DRAFT - pending legal review

Privacy Policy

This policy explains how personal data is processed when cafes, restaurant teams, and customers use Team Organizer. This document is a legal draft for review by counsel and should be finalized before public launch.

1. Controller and Processor Roles

For each pilot deployment, the individual cafe or restaurant operator is the data controller for employee and customer data processed in its workspace.

Controller identity placeholder: [CAFE NAME - operator's legal name and address - TO BE COMPLETED BY CAFE]

The Team Organizer platform operator acts as a data processor and processes personal data only on documented instructions from the controller, except where EU or Member State law requires otherwise.

2. Categories of Personal Data

We process the following categories of data:

Cafe Owner Data

  • Name
  • Email address
  • Password hash and authentication metadata
  • Organization details

Team Member Data

  • Name
  • Email address
  • Phone number (optional)
  • Date of birth (optional)
  • Work areas and role flags
  • Monthly hours and scheduling constraints
  • Unavailable days and preferred working days

Customer Booking Data

  • Name
  • Email address
  • Phone number
  • Party size
  • Reservation date and time
  • Optional booking note

3. Purposes and Legal Bases

Owner Accounts

  • Account creation, authentication, and organization setup (Article 6(1)(b) GDPR - performance of a contract).
  • Security monitoring and abuse prevention (Article 6(1)(f) GDPR - legitimate interest in secure operation).

Team Member Records

  • Shift planning, staffing operations, and schedule publication (Article 6(1)(b) GDPR where needed for employment-related contract handling, and Article 6(1)(f) GDPR where used for operational planning interests).
  • Optional fields such as date of birth and optional profile details (Article 6(1)(a) GDPR - consent, where applicable).

Customer Reservation Data

  • Taking and managing table reservations (Article 6(1)(b) GDPR - pre-contractual/contract performance).
  • Reservation confirmations and operational communication (Article 6(1)(f) GDPR - legitimate interest in customer service).
  • Marketing communications, if introduced later, only with explicit opt-in (Article 6(1)(a) GDPR - consent).

4. Recipients and Subprocessors

We share personal data only with processors necessary to deliver the service:

  • Supabase - database and authentication infrastructure (EU region, exact project region to be confirmed during onboarding). Public DPA: https://supabase.com/legal/dpa
  • Resend - transactional email delivery (US). Public DPA: https://resend.com/legal/dpa
  • Netlify - hosting, CDN, and edge/runtime infrastructure (US). GDPR information page: https://www.netlify.com/gdpr-ccpa/

Add final DPA/public notice links here once legal onboarding is completed for each provider.

5. International Data Transfers

Data may be processed outside the EEA when using Resend and Netlify, both of which operate from the United States. Transfers rely on Standard Contractual Clauses (SCCs) and supplementary safeguards as documented by each provider.

6. Retention Periods

  • Owner account data: retained while the account is active; deleted within 30 days of a validated account deletion request.
  • Team member data: retained while the team member is employed at the cafe; deleted by the manager when employment ends, or within 30 days of cafe account deletion.
  • Customer reservation data: retained for 12 months after the reservation date for service quality and dispute handling, then deleted.
  • Finance records: retained for 10 years under German fiscal retention duties (Section 147 AO).
  • Server logs: retained for 30 days.

7. Data Subject Rights (Articles 15-22)

Data subjects can request:

  • Access to their personal data.
  • Rectification of inaccurate data.
  • Erasure of data, where legally applicable.
  • Restriction of processing.
  • Data portability.
  • Objection to processing based on legitimate interests.

To exercise rights, contact: [CONTACT EMAIL - TO BE COMPLETED] or use the platform contact form once configured.

8. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with a competent supervisory authority, particularly in the EU Member State of their habitual residence, place of work, or place of alleged infringement.

9. Automated Decision-Making

Team Organizer does not perform solely automated decision-making with legal or similarly significant effects under Article 22 GDPR. Scheduling uses a deterministic algorithm to produce recommendations, and human managers can override assignments manually.

10. Cookies and Tracking

We currently use only first-party essential cookies needed for authenticated sessions (Supabase auth session handling and related security/session management). We do not use analytics, advertising, or third-party tracking cookies.

11. Contact

Questions about this policy should be sent to [CONTACT EMAIL - TO BE COMPLETED].