Data Processing Agreement
Last updated 15 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the restaurant) and TableTango. It sets out how we handle your guests' personal data on your behalf, as required by UK data protection law (UK GDPR Article 28). You accept it when you connect your restaurant. Plain English, as ever — questions to hello@tabletango.co.uk.
1. Who's who
Your guests' personal data is yours. You decide what's collected and why, so you are the data controller. We process it only to run the service for you, so we are your data processor. (Separately, for our own data — your account details and email enquiries to us, and our staff — we're the controller; that's covered in our privacy notice.)
2. What we process, and why
| Subject matter | Providing the TableTango booking service to your restaurant. |
|---|---|
| Duration | For as long as you use the service, then deletion/return as in section 7. As a standing retention measure, personal data on individual bookings is automatically anonymised 24 months after the booking, and text/email logs and unused waitlist/feedback records are deleted after 24 months. |
| Nature & purpose | Taking, storing and managing bookings; sending confirmation and reminder messages; and the optional features you switch on (waitlist, post-visit reviews, AI booking chat). |
| Types of personal data | Guest name, mobile number, email, booking details (date, time, party, table), and any notes or dietary/standing-requirement information the guest chooses to provide. |
| Categories of data subject | Your guests / diners (and people who join your waitlist). |
3. Our promises as your processor
- Only on your instructions. We process your guests' data only to provide the service and on your documented instructions (these terms + how you configure the service). We'll tell you if we think an instruction breaks the law.
- Confidentiality. Anyone who can access the data is bound to keep it confidential.
- Security. We keep appropriate technical and organisational measures (UK GDPR Article 32): data hosted in the UK (London), access controls and row-level security so each restaurant only sees its own data, encryption in transit, and secret keys held in a secrets vault — never in the website code.
- Helping with guest rights. We help you respond to your guests' data requests — the admin console can export or erase a guest's data by phone or email.
- Breaches. We'll tell you without undue delay if we become aware of a personal-data breach affecting your data, with the detail you need to meet your own obligations, and help you assess and report it.
- Help with assessments. We'll reasonably assist with data protection impact assessments and any prior consultation with the ICO.
- Deletion / return. When you leave or ask, we delete or return your guests' data (and delete existing copies, unless the law requires us to keep them).
4. Sub-processors
We use a small set of trusted providers to run the service. By accepting this DPA you give general authorisation to those below; we'll let you know before we add or replace one, so you have a chance to object. Each is bound by data-protection terms.
| Provider | What they do |
|---|---|
| Supabase | Database & hosting (London, UK) |
| Twilio | Sends the SMS confirmations & reminders |
| Zoho | Email (booking emails & our mailbox) |
| Anthropic | Powers the AI booking chat |
| Netlify | Hosts the website |
5. Where the data lives
Your guests' data is stored in the UK (London). Where a sub-processor necessarily processes some data outside the UK, it's done under the safeguards the law requires (an adequacy decision, or standard contractual clauses / the UK IDTA).
6. Your side
You confirm you have a lawful basis for collecting your guests' data, that you give your guests the privacy information they're entitled to, and that your instructions to us comply with data-protection law.
7. Audits & information
We'll give you the information you reasonably need to show you're meeting your Article 28 obligations, and allow audits or inspections to the extent the law requires (on reasonable notice and at reasonable cost).
8. Liability, term & law
This DPA lasts as long as we process your guests' data. Liability under it is governed by the limits in the Terms of Service, and nothing here limits anything that can't legally be limited. This DPA is governed by the law of England and Wales.
Contact
TableTango — hello@tabletango.co.uk · tabletango.co.uk