Privacy Policy
Version 2.0
Effective date: February 2026
1. Data Controller
Mebloexpert Robert Żołdak
ul. Andersa 4
59-900 Zgorzelec
Poland
VAT ID: PL6151029625
Email: support@restrosuite.app
2. Scope
This Policy applies to:
- business users,
- representatives,
- website visitors.
For restaurant end customers, RestroSuite acts as a Processor under a separate DPA.
United Kingdom and Ireland / EEA. The Controller is established in Poland. For data subjects located in Ireland and other EEA countries, the EU GDPR applies. Where the Controller offers services to, or otherwise processes personal data of, individuals in the United Kingdom in a manner subject to UK data protection law, the UK GDPR and the Data Protection Act 2018 may apply in addition to the EU GDPR.
Users located in the United Kingdom may be allowed to register an account and create a workspace or tenant for Evaluation Access before paid Services are approved. In such cases, RestroSuite processes account, workspace, technical, security, support, and communication data for the purposes of account creation, service administration, security, abuse prevention, technical evaluation, communication with the user, and compliance review. Paid subscription data, payment data, Store purchasing data, and live commercial-use data are processed only if and when the relevant features are approved and activated.
3. Data Collected
Registration and identification data
- Name
- Company name
- VAT ID
- Business address
- Email address
- Phone number
Billing data
- Invoice data
- Transaction ID
- Payment status
- Subscription status
Technical data
- IP address
- Server logs
- Device and browser information
- Session IDs
Communication data
- Support request content
- Email communication
4. Legal Bases
| Purpose | Legal Basis |
|---|---|
| Providing SaaS services | Art. 6(1)(b) GDPR – contract performance |
| Billing and accounting | Art. 6(1)(c) GDPR – legal obligation |
| IT security and system protection | Art. 6(1)(f) GDPR – legitimate interest |
| Support and communication | Art. 6(1)(f) GDPR – legitimate interest |
| Enforcement or defense of claims | Art. 6(1)(f) GDPR – legitimate interest |
| Marketing (if consent given) | Art. 6(1)(a) GDPR – consent |
5. Retention
Personal data is stored:
- During the contract term
- Up to 31 days after termination (account data)
- As required by law (e.g., 5 years for accounting data)
- Until statutory limitation periods expire
After these periods, data is deleted or anonymized.
6. Data Sharing
Data may be shared with:
- DigitalOcean – hosting
- Postmark – transactional email delivery
- Stripe Payments Europe Ltd. – payment processing
- PayU S.A. – payment processing
- Google Maps API – address geocoding and autocomplete
- Anthropic (Claude) – AI-powered content and menu generation
- OpenStreetMap – map display
- VIES (European Commission) – VAT ID validation
- Accounting service providers
Data is shared only to the extent necessary for service provision.
7. International Transfers
Transfers of personal data outside the EEA (e.g., via Stripe) rely on Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other appropriate safeguards under Article 46 GDPR, as applicable.
Where UK personal data is subject to a restricted transfer under the UK GDPR, the Controller relies on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, UK adequacy regulations, or another valid transfer mechanism under UK data protection law, as applicable.
8. Aggregated Data
Fully anonymized, aggregated operational data may be used for statistical or marketing purposes.
This data does not allow identification of any individual or user.
9. Rights
Data subjects have the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object (Art. 21 GDPR)
- Withdraw consent
To exercise these rights, contact: support@restrosuite.app
Data subjects located in the United Kingdom have equivalent rights under the UK GDPR, subject to applicable limitations under UK law.
10. Complaints
Data subjects have the right to lodge a complaint with a competent supervisory authority. In particular:
- United Kingdom: Information Commissioner's Office (ICO);
- Ireland: Data Protection Commission (DPC);
- Poland: President of the Personal Data Protection Office (UODO), where the Controller is established;
- EEA: the supervisory authority in the data subject's country of residence, workplace, or place of the alleged infringement.
Where RestroSuite is required to appoint a representative in the United Kingdom under Article 27 UK GDPR, the representative's name and contact details will be made available in this Privacy Policy and/or Legal Notice before RestroSuite commences paid commercial provision of the Services to UK Customers. Until such appointment, RestroSuite does not represent that it has appointed a UK GDPR representative.
11. Cookies
- The website uses only technically necessary cookies.
- No marketing or tracking cookies are used.
- Cookies can be managed via browser settings.
12. Security Measures
The Provider implements appropriate technical and organizational measures, including:
- TLS encryption
- Role-based access control
- Tenant separation
- Administrative access logging
- Regular backups
- Data minimization
13. Changes to this Policy
The Provider reserves the right to update this Privacy Policy in response to legal or technical changes.
The current version is always available on the website.