Privacy Policy
Last updated: 26 September 2025
Controller: TableGo Ltd ("TableGo", "we", "us") for our own business operations
Processor: TableGo Ltd when processing diner data on behalf of Restaurants within the business portal
Applies to: business.tablego.uk and the TableGo business portal, including widgets/iFrames, APIs and administrative tools used by Restaurants and their authorised users.
1. How to read this Notice
This Notice explains how we handle personal data in compliance with the UK GDPR and the Data Protection Act 2018 (DPA 2018). It also sets out key security information relevant to your account (including optional two‑factor authentication (2FA), which may be required for certain high‑risk actions). It complements our SaaS Terms of Service and our Data Processing Addendum (DPA).
When we determine the purposes and means of processing (for example, account, billing, security, product analytics for the B2B portal), we act as Controller.
When we host or process diner data in your Restaurant account (for example, reservations, deposits, Gift Cards) strictly in accordance with your documented instructions, we act as your Processor and our DPA applies (UK GDPR Art. 28).
2. Categories of data we handle
A. Restaurant account and administrative data (Controller):
Business profile (venue name, company details, addresses), account owners and administrators, authorised user names, work email addresses, roles, team membership, and audit logs.
B. Billing details (Controller):
Billing contact, invoicing address, VAT number, payment references, and plan entitlements.
Stripe identifiers (account IDs, Connect status), payout preferences (metadata only).
Support tickets, email and chat transcripts, and survey responses.
C. Technical and security data (Controller):
Device and browser data, IP address, timestamps, session identifiers, cookie and SDK identifiers, feature flags, error and crash logs, performance metrics, and security telemetry (for example, authentication events, unusual activity signals).
D. Diner and transactional data processed for you (Processor):
Reservation metadata (name, contact details, party size, date and time, notes), Deposit Booking details (amounts, policy references), Gift Card issuance and redemptions, internal tags and notes, and communications with diners initiated via the Platform.
Limited payment metadata from Stripe (transaction IDs, status, amounts, last4; we do not store full card numbers or CVV).
Where diners add allergy or health notes, we process these only with the diner's explicit consent and transmit them to you for safety purposes.
E. KYC and verification data:
Stripe or its vendors may collect KYC data directly from you. We generally receive only status or metadata (such as pass/fail, verification state) rather than the documents themselves.
3. Purposes and lawful bases (Controller)
| Purpose | Examples | Legal basis |
|---|---|---|
| Account setup & administration | Create/manage accounts, roles, authentication, team invites | Art. 6(1)(b) contract |
| Billing & collections | Plan management, invoicing, fee collection, dunning | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation (tax/audit) |
| Security & abuse prevention | Access controls, monitoring, incident response, fraud and risk checks, two‑factor authentication (2FA) | Art. 6(1)(f) legitimate interests (secure service) |
| Product analytics & improvement | Usage metrics, feature performance, A/B tests (non-essential cookies/SDKs only with consent under PECR) | Art. 6(1)(f) legitimate interests; PECR consent where required |
| Service communications | Operational emails, outage notices, changes to terms | Art. 6(1)(b) contract |
| B2B marketing | Product updates, offers to existing customers (soft opt‑in) | Art. 6(1)(f) legitimate interests / Art. 6(1)(a) consent (opt‑out anytime) |
| Legal & compliance | Tax/audit, enforcement, responding to lawful requests | Art. 6(1)(c) legal obligation |
Processor role: When we process diner data for you, you (the Restaurant) are the Controller; you determine the purposes and legal bases and must provide appropriate privacy information to diners. Our DPA governs this processing.
4. Cookies & similar technologies (PECR)
We use cookies/SDKs on business.tablego.uk. Strictly necessary cookies are used for authentication and security. Analytics/performance cookies are used only with consent, managed via our Consent Management Platform (CMP). See our Cookie Policy for details and the cookie table (names, providers, purposes, durations).
5. Sharing your data
We share personal data with trusted providers under appropriate contracts, including:
- Stripe and Stripe Connect (payments, payouts, and fraud or risk management),
- Hosting, CDN, and infrastructure providers (for example, cloud hosting, Vercel, Supabase, or equivalent),
- Security, logging, error tracking, and monitoring services,
- Communications and support providers (ticketing or chat, email or SMS delivery),
- Analytics and product tooling (only with consent where required),
- Professional advisers (legal, accounting), and authorities where required by law.
Where two‑factor authentication is enabled, associated verification data is processed solely to provide this feature and is not shared with third parties except essential authentication infrastructure providers.
We maintain a list of sub‑processors and will notify you of material changes in accordance with the DPA.
6. International transfers
Some providers may process data outside the UK. Where this happens, we rely on:
- UK adequacy decisions (e.g., UK‑US Data Bridge), or
- SCCs/IDTA with supplementary measures.
You may request details of relevant safeguards.
7. Data retention
- Restaurant account and billing records (Controller): retained for the duration of the account plus six (6) years (for tax and audit purposes),
- Security and operational logs (Controller): typically up to 24 months, unless a longer period is required for investigations,
- Diner data (Processor): retained according to your instructions and configuration; upon termination, deleted or returned per the DPA (subject to legal retention),
- Cookie consent records: typically 6–12 months.
8. Your rights (Controller context)
Under the UK GDPR, you have the right to access your personal data, request rectification or erasure, restrict or object to processing, exercise data portability, and withdraw consent at any time (where processing is based on consent).
How to exercise your rights: Please contact us at support@tablego.uk. We will respond within one month, which may be extended by up to two additional months for complex requests.
Diner requests where we act as Processor: We will promptly notify the relevant Restaurant Controller of the request or redirect the request to them.
You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Security
We implement appropriate technical and organisational measures, including encryption in transit, access controls, least‑privilege policies, audit logging, vulnerability management, and staff training. No method is 100% secure; you are responsible for your own endpoint security and internal access governance.
Account security and two‑factor authentication (2FA)
To help protect accounts that can access diner or financial data, we strongly recommend enabling 2FA for all users, and we may require it for higher‑risk actions (for example, managing payouts, API keys, or user administration). Supported methods include time‑based one‑time passwords (TOTP) via an authenticator app. SMS may be available but is discouraged due to lower security.
- Your responsibilities: Keep credentials confidential, do not share logins, maintain up‑to‑date authenticator access, store recovery codes securely, and promptly remove access for former staff.
- Our practices: Rate‑limiting and monitoring of authentication events, session and device management, alerts for unusual activity, and the ability to revoke sessions.
- Support safety: We will never ask for your password or 2FA codes. If you suspect compromise, reset your password, revoke active sessions, and contact support@tablego.uk.
10. Special categories and children
We do not knowingly collect special category data in the B2B portal. If diners voluntarily provide allergy or health notes, this is processed with explicit consent and transmitted to you. The business portal is not intended for children under 16.
11. Data breaches
Where we act as Controller, we will assess and notify the ICO and affected individuals where legally required. Where we act as your Processor, we will notify you without undue delay upon becoming aware of a personal data breach, per the DPA.
12. Changes to this Notice
We may update this Notice from time to time. We will post the updated version with a new "Last updated" date and, where appropriate, provide notice via the portal or email. Your continued use of the business portal constitutes acceptance of these changes.
13. Contact
TableGo Ltd
Address: 284 Chase Road A Block 2nd Floor Suite 539, London, N14 6HF, United Kingdom
Email: support@tablego.uk
For data‑processing terms: refer to our Data Processing Addendum (DPA).