The Served platform (“Served”, “we”, “us”) is operated by [ENTITY — legal name, registered address, registration number]. We are the data controller for the personal data described in Sections 3 and 4 of this policy, except where Section 5 states otherwise.
Contact for all privacy matters: privacy@served.app. We have not appointed a Data Protection Officer; the contact above handles all data protection enquiries.
This policy applies to three groups of people:
We do not collect special category data and do not knowingly process data of anyone under 16. Served is a business tool and is not directed at children.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the platform, authentication, account security | Performance of a contract (Art. 6(1)(b)) |
| Billing, invoicing, tax records | Legal obligation (Art. 6(1)(c)) |
| Fetching and displaying review data | Legitimate interest of the venue in managing its public reputation (Art. 6(1)(f)) |
| Server logs, abuse prevention, debugging | Legitimate interest in securing the service (Art. 6(1)(f)) |
| Transactional email (account confirmation, password reset, policy change notices) | Performance of a contract (Art. 6(1)(b)) |
| Responding to support and privacy requests | Legitimate interest in operating the service; legal obligation for rights requests |
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data for advertising or profiling. We make no decisions about you based solely on automated processing.
We share data with the following processors, each bound by a Data Processing Agreement, and only to the minimum extent each integration requires:
| Processor | Role | Location |
|---|---|---|
| Supabase | Database and authentication | EU (eu-central-1) |
| Netlify | Hosting and CDN | US/EU edge |
| Stripe | Payment processing | US/EU |
| Resend | Transactional email | US |
| Upstash | Rate limiting and caching | EU |
| Google (Maps/Places API) | Review and location data | US |
| SerpAPI | Review fetching | US |
We may also disclose data where the law requires it, for example to comply with a court order.
Your data is stored in the European Union (Supabase, eu-central-1). Some processors listed above process data in the United States. Those transfers rely on the EU-US Data Privacy Framework where the processor is certified, and on Standard Contractual Clauses otherwise. Copies of the relevant safeguards are available on request at privacy@served.app.
| Data | Retention |
|---|---|
| Account and venue data | Until you delete your account, then removed within 30 days |
| Payment and billing records | 5 years after the tax year ends, as Polish tax law requires |
| Review data | Until the venue removes it or deletes its account |
| Server logs | 30 days |
| Backups | 7 days, after which deleted data also leaves backups |
| Support emails | 24 months after the matter closes |
Supabase encrypts data at rest and in transit. Access requires an authenticated session; we expose no raw database access to third parties. Access within the team is limited to what each role requires.
Under the GDPR you have the right to access your data, correct it, delete it, restrict its processing, object to processing based on legitimate interest, and receive a copy in a portable format. You can delete your account and all associated data directly in platform settings, or email privacy@served.app; we respond within one month.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Polish President of the Personal Data Protection Office (UODO), uodo.gov.pl. You may also complain to the authority in your own member state.
We do not sell or share personal information as those terms are defined in the California Consumer Privacy Act, and we have not done so in the preceding 12 months. The rights described in Section 9 are available to all users regardless of location, and we will not discriminate against you for exercising them. California residents may designate an authorised agent to submit requests on their behalf.
We use only strictly necessary cookies and local storage for authentication and session management. We set no analytics, advertising, or third-party tracking cookies, which is why you see no cookie banner.
We may update this policy as the platform evolves. We notify registered users of material changes by email at least 14 days before they take effect, and we keep a public changelog of all revisions.
privacy@served.app · [ENTITY], [registered address]
Served HoReCa Platform — Terms of Service · Sustainability