Privacy Policy

Reservation Ltd. operates the Ordering.Tools multi-tenant SaaS platform for digital menus and online ordering serving hospitality and restaurant businesses. Reservation Ltd. also operates Reservation.Tools (reservation management) — a separate product with its own privacy policy. Depending on processing context, Reservation Ltd. acts as either data controller or data processor.

For data protection inquiries, contact [email protected].

We recommend contacting us before filing a complaint with the CPDP — in most cases we can resolve the matter directly and quickly.

Under EU GDPR and Bulgarian data protection law, there is an important legal distinction between a data controller (the entity that decides why and how personal data is processed) and a data processor (the entity that processes data on behalf of a controller). For end-customers, these roles are split between Reservation Ltd. and the Venue Operator depending on the data category.

Most of your data rights — access, rectification, erasure, portability, marketing opt-out — can be exercised directly in your account on www.ordering.tools, without contacting either us or the Venue. See Section 10.

We process personal data in accordance with the principles set out in GDPR Article 5 (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability).

5.1 Venue Operator Account Holders (Controller = Reservation Ltd.)

Owners, managers, and staff of Venues that subscribe to Ordering.Tools.

• Identification: Name, email, phone
• Authentication: Password (stored hashed, never plaintext)
• Profile: Role, language, timezone
• Session/technical: IP address, browser, OS, last login
• Audit logs: Records of platform actions
• Billing: Business name, EIK/VAT (legal entities), invoicing address — processed via third-party payment providers; no card data stored by us

5.2 Visitors to www.ordering.tools (Controller = Reservation Ltd.)

• Technical data: IP address, browser, pages viewed, referrer
• Cookies: See Section 11

5.3 Recipients of Product/Service Notifications (Controller = Reservation Ltd.)

Registered Venue Operators receiving periodic notifications about new features, service changes, and product messages. We do not maintain a public newsletter signup form and do not send marketing messages to non-registered users. Recipients may unsubscribe anytime via links in messages.

5.4 End-Customers of Venues (split controllership)

Individuals who register on Ordering.Tools (typically when placing their first order at any Venue on the platform) and subsequently place orders at one or more Venues. A single platform account is used across all Venues — you do not re-register per restaurant.

Reservation Ltd. is controller for:

• Platform account identity: Name, email, phone, hashed password
• Account authentication: Session tokens, email confirmation tokens, phone verification tokens
• Saved delivery addresses: Addresses you save on your account for reuse across Venues
• Loyalty balances and referral codes: Maintained at the platform level and visible in your account
• Cross-Venue order history: The aggregated list of your orders across all Venues, shown in your profile
• Marketing consent: Email and SMS marketing opt-ins/opt-outs managed from your Notifications settings

The Venue Operator is controller (and we act as processor) for:

• Order content: Items, modifiers, quantities, special instructions, order time, table number
• Delivery details per order: Address and notes you provided at checkout for that specific order
• External payment identifiers: Stripe customer ID (in the Venue's Stripe account), MyPOS/Borica transaction references
• Venue-side CRM: Any notes, tags, or segmentation the Venue maintains on its customers

What we do NOT collect: No special categories of data per GDPR Article 9 (racial/ethnic origin, political opinions, religious beliefs, genetic, biometric, health, sexual orientation). Exception: if Venues collect dietary information (e.g., "nut allergy") it may contain indirect health information — responsibility rests with the Venue as controller.

Payment data: Reservation Ltd. does not store or process payment card data. Payments process directly between the End-Customer and the Venue's own payment account at Stripe (via Stripe Connect Standard Direct Charges), MyPOS (embedded checkout), or Borica APGW (Bulgarian banks). See Section 7.5.

5.5 Contact Form Submissions (Controller = Reservation Ltd.)

Website visitors submitting contact forms provide name, email, and message text. Data is processed to respond to inquiries and retained only as long as needed for that purpose.

5.6 Real-Time Notifications (Pusher)

For order status updates and Kitchen Display System (KDS) push notifications, the platform uses real-time messaging. Push notification tokens are used solely for service-related notifications and are not shared with third parties for marketing.

Legitimate interest: Where we rely on legitimate interest as a legal basis, you may object to such processing at any time (Section 10).

A sub-processor is a third party to whom we delegate specific data processing operations (another processor within the meaning of Art. 28(2) and (4) GDPR). Sub-processors act strictly per our instructions and are contractually bound by confidentiality and security obligations through Data Processing Agreements (DPAs).

