← Back to restoful

Privacy Policy

Effective date: 20 May 2026

This policy applies to all users of restoful worldwide, including residents of the European Union, the United Kingdom, the United States (including California), and the United Arab Emirates.

1. Who we are and how to contact us

restoful is a software-as-a-service platform for independent restaurant owners. The platform is operated by:

Sycamore Management Consulting L.L.C. dba restoful

Office G06-308, The Exchange Tower

Business Bay, Dubai, United Arab Emirates

Email: privacy@restoful.com

Website: restoful.com

For all privacy-related enquiries — including data access, correction, deletion, or complaints — please email privacy@restoful.com. We will respond within 30 days.

2. What personal data we collect and why

2a. Data you give us directly

CategoryExamplesPurposeLegal basis (GDPR)
Account dataName, email address, password (hashed)Create and manage your account; send transactional emailsContract (Art. 6(1)(b))
Restaurant profileRestaurant name, cuisine type, description, city, logoOperate the platform and display your public restaurant pageContract (Art. 6(1)(b))
Menu contentItem names, descriptions, prices, dietary tags, photosPower your digital and print menus, QR ordering, and public websiteContract (Art. 6(1)(b))
Uploaded menusPhoto or PDF of your existing paper menuAI extraction to digitise your menu; not stored after processingContract (Art. 6(1)(b))
Payment dataBilling name, last 4 digits of card, billing addressProcess subscription payments via Stripe (we never see full card numbers)Contract (Art. 6(1)(b))
CommunicationsEmails or support messages you send usRespond to enquiries and improve the serviceLegitimate interests (Art. 6(1)(f))

2b. Data collected automatically

  • Log data — IP address, browser type, pages visited, timestamps. Used to maintain security and diagnose errors. Retained for 90 days.
  • Session cookies — authentication tokens that keep you signed in. These are strictly necessary and do not require consent. See our Cookie section below.

2c. Data about your customers (end-customer data)

When your customers place orders or make reservations through restoful, we process their name, email address, phone number, and order details on your behalf. In GDPR terms, you are the data controller for your customers' data and we are the data processor. We process this data only to operate your restoful account and never use it for our own marketing or share it with third parties.

3. Cookies

We use the following categories of cookies:

NameTypePurposeConsent required?
sb-*Strictly necessarySupabase session tokens — keep you signed in. Expire when you sign out or after 1 hour of inactivity.No — essential to the service
restoful-cookie-consentFunctionalStores your cookie consent preference so we don't ask again.No — stores your own preference

We do not use advertising, tracking, or third-party analytics cookies. You can clear cookies at any time via your browser settings; doing so will sign you out.

4. Third-party processors

We share your data only with the vendors listed below, each engaged under a data processing agreement. All of these vendors are based in the United States.

VendorData sharedPurpose
Supabase (supabase.com)Account data, restaurant data, menu data, customer order/reservation dataDatabase, authentication, and file storage. Data stored in US-East AWS region.
Vercel (vercel.com)IP addresses and request metadataApplication hosting and global CDN.
AI infrastructure providersMenu content, images, menu item names and descriptions, and user-provided feedback you submit to AI featuresAI processing for menu extraction, generation, translation, website generation, and menu item photo generation.
Stripe (stripe.com)Name, email, billing address, payment card metadataPayment processing for subscriptions.
Resend (resend.com)Email address, nameTransactional email delivery (account confirmation, reservation notifications).

We do not sell your data. We do not share your data with any other third parties.

5. International data transfers

Sycamore Management Consulting L.L.C. is based in the United Arab Emirates. Our service providers are based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, your personal data is transferred internationally. We rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) — EU Commission-approved contractual terms are in place with our EEA-to-US data processors, including infrastructure, payment, email, hosting, and AI processing providers.
  • UK IDTA — Where required for UK personal data, we use the UK International Data Transfer Addendum.
  • Our AI processing providers maintain zero-data-retention arrangements for API calls — data sent to their APIs is not used to train models and is not retained after processing.

6. Data retention

  • Account and restaurant data — retained for the life of your account plus 30 days after deletion, to allow account recovery.
  • Menu and order data — retained for the life of your account. Deleted within 30 days of account deletion.
  • Uploaded menu files (photos/PDFs for AI extraction) — processed and deleted within 24 hours.
  • Payment records — retained for 7 years to comply with UAE commercial law and international accounting standards.
  • Log data — retained for 90 days.
  • Backup copies — may persist for up to 90 days after deletion from live systems.

7. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any right, email privacy@restoful.com. We will respond within 30 days (or 45 days for complex requests).

All users

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — ask us to delete your account and associated data (subject to legal retention obligations).
  • Data portability — receive your data in a structured, machine-readable format.

EEA and UK residents (GDPR / UK GDPR)

  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — you have the right to complain to your local supervisory authority. A list of EU authorities is at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.

California residents (CCPA / CPRA)

  • Know — the categories of personal information we collect and how we use it (see Section 2).
  • Delete — request deletion of your personal information.
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising. No opt-out is needed.
  • Non-discrimination — we will not discriminate against you for exercising your CCPA rights.
  • To submit a CCPA request, email privacy@restoful.com with the subject line “CCPA Request”. We may need to verify your identity before responding.

UAE residents (Federal Decree-Law No. 45 of 2021 on Personal Data Protection)

  • You have the right to access, correct, and request deletion of your personal data as described above.
  • You may contact the UAE Data Office at tdra.gov.ae to file a complaint.

8. Public data

Your restaurant name, menu items, prices, descriptions, item images, and website content are publicly accessible to anyone who visits your menu URL, scans your QR code, or visits your restoful-hosted website. Do not include private, confidential, or sensitive personal information in your menu or website content.

9. Security

We implement appropriate technical and organisational measures to protect your data, including HTTPS encryption in transit, hashed password storage, database-level row security policies, and access controls. We conduct security reviews before deploying changes. However, no system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you as required by applicable law.

10. Children

restoful is a business tool intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data about a minor, please contact us immediately and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify you by email at least 14 days before the changes take effect (or as required by applicable law). The “Effective date” at the top will always show when the policy was last updated. Continued use of restoful after the effective date constitutes acceptance of the updated policy.

12. Contact and complaints

For any privacy-related questions or to exercise your rights, contact us at privacy@restoful.com. We will acknowledge your request within 5 business days and respond in full within 30 days.

If you are not satisfied with our response, you have the right to escalate to the relevant supervisory authority in your jurisdiction (see Section 7).

restoful is operated by Sycamore Management Consulting L.L.C. dba restoful — Office G06-308, The Exchange Tower, Business Bay, Dubai, United Arab Emirates.

Terms of Service · DMCA Policy · privacy@restoful.com