Privacy Policy

TableFlow (“we”, “us”, “our”) is the data controller responsible for your personal data. We operate a QR-code ordering platform for UK restaurants and hospitality venues.

If you have any questions about this policy or how we handle your data, please contact us at info@table-flow.com.

We collect personal data in the following contexts:

• Waitlist & marketing - your work email address when you register interest via our website.
• Account registration - your name, email address, and business details when you create a TableFlow account.
• Payments - billing contact details and payment method information, processed on our behalf by Stripe (see section 6).
• Platform usage - order data, menu configurations, table setups, and analytics generated while using the TableFlow service.
• Customer ordering (end diners) - we do not create accounts for end-diners. Any data entered during the ordering flow (e.g. dietary notes) is processed on behalf of the restaurant operator.
• Technical data - IP address, browser type, device information, and usage logs collected automatically when you visit our website or use the platform.

We use personal data to:

• Send you updates about TableFlow, including early access invitations and launch news (waitlist registrants).
• Provide, operate, and improve the TableFlow platform and associated services.
• Process payments and manage your subscription.
• Send transactional communications such as order confirmations and account notifications.
• Comply with legal obligations and enforce our terms of service where necessary.
• Analyse aggregated, anonymised usage patterns to improve features and performance.

We will never sell your personal data to third parties or use it for purposes materially different from those described here without first obtaining your consent.

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases:

We retain personal data only for as long as necessary:

• Waitlist email addresses - until you unsubscribe or request deletion, or until TableFlow ceases operations.
• Account data - for the duration of your subscription and up to 7 years afterwards to satisfy tax and accounting obligations.
• Payment records - 7 years in line with HMRC requirements.
• Technical logs - up to 90 days for security and debugging purposes.

We use carefully selected third-party services to operate the platform. Each processor handles data under a data processing agreement and only to the extent necessary to perform their service.

We do not transfer personal data outside the UK or EEA except where the processor operates appropriate safeguards as noted above.

Under the UK GDPR you have the following rights in relation to your personal data:

• Access - request a copy of the personal data we hold about you.
• Rectification - ask us to correct inaccurate or incomplete data.
• Erasure - request deletion of your data where we no longer have a legal basis to retain it.
• Restriction - ask us to limit how we process your data in certain circumstances.
• Portability - receive a structured, machine-readable copy of data you provided to us.
• Objection - object to processing carried out on the basis of legitimate interests, including direct marketing.
• Withdraw consent - where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@tableflow.co.uk. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Our website uses strictly necessary cookies to support authentication sessions and security tokens. We may also use analytics cookies to understand how visitors use our site - these are only set with your consent. You can manage or disable cookies at any time through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly.

We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. Payment card data is handled exclusively by Stripe and is never transmitted to or stored on our servers. All data in transit is encrypted using TLS. Access to production systems is restricted to authorised personnel only.

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page always reflects the most recent revision. Continued use of TableFlow after the effective date constitutes acceptance of the updated policy.