7.1 Current sub-processor list

7.2 Changes to the sub-processor list

We may add, remove, or replace sub-processors. When we add a new sub-processor processing personal data of Venue Operators or End-Customers, we update this Privacy Policy and notify Venues by email within reasonable time, allowing objections per the DPA.

7.3 Disclosure required by law

We may disclose data to government authorities when legally required (court orders, competent authority directives). We verify each request's legitimacy and disclose only what is expressly required.

7.4 Payment providers — NOT our sub-processors

Payments accepted by Venues through the platform follow a "facilitator" model. Reservation Ltd. is not party to payments and does not process payment card data:

• Stripe (Connect Standard): Venues maintain their own Stripe accounts linked via OAuth (scope=read_write). Card data flows directly between End-Customers and the Venue's Stripe account via Direct Charges with the Stripe-Account header. We are not the merchant of record and receive no transaction commissions on order payments.
• MyPOS (embedded checkout): Venues maintain their own MyPOS merchant accounts with unique Store IDs and certificates. The platform redirects End-Customers to payment forms using Venue merchant credentials.
• Borica APGW: Bulgarian bank card payments process directly between End-Customers and the Venue's acquiring bank via Borica's gateway with signature verification.

In all cases, payment providers act as sub-processors of the Venue as controller, not of Reservation Ltd. Stripe Billing is used separately for Reservation Ltd.'s own subscription billing of Venue Operators (see Section 5.1).

7.5 Embedded ordering widgets on Venue websites

When Venues embed Ordering.Tools widgets on their own websites, the widget connects to our platform showing menus and accepting orders. Data collected via widgets (name, phone, email, address, order details) is processed per the Venue's privacy policy, with us acting as processor.

7.6 Connected directories — Listings sync (Google, Apple, Facebook, Instagram, Bing)

Venue Operators may optionally connect their Google Business Profile, Apple Business Connect, Facebook Page, Instagram Business account, or Bing Places listing to Ordering.Tools through the admin panel at /admin/listings. When connected, the platform pushes the venue's public identity (name, hours, address, phone, photos, description, website URL, menu URL) to the chosen directory whenever the Venue Operator updates that data in Ordering.Tools.

What we send: only public business identity data already published by the Venue Operator inside Ordering.Tools. We do NOT send end-customer personal data, order history, or any internal admin data to any directory.

OAuth scope summary per platform:

• Google Business Profile — scope https://www.googleapis.com/auth/business.manage: read venue's GBP location, write hours/address/phone/website/photos/description/permanent-closure status.
• Apple Business Connect — Apple developer-team JWT: read/write venue location's hours/address/phone/website/photos.
• Facebook Pages — scopes pages_manage_metadata + pages_read_engagement: write Page about/phone/website/hours; read Page-level review and comment events for future reputation tooling.
• Instagram Business — scopes instagram_basic + instagram_content_publish: write biography/website/contact phone of the linked IG Business Account.
• Bing Places — Microsoft Bing Places API token: write business name/description/address/phone/website/hours.

Token storage: OAuth access tokens, refresh tokens, and the linked external location identifier are stored encrypted at rest in our database (column VenueIntegration.config) using the same encryption path that protects Stripe and MyPOS credentials. Tokens are never logged in plaintext, never sent to any third party, and never exposed to other Venues.

Revocation: a Venue Operator can disconnect any directory at any time via /admin/listings → "Disconnect" — this removes the encrypted tokens from our database and marks the integration inactive. The Venue Operator may additionally revoke our app's access from the directory's own settings (Google Account permissions, Apple ID app authorisations, Facebook Business Settings, Microsoft account permissions). Revoking from the directory side prevents any future API call but does not retroactively delete data already pushed to the directory; that remains under the directory's own retention policy.

Audit log: every push attempt is recorded in our VenueListingSyncLog table (when, which platform, which fields, success/failure, response code). The Venue Operator can view the last 25 entries at /admin/listings.

Each directory acts as an independent data controller for the data we push on the Venue Operator's instruction. The Venue Operator's relationship with each directory is governed by that directory's own terms (e.g., Google Business Profile Terms, Meta Platform Terms, Bing Places Terms).

Primary infrastructure and most sub-processors are located in the EU/EEA:

• Hosting and infrastructure — AWS, eu-west-1 (Ireland)
• Real-time messaging — Pusher (United Kingdom, under UK adequacy decision)

For some services (CDN/WAF, error tracking, AI features, geocoding), data may be processed by U.S. providers. These transfers are protected under GDPR Articles 44–49 via:

• EU–U.S. Data Privacy Framework (DPF): Verify provider certification at dataprivacyframework.gov
• Standard Contractual Clauses (SCC): European Commission–approved clauses for non-DPF providers

We do not transfer data to third countries outside the EU/EEA, UK, and USA.

