Brasserio Privacy Policy

1. Scope

This Privacy Policy explains how DevYouUp, operating the Brasserio product, collects, uses, discloses, stores, and protects personal information when individuals interact with Brasserio websites, dashboards, embedded booking widgets, restaurant public pages, mobile applications, payment and cancellation flows, communications, support, and related services.

This Policy applies globally. Additