RESTOBOT

Privacy Policy

Last updated: March 16, 2026

This Privacy Policy describes how RESTOBOT ("we", "us", or "our") collects, uses, and protects personal data when you use our platform, website, and services (collectively, the "Service").

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection laws.


1. Service Provider

The Service is provided by:

RESTOBOT
Warsaw, Poland
NIP 1133092409
REGON 524951267

For any privacy-related inquiries, please contact us at: [email protected]


2. Data We Collect

We only collect data that you explicitly provide to us. We do not collect IP addresses, and we do not use any analytics or tracking technologies.

2.1 Order Data

When you place an order through the Service, we collect:

  • email address
  • phone number
  • first and last name (optional)
  • delivery address (street, building, entrance, floor, apartment, city, postal code, geographic coordinates)
  • order comments
  • tip amount
  • promo code (if used)

2.2 Reservation Data

When you make a reservation, we collect:

  • email address
  • phone number
  • first name
  • preferred date, time, guest count, and duration
  • comments (optional)

2.3 Authentication Data (Administrators)

Restaurant owners and managers authenticate via the Telegram Login Widget. During this process, Telegram transmits the following data to us:

  • Telegram user ID
  • first and last name
  • username
  • profile photo URL

We do not send any data to Telegram. This data is used solely to identify and authenticate administrators within the Service.


3. How We Use Your Data

We use the collected data exclusively for the following purposes:

  • processing and fulfilling orders
  • managing reservations
  • authenticating administrators
  • providing and maintaining the Service

We do not use your data for marketing purposes. We do not send promotional emails, SMS campaigns, or newsletters.


4. Cookies and Local Storage

We use minimal browser storage technologies, strictly necessary for the operation of the Service. We do not use analytics cookies, advertising cookies, or tracking pixels.

4.1 Cookies

  • Authentication token — a secure cookie containing a JSON Web Token (JWT) used to keep you signed in. This cookie expires after 30 days.

4.2 Local Storage

  • Shopping cart — stores the contents of your current cart for each establishment
  • Language preferences — stores your selected display language
  • Feedback status — records whether you have already submitted feedback to avoid duplicate submissions

4.3 Session Storage

  • UI state — temporary data for interface elements (e.g., whether a banner has been shown), cleared when you close the browser tab

5. Third-Party Services

To provide the Service, we integrate with the following third-party providers. Each of these providers may process certain data as described below:

5.1 Payment Processing

  • Stripe — processes online card payments. Stripe receives your payment card information directly; we do not store full card details. Stripe's privacy policy: stripe.com/privacy
  • LiqPay — an alternative payment processor. Payment data is handled directly by LiqPay. LiqPay's privacy policy: liqpay.ua/en/privacy

5.2 Delivery

  • Wolt Drive — when Wolt Drive is selected as the delivery method, your delivery address and phone number are shared with Wolt to fulfill the delivery. Wolt's privacy policy: wolt.com/en/privacy

5.3 Maps and Address Autocomplete

  • Google Maps — used for delivery address autocomplete. When you type a delivery address, your input is sent to Google Maps to provide suggestions. Google's privacy policy: policies.google.com/privacy

5.4 Image Storage

  • Cloudinary — stores images uploaded by establishment administrators (e.g., menu item photos). No end-user personal data is transmitted to Cloudinary. Cloudinary's privacy policy: cloudinary.com/privacy

5.5 Authentication

  • Telegram — used for administrator authentication via the Telegram Login Widget. Telegram transmits administrator profile data to us; we do not send user data to Telegram. Telegram's privacy policy: telegram.org/privacy

6. Data Storage and Security

All data is stored on servers hosted by Heroku in the European Union.

We do not log IP addresses or any data beyond what users explicitly provide through the Service.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.


7. International Data Transfers

Our primary data storage is within the EU. However, some third-party service providers (such as Stripe and Cloudinary) may process data outside the European Economic Area (EEA). In such cases, these providers rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by the GDPR to ensure adequate protection of your data.


8. Data Sharing

We do not sell, rent, or share your personal data with any third parties except as described in Section 5 (Third-Party Services), where data sharing is strictly necessary to provide the Service.

We may disclose personal data if required by law or in response to valid legal requests by public authorities.


9. Data Retention

We retain personal data for as long as the associated establishment account remains active on the platform.

When an establishment account is closed, all associated data is deleted.

Individual users may request deletion of their personal data at any time by contacting us at [email protected].


10. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of access — you may request confirmation of whether we process your personal data and obtain a copy of it
  • Right to rectification — you may request correction of inaccurate or incomplete data
  • Right to erasure — you may request deletion of your personal data
  • Right to restriction — you may request that we restrict the processing of your data
  • Right to data portability — you may request your data in a structured, machine-readable format
  • Right to object — you may object to the processing of your data
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland, the relevant authority is the President of the Personal Data Protection Office (UODO): uodo.gov.pl.


11. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take steps to delete such information.


12. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be published on this page with a revised "Last updated" date.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.


13. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at:

[email protected]


© 2026 RESTOBOT. All rights reserved.