Privacy Policy
Last updated: February 2025. This policy describes how Serva ("we", "us", "our") collects, uses, and protects your information when you use our restaurant ordering and booking platform.
1. Data controller
Serva operates the platform. We are the data controller for personal data processed through our services. For data processed by restaurants (e.g. their customers' reservations and orders), the restaurant is also a data controller for that data; we process it on their behalf as a processor where applicable.
2. Data we collect
Account and profile data
Restaurant and staff accounts: When you sign up as a restaurant or staff member we collect email, name, phone (optional), and password. We also store restaurant details you provide: business name, slug, email, phone, address, website, description, logo and cover images, social handles, company name and billing email for invoicing, and settings (e.g. currency, timezone, language).
Customer accounts: If you create a customer account we collect email, name (optional), and password; we may also receive name and profile picture from Google or Facebook if you sign up with those providers. We store email verification status. Optional date of birth may be provided. We do not currently process payments; no payment card or bank details are collected for orders or deposits.
Reservations and table bookings
When you make a reservation we collect name, phone number, and optionally email, plus party size, date and time, and any notes. Reservations are linked to the restaurant and optionally to a customer account. We do not collect or process payment or deposit information at this time.
Orders (no payment at launch)
When you place an order (e.g. via QR at a table or for pickup) we store order details (items, quantities, special instructions), and optionally your name, phone, and email for fulfilment and communication. Orders may be linked to a table session or customer account. We do not collect payment card or other payment information; payment is not offered in the current release.
Table and visit sessions
When you scan a table QR or use the ordering interface we create a session linked to the table and restaurant. We may store an optional guest name, a session token, and optionally approximate location (e.g. for location checks) and browser/device information (user agent) for security and support.
Contact and support
When you submit the contact form we collect name, email, company, and message. We may use your IP address for rate limiting and bot verification (Cloudflare Turnstile). Support tickets may include subject, description, category, and contact name, email, and phone when you open a ticket or reply.
Reviews and loyalty
If you leave a review we store your rating, category ratings, and optional comment, linked to your customer account and the restaurant. Loyalty programme data (points, redemptions) is stored when you participate in a restaurant's loyalty scheme.
Analytics and usage
We collect first-party analytics to help restaurants understand usage: e.g. dish and category clicks, QR scans (restaurant, table/location, timestamp, and optionally user agent and referrer). This data is aggregated for reporting and may be retained for a limited period before archival. If you accept cookies on our marketing site we use Google Analytics to analyse site traffic; you can decline so that we do not load analytics cookies.
Technical and device data
We automatically collect IP address, browser type and version, device type, and similar technical data for security, rate limiting, and operation of the service. We use cookies and similar technologies for session management, preferences, and (with your consent) analytics as described in our cookie notice.
3. How we use your data
We use the data above to:
- Provide and operate the platform (accounts, menus, orders, reservations, tables, loyalty).
- Send transactional emails (e.g. reservation confirmations, order confirmations, email verification) via our email provider.
- Send promotional emails from restaurants (e.g. campaign offers, loyalty points expiring) when you have opted in. Every marketing email includes a clear unsubscribe link so you can opt out at any time. Unsubscribing applies only to that restaurant; you may still receive emails from other restaurants you interact with.
- Respond to contact form submissions and support tickets.
- Provide real-time features (e.g. order and booking updates) using a real-time messaging service.
- Improve and secure the service (monitoring errors, performance, and abuse prevention).
- Analyse usage (first-party analytics and, with consent, website analytics) and produce reports for restaurants.
- Comply with legal obligations and enforce our terms.
4. Legal basis
We process your data where necessary to perform our contract with you (e.g. providing the service), where we have a legitimate interest (e.g. security, analytics for restaurants, support), or where you have given consent (e.g. optional marketing, analytics cookies). You can withdraw consent for optional processing at any time (e.g. via cookie preferences, via the unsubscribe link in marketing emails, or by contacting us). We do not use automated decision-making or profiling that produces legal or similarly significant effects.
6. Retention
We retain your data for as long as needed to provide the service, handle support, and comply with legal obligations. Account data is retained while your account is active and for a reasonable period after closure. First-party analytics data (e.g. clicks, QR scans) may be archived or deleted after a defined period. You can ask us to delete or anonymise your data subject to legal and operational constraints.
7. Your rights
Depending on where you live (including if you are in the EEA or UK) you may have the right to: access your data, correct it, request erasure, restrict or object to certain processing, data portability, and withdraw consent. We will respond to your request without undue delay and in any event within one month where required by law.
You may also have the right to lodge a complaint with a supervisory authority. If you are in Malta, you can contact the Office of the Information and Data Protection Commissioner (idpc.org.mt). If you are elsewhere in the EEA or UK, you may contact your local data protection authority.
To exercise your rights, contact us at the details in Section 12.
9. Security
We use technical and organisational measures to protect your data (e.g. encryption in transit, access controls, secure hosting). No system is completely secure; we will notify you and regulators where we are required to do so in the event of a breach affecting your data.
10. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children; if you believe we have, please contact us so we can delete it.
11. Changes
We may update this policy from time to time. We will post the updated version on this page and change the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy where permitted by law.
12. Contact
For privacy-related requests, questions, or complaints, contact us via the contact form or the email address published on our website. We will respond within a reasonable time.
Serva