Right to erasure and backups: The right to be forgotten applies to backups. After production database deletion, data is permanently removed from backups within rotation cycles (up to 30 days). Until then, backups retain data only for post-incident recovery.

Under GDPR Articles 15–22 you have the following rights:

Self-service tools for End-Customers: Most rights can be exercised directly from your account without contacting us:

• Access and rectification: Account → Settings to view and update your name, email, phone, and language
• Portability: Account → Settings → Export my data — downloads a structured JSON file with your profile, addresses, loyalty records, and order history
• Erasure (platform-wide): Account → Settings → Delete Account — anonymises orders across all Venues and removes your profile
• Erasure (single Venue): Account → Privacy — anonymise your data at one Venue while keeping your platform account
• Objection and consent withdrawal: Account → Notifications to toggle marketing email/SMS consent anytime

To exercise any right we cannot handle via self-service, contact: [email protected]

We respond within 30 days. Complex or numerous requests may extend this by up to 60 additional days, with notification. Exercise of rights is free unless requests are manifestly unfounded or excessive.

The Ordering.Tools platform uses cookies and similar storage only where needed to run the site and, with your consent, for aggregated analytics. We do not use advertising or profiling cookies and we do not sell your data.

Strictly necessary cookies (no consent required) are used for session authentication, cart state, language preference, and bot/abuse protection. With your consent, we may use analytics cookies to understand aggregate site usage. A live list of the trackers in use at any given moment, together with the controls to accept or reject each category, is available in the Cookie Settings panel accessible from the footer of this site.

You can manage or block cookies through your browser settings. Blocking strictly necessary cookies will impair platform functionality.

We apply technical and organisational measures appropriate to the level of risk, in accordance with GDPR Article 32. These include encryption in transit, encryption at rest for stored files and backups, role-based access control on the principle of least privilege, hashed passwords, token-based session authentication, multi-tenant isolation, automated backups on a defined rotation policy, contractual safeguards with sub-processors via DPAs, bot protection, and an internal incident response procedure including notification of the supervisory authority within 72 hours where required under GDPR Article 33.

Reservation Ltd. does not engage in automated decision-making (including profiling) producing legal effects or similarly significantly affecting individuals, as defined in GDPR Article 22.

The platform uses AI in a limited, narrow capacity: product description generation (admin-only). When a Venue Operator clicks "Generate description" in the admin product editor, the product name, category, and existing description are sent to a third-party AI provider (see Section 7.1) which returns a draft description. The Operator reviews and edits before saving. No End-Customer personal data is sent to the AI provider.

This usage falls outside the EU AI Act's "high-risk" categories (Annex III). We do not use AI for automated decisions about individuals, content moderation, profiling, or biometric processing. If AI usage expands, this section will be updated.

In accordance with the EU Data Act (Regulation 2023/2854, applicable from September 2025), Venue Operators have the right to switch providers and port their data with no lock-in:

• Data export: Venues may request a complete export of their menu data, customer database, and order history in a structured, machine-readable format (CSV/JSON). Exports are delivered within the timeframes required by the EU Data Act.
• Maximum exit notice: 60 days. Contracts cannot bind Venues beyond this notice period.
• No switching fees: From January 2027, no fees may be charged for switching to another provider. Until then, only fees not exceeding actual costs may apply.
• Continued access: During the exit-notice period, Venues retain full access to data and the platform.

Submit data export or switching requests to [email protected].

Ordering.Tools is not directed to children. We do not knowingly collect personal data from children under 14 (the consent age under Bulgarian law for information society services). Venue Operators are responsible for ensuring their ordering pages comply with applicable rules where children may interact with their menus.

We may update this Privacy Policy to reflect new features, new sub-processors, or legislative changes. Significant changes are notified to registered Venue Operators via email and/or in-platform notice before they take effect. Non-substantial changes (typo corrections, contact updates) are published directly. The effective date appears at the top of this page.

For privacy questions, GDPR rights requests, or other personal data inquiries:

For requests related to your orders or customer profile on a specific Venue's page, contact that Venue directly. They are the data controller.

This Privacy Policy was prepared in compliance with Regulation (EU) 2016/679 (GDPR), the EU AI Act, the EU Data Act, and applicable Bulgarian legislation.