.

3.2 Access Controls

• Role-based access control (RBAC) within the platform — staff members only see data relevant to their role.
• Multi-tenant data isolation — each restaurant's data is logically separated and cannot be accessed by other restaurants.
• Internal access to production data is restricted to authorized personnel, logged, and reviewed.

3.3 Audit Logging

• All data access and modifications are logged in an immutable audit trail.
• Authentication events (login, logout, failed attempts) are monitored.
• Administrative actions are logged with timestamps and user identifiers.

3.4 Infrastructure Security

• Application hosted on Vercel with enterprise-grade infrastructure security.
• Database hosted on Neon with automated backups and point-in-time recovery.
• Regular security updates and dependency patching.
• Rate limiting and DDoS protection.

4. Data Breach Notification

In the event of a personal data breach, we follow the procedures mandated by Article 33 and Article 34 of the GDPR:

Our breach response plan includes containment, investigation, notification, and remediation steps. We conduct regular breach simulation exercises to ensure readiness.

5. Sub-processors

We use the following sub-processors to deliver our services. Each is bound by a data processing agreement that ensures GDPR-compliant handling of personal data:

6. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR for processing activities that are likely to result in a high risk to individuals. We have completed DPIAs for:

• Guest order processing and profiling (order history analysis)
• Review and feedback collection
• Analytics and usage tracking
• International data transfers to US-based sub-processors

DPIAs are reviewed and updated whenever there are significant changes to processing activities or when new features are introduced that involve personal data.

7. Records of Processing Activities

As required by Article 30 GDPR, we maintain detailed Records of Processing Activities (ROPA) that document:

• Categories of data subjects and personal data processed
• Purposes of processing
• Categories of recipients
• International transfers and safeguards
• Retention periods
• Technical and organizational security measures

These records are available to the supervisory authority (CNIL) upon request.

8. Data Protection Officer

Our Data Protection Officer oversees our compliance with GDPR and is available to address any questions or concerns about how we handle personal data.

9. GDPR Tools for Restaurants

We provide Restaurants with built-in tools to meet their own GDPR obligations as Data Controllers of guest data:

9.1 Data Export

Restaurants can export all guest personal data at any time in JSON or CSV format. This enables them to fulfill data portability requests (Article 20) from their guests. Available in Settings > Data > Export.

9.2 Data Deletion

Restaurants can delete individual guest accounts and all associated data (orders, reviews, preferences) to fulfill erasure requests (Article 17). Deletion is permanent and cannot be undone. Available in Customers > [Customer] > Delete.

9.3 Consent Management

Restaurants can configure consent flows for their guests, including:

• Marketing email opt-in/opt-out
• Review submission consent
• Data collection notices displayed during the ordering process

All consent records are timestamped and stored with proof of consent for audit purposes. Available in Settings > Privacy > Consent.

9.4 Audit Trail

An immutable log of all data access and modifications is available to Restaurant administrators. This includes:

• Who accessed or modified guest data, and when
• What changes were made
• Data export and deletion events
• Consent changes

The audit trail is retained for 3 years and can be exported for compliance documentation. Available in Settings > Audit Log.