1. Introduction
This Privacy Policy explains how we process personal data when operating the DinerOps Service, related websites, and the DinerOps Go consumer mobile application (“DinerOps Go”) for loyalty programmes at participating restaurants. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national law. This Policy describes what data we collect, why we use it, and your rights.
2. Controller and contact details
Unless otherwise specified in an agreement with a customer, the data controller for personal data described in this Policy is Velar Labs Oy (Business ID: 3613049-9), a company incorporated in Finland, operating the DinerOps Service.
For general privacy questions you can contact us at support@dinerops.com. For data protection matters, including data subject rights, you can contact our privacy contact / DPO at support@dinerops.com.
3. Relationship to the DPA
When we process personal data on behalf of a customer in connection with the Service (for example reservation data, staff work hours), the customer is the controller and we act as processor. In such cases our processing is governed by a Data Processing Agreement (DPA) with that customer. This Privacy Policy mainly describes our role as an independent controller (for example for our own customer relationship management, billing and Service analytics).
4. Personal data we collect
Depending on your interaction with us, we may process the following categories of personal data:
- account and contact data (name, email address, role, company/restaurant association, login identifiers);
- customer relationship and billing data (subscription and plan details, billing contact details, invoicing and transaction references via payment providers);
- service usage data (log data, device and browser information, pages viewed, actions taken — note: we do not store IP addresses in our analytics systems);
- data you or your organisation enter into the Service (for example reservation and guest details, work hours data, opening hours and floor plan configuration);
- marketing and communication data (newsletter subscriptions, communication preferences, information about interactions with our emails and website);
- when you use the DinerOps Go app: account and profile details for loyalty (such as email, display name and programme participation), device identifiers, push notification tokens if you enable notifications, Google sign-in data if you choose that sign-in method, and camera input when you scan QR codes to register visits (processed to provide the loyalty features);
- aggregated or statistical insight we derive from app or Service usage where permitted by law.
5. Sources of personal data
We obtain personal data from you directly (for example when you sign up, use the Service or DinerOps Go, contact support), from your organisation (when it designates you as an authorised user or contact person), automatically through your use of the Service, DinerOps Go and our websites (for example logs and cookies), and from certain third parties such as payment service providers or integration partners, where permitted.
6. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases:
- to provide and operate the Service and DinerOps Go (creating and managing accounts, authenticating users, providing core functionality including loyalty features, processing subscriptions and support) – based on performance of a contract with the customer or end user (where applicable) and our legitimate interests in providing a secure service;
- to manage billing and administration (processing payments, invoicing, accounting, fraud prevention) – based on performance of a contract, compliance with legal obligations and our legitimate interests;
- to communicate with you and provide support (responding to enquiries, sending essential service messages, support communications) – based on performance of a contract and our legitimate interests in maintaining customer relationships;
- to improve and secure the Service (analytics, monitoring usage, developing new features, ensuring security) – based on our legitimate interests in improving and protecting the Service, and where required by law, on your consent; and
- to comply with legal obligations and to establish, exercise or defend legal claims – based on compliance with law and our legitimate interests.
We do not use your data for automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.
7. Recipients and international transfers
We may share personal data with service providers and subprocessors (such as hosting providers, payment processors, and email and support platforms), integration partners chosen by customers, professional advisers (such as lawyers and accountants under confidentiality obligations), and public authorities where required by law. We do not share personal data with third-party analytics providers. A current list or description of subprocessors is available in our Data Processing Agreement at /dpa or on request from support@dinerops.com.
Some recipients may be located outside the EU/EEA. In such cases we will ensure appropriate safeguards for the transfer, such as an adequacy decision of the European Commission or Standard Contractual Clauses together with any additional measures required by law. Further information on international transfers and safeguards is available on request at support@dinerops.com.
8. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods include:
- account and customer relationship data: for the duration of the contract and for up to six (6) years thereafter, unless a longer period is required by law;
- billing and transaction data: for the period required by applicable accounting and tax laws;
- support tickets and communications: for as long as necessary to resolve the matter, and for a reasonable period thereafter;
- anonymous marketing analytics data (page views, sessions, events): automatically deleted after 365 days;
- reservation and guest data: anonymised (names, contact details and notes removed) after 24 months from the reservation date for completed, cancelled or no-show reservations. Anonymised records are retained for business statistics;
- activity logs: anonymised (user names, emails and IP addresses removed) after 24 months; and
- loyalty check-in data: automatically deleted after 90 days.
After the retention period, personal data will be deleted or irreversibly anonymised.
9. Cookies and similar technologies
We use only strictly necessary cookies and local storage on our websites and within the Service. We do not use any third-party analytics or tracking services. The technologies we use are:
- auth-token (httpOnly cookie, session): authentication token required for login and access control — strictly necessary;
- auth-google-state (httpOnly cookie, short-lived): CSRF protection during Google OAuth login flow — strictly necessary;
- theme (cookie/localStorage): stores your selected light or dark theme preference — functional;
- UI preference keys (localStorage): store per-user interface preferences such as filter and view settings — functional.
On our pre-login marketing pages we collect anonymous, aggregated audience measurement data (such as page views, device type, browser, operating system and referrer hostname) using our own first-party system. This data is not linked to any identified or identifiable individual, does not include IP addresses, and is used solely for understanding aggregate visitor trends. No third-party analytics scripts are loaded.
10. Your rights
Subject to applicable law, you have the right to access your personal data; to have inaccurate or incomplete data corrected; to request deletion or restriction of processing; to receive a copy of your data in a structured, commonly used and machine-readable format and to transmit it to another controller; and to object at any time to processing based on our legitimate interests and to direct marketing.
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, please contact us at support@dinerops.com. We may need to verify your identity before responding. You also have the right to lodge a complaint with a supervisory authority, for example the Office of the Data Protection Ombudsman in Finland or the supervisory authority in your country of residence or place of work.
11. Children’s privacy
The Service and our websites are not intended for children under 16 years of age, and we do not knowingly collect personal data from such individuals. If you believe that a child has provided us with personal data, please contact us at support@dinerops.com and we will take appropriate steps to delete such data.
12. Security
We implement appropriate technical and organisational measures to protect personal data, having regard to the risks involved and the state of the art. A high-level description of such measures is available in our Data Processing Agreement at /dpa and related security documentation.
If a personal data breach affecting personal data under our control occurs, we will notify affected customers or individuals as required by law and by the DPA.
13. Changes to this Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities or legal requirements. We will publish the updated Policy on our website and indicate the "Last updated" date. If changes are significant, we may provide additional notice (for example via email or through the Service).