Aaatable Legal

Privacy Policy

1. Introduction

This Privacy Policy explains how Aaatable ("we", "us", "our"), operated from Switzerland, collects, uses, stores, and protects your personal data when you use our platform at https://aaatable.com.

We comply with the Swiss Federal Act on Data Protection (nFADP/DSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

This policy applies to two categories of users:

  • Restaurant Operators: restaurant owners and staff who hold an account on Aaatable.
  • Customers: diners who browse menus and place orders without creating an account.

2. Data Controller

Aaatable
Switzerland
Email: [email protected]

3. Data We Collect

3.1 Operator Account Data

When a Restaurant Operator registers an account, we collect:

  • Name and email address
  • Phone number (optional)
  • Restaurant name and address
  • Password (stored encrypted, never in plain text)

3.2 Customer Order Data

Customers do not create accounts on Aaatable. When a Customer places an order, the following data is collected at checkout:

  • Name and phone number
  • Delivery address (for delivery orders only)
  • Order contents, amounts, and payment method
  • Order comments and special instructions

This data is collected on a per-order basis to fulfil the transaction and is associated with the restaurant that receives the order.

3.3 Usage Data

For all visitors, we may automatically collect:

  • IP address and browser type
  • Pages visited and features used
  • Device information and operating system
  • Session duration and interaction data

3.4 Payment Data

Payment card details are processed directly by our payment partners (Stripe) and are never stored on our servers. We only receive confirmation of payment status. This applies to both Operator subscription payments and Customer order payments.

4. Legal Basis for Processing

We process your data based on:

  • Contract performance (Art. 6(1)(b) GDPR / Art. 31 nFADP): to provide Platform services to Operators, and to process orders for Customers
  • Legitimate interests (Art. 6(1)(f) GDPR / Art. 31 nFADP): to improve our services, prevent fraud, and ensure platform security
  • Consent (Art. 6(1)(a) GDPR / Art. 31 nFADP): for marketing communications to Operators, which can be withdrawn at any time
  • Legal obligations (Art. 6(1)(c) GDPR / Art. 31 nFADP): to comply with tax, accounting, and regulatory requirements

5. How We Use Your Data

5.1 Operator Data

We use Operator data to:

  • Provide, maintain, and improve the Platform
  • Manage subscriptions and billing
  • Send transactional notifications and product updates
  • Provide customer support
  • Generate anonymised analytics and reports

5.2 Customer Data

We use Customer data to:

  • Process and fulfil orders on behalf of the restaurant
  • Send order confirmations and status updates
  • Enable the restaurant to manage delivery or pickup

We do not use Customer order data for marketing purposes. We do not send Customers promotional communications.

6. Data Storage and Security

Your data is stored on servers located in Europe. We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication mechanisms
  • Regular security audits and updates
  • Automated backups with encrypted storage

7. Data Sharing

We do not sell your personal data. We may share data with:

  • Restaurant Operators: Customer order data is shared with the restaurant that receives the order, so they can fulfil it
  • Payment processors (Stripe) for transaction processing
  • Hosting providers for infrastructure services (servers located in the EU)
  • Email services for transactional communications
  • Legal authorities when required by Swiss or EU law

All third-party processors are bound by data processing agreements ensuring adequate protection of your data.

8. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA) and Switzerland. If data is transferred outside these regions, we ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs)
  • Swiss-approved adequate protection measures
  • Or your explicit consent

9. Data Retention

We retain data for the following periods:

  • Operator account data: for the duration of the account, plus 90 days after deletion
  • Customer order data: 10 years (Swiss commercial law requirements)
  • Payment records: 10 years (Swiss tax law)
  • Usage logs: 12 months
  • Marketing consent records (Operators only): for the duration of consent, plus 3 years

10. Your Rights

Under the nFADP and GDPR, both Operators and Customers have the right to:

  • Access: request a copy of the data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion of your data (subject to legal retention requirements)
  • Restriction: limit how we process your data
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent

To exercise your rights, contact us at [email protected]. We will respond within 30 days.

11. Cookies

The Platform uses cookies for:

  • Essential cookies: required for the Platform to function (session management, cart contents, language preferences)
  • Analytics cookies: to understand how users interact with the Platform (only when the Google Analytics module is enabled by the Operator)

Essential cookies cannot be disabled as they are necessary for the Platform to operate. You can manage analytics cookies through your browser settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Operators will be notified of material changes via email or in-app notification. Updated policies will also be published on this page. The date of the last update is indicated below.

13. Contact and Complaints

For questions or complaints about data protection, contact us at:
[email protected]

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EU residents, your local data protection authority.

Last updated: March 2026