Served

Legal

Privacy Policy

Last updated: June 2026

1. Who we are

The Served platform (“Served”, “we”, “us”) is operated by [ENTITY — legal name, registered address, registration number]. We are the data controller for the personal data described in Sections 3 and 4 of this policy, except where Section 5 states otherwise.

Contact for all privacy matters: privacy@served.app. We have not appointed a Data Protection Officer; the contact above handles all data protection enquiries.

2. Who this policy covers

This policy applies to three groups of people:

  • Account holders and venue staff — people who create or use a Served account.
  • Venue guests — people whose reservation, contact, or CRM data a venue stores in Served. For this data, the venue is the data controller and we act as its data processor under a Data Processing Addendum. If you are a guest, direct privacy requests to the venue; we will assist the venue in fulfilling them.
  • Review authors — people whose publicly posted reviews on Google Maps, TripAdvisor, or Facebook a venue imports into Served. We collect this data from those platforms, not from you. We process only what is publicly visible: display name, review text, rating, and date. If you are a review author and want your data removed from Served, contact privacy@served.app.

3. Data we collect

  • Account data — email address and full name, provided when you create an account.
  • Venue data — business name, address, city, country, timezone, phone number, and email, provided for your venue profile.
  • Payment data — processed by Stripe. We never receive or store full card numbers. We retain billing records (plan, invoices, billing address, VAT number) as required by tax law.
  • Review data — public reviews fetched from Google Maps, TripAdvisor, and Facebook via third-party APIs at the venue’s request.
  • Usage data — server logs including request timestamps and IP addresses.
  • Support communications — emails you send to our support and privacy addresses.

We do not collect special category data and do not knowingly process data of anyone under 16. Served is a business tool and is not directed at children.

4. Why we process your data and on what legal basis

PurposeLegal basis (GDPR Art. 6)
Providing and operating the platform, authentication, account securityPerformance of a contract (Art. 6(1)(b))
Billing, invoicing, tax recordsLegal obligation (Art. 6(1)(c))
Fetching and displaying review dataLegitimate interest of the venue in managing its public reputation (Art. 6(1)(f))
Server logs, abuse prevention, debuggingLegitimate interest in securing the service (Art. 6(1)(f))
Transactional email (account confirmation, password reset, policy change notices)Performance of a contract (Art. 6(1)(b))
Responding to support and privacy requestsLegitimate interest in operating the service; legal obligation for rights requests

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data for advertising or profiling. We make no decisions about you based solely on automated processing.

5. Processors and recipients

We share data with the following processors, each bound by a Data Processing Agreement, and only to the minimum extent each integration requires:

ProcessorRoleLocation
SupabaseDatabase and authenticationEU (eu-central-1)
NetlifyHosting and CDNUS/EU edge
StripePayment processingUS/EU
ResendTransactional emailUS
UpstashRate limiting and cachingEU
Google (Maps/Places API)Review and location dataUS
SerpAPIReview fetchingUS

We may also disclose data where the law requires it, for example to comply with a court order.

6. International transfers

Your data is stored in the European Union (Supabase, eu-central-1). Some processors listed above process data in the United States. Those transfers rely on the EU-US Data Privacy Framework where the processor is certified, and on Standard Contractual Clauses otherwise. Copies of the relevant safeguards are available on request at privacy@served.app.

7. Retention

DataRetention
Account and venue dataUntil you delete your account, then removed within 30 days
Payment and billing records5 years after the tax year ends, as Polish tax law requires
Review dataUntil the venue removes it or deletes its account
Server logs30 days
Backups7 days, after which deleted data also leaves backups
Support emails24 months after the matter closes

8. Security

Supabase encrypts data at rest and in transit. Access requires an authenticated session; we expose no raw database access to third parties. Access within the team is limited to what each role requires.

9. Your rights

Under the GDPR you have the right to access your data, correct it, delete it, restrict its processing, object to processing based on legitimate interest, and receive a copy in a portable format. You can delete your account and all associated data directly in platform settings, or email privacy@served.app; we respond within one month.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Polish President of the Personal Data Protection Office (UODO), uodo.gov.pl. You may also complain to the authority in your own member state.

10. For US residents

We do not sell or share personal information as those terms are defined in the California Consumer Privacy Act, and we have not done so in the preceding 12 months. The rights described in Section 9 are available to all users regardless of location, and we will not discriminate against you for exercising them. California residents may designate an authorised agent to submit requests on their behalf.

11. Cookies

We use only strictly necessary cookies and local storage for authentication and session management. We set no analytics, advertising, or third-party tracking cookies, which is why you see no cookie banner.

12. Changes to this policy

We may update this policy as the platform evolves. We notify registered users of material changes by email at least 14 days before they take effect, and we keep a public changelog of all revisions.

13. Contact

privacy@served.app · [ENTITY], [registered address]

Served HoReCa Platform — Terms of Service · Sustainability

Privacy Policy | Served