Skip to content
v2.0Last Updated: March 23, 2026

Privacy Policy

This policy explains how MyResto collects, uses, stores, and protects your personal data in compliance with the GDPR.

1. Data Controller

The data controller responsible for your personal data is:

MyResto SAS

12 Rue de la Paix

75002 Paris, France

Email: dpo@myresto.app

Company registration: Paris RCS (registration number pending)

Our Data Protection Officer (DPO) can be contacted at dpo@myresto.app.

2. Data We Collect

We collect different categories of personal data depending on how you interact with our platform:

2.1 Account Data

When you create a MyResto account, we collect your name, email address, phone number (optional), and password (stored as a cryptographic hash). For restaurant operators, we also collect business name, address, and billing information.

2.2 Restaurant Data

Restaurant operators provide menu content, table configurations, pricing, operating hours, and promotional offers. This data is provided voluntarily and is used to operate the platform.

2.3 Order Data

When guests place orders through the platform, we collect order details (items, quantities, modifications), table number, timestamps, and order status history.

2.4 Payment Data

Payment card details are collected and processed directly by our payment processor, Stripe. We do not store full card numbers on our servers. We retain only the last four digits, card brand, and transaction identifiers for record-keeping.

Note: MyResto never has access to your full card number. All payment data is handled directly by Stripe, which is PCI DSS Level 1 certified.

2.5 Usage and Analytics Data

We collect information about how you use the platform, including pages visited, features used, browser type, device information, IP address, and approximate location (city level). This data is collected through cookies and similar technologies.

2.6 Communications

When you contact us via email or through our contact form, we retain the content of those communications to resolve your inquiry and improve our service.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: to operate the platform, process orders, manage reservations, and provide the features you expect.
  • Account management: to create and manage your account, authenticate you, and provide customer support.
  • Billing and payments: to process subscription payments, issue invoices, and manage your billing history.
  • Analytics and improvement: to understand how the platform is used, identify issues, and improve our features.
  • Communications: to send you transactional emails (order confirmations, password resets), and, with your consent, marketing communications about product updates.
  • Security: to detect and prevent fraud, abuse, and security incidents.
  • Legal compliance: to comply with applicable laws, regulations, and legal processes.

Under the GDPR, we process your personal data on the following legal bases:

Legal BasisPurpose
Contract performance (Art. 6(1)(b))Account management, order processing, subscription billing
Legitimate interest (Art. 6(1)(f))Analytics, platform improvement, fraud prevention, security
Consent (Art. 6(1)(a))Marketing communications, non-essential cookies
Legal obligation (Art. 6(1)(c))Billing and tax record retention as required by French/EU law
Tip: You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Data Retention

We retain your personal data only for as long as necessary for the purposes described above:

Data CategoryRetention Period
Account dataDuration of account + 3 years after deletion
Order data10 years (French tax law requirement)
Payment records10 years (French tax law requirement)
Analytics data2 years
Support communications3 years after resolution
Marketing consent recordsDuration of consent + 3 years

When retention periods expire, data is securely deleted or anonymized so it can no longer be associated with you.

6. Data Sharing and Third Parties

Important: We do not sell your personal data. We never have and never will.

We share data only with the following categories of service providers, each bound by data processing agreements:

ProviderPurposeLocation
StripePayment processing (independent data controller for payment data). Privacy PolicyUSA
ResendTransactional and marketing emailsUSA
VercelApplication hosting and content deliveryUSA
NeonDatabase hosting with encryption at restUSA

We may also disclose data when required by law, court order, or to protect our legal rights.

7. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

RightDescription
Access (Art. 15)Request a copy of all personal data we hold about you
Rectification (Art. 16)Ask us to correct inaccurate or incomplete personal data
Erasure (Art. 17)Ask us to delete your personal data, subject to legal retention obligations
Restriction (Art. 18)Ask us to restrict processing of your data in certain circumstances
Data Portability (Art. 20)Request your data in a structured, machine-readable format (JSON or CSV)
Object (Art. 21)Object to processing based on legitimate interests, including profiling and direct marketing
Withdraw Consent (Art. 7)Withdraw consent at any time without affecting the lawfulness of prior processing

You also have the right to lodge a complaint with your local supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertes (CNIL).

How to exercise your rights: Contact our DPO at dpo@myresto.app. We will respond within 30 days. If your request is complex, we may extend this by an additional 60 days and will inform you of any such extension.

8. International Data Transfers

Some of our service providers are located in the United States (Vercel, Stripe, Resend, Neon). We ensure appropriate safeguards for these transfers through:

  • Standard Contractual Clauses (SCCs): We have entered into EU-approved Standard Contractual Clauses with each US-based provider, as required by the GDPR following the Schrems II decision.
  • EU-US Data Privacy Framework: Where applicable, our providers are certified under the EU-US Data Privacy Framework.
  • Supplementary measures: Including encryption in transit (TLS 1.2+) and at rest, access controls, and contractual commitments to challenge disproportionate government access requests.

9. Cookies

We use cookies and similar technologies on our platform. For detailed information about the cookies we use, their purpose, and how to manage them, please see our Cookie Policy.

10. Children's Privacy

Age restriction: Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children.

If you believe we have inadvertently collected data from a child, please contact us at dpo@myresto.app and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. We will also post the updated policy on this page with a new "Last updated" date.

We encourage you to review this page periodically to stay informed about how we protect your data.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Data Protection Officer

MyResto SAS

12 Rue de la Paix

75002 Paris, France

Get in Touch

dpo@myresto.app (DPO)

hello@myresto.app (General)

Supervisory authority: If you are not satisfied with our response, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertes), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. www.cnil.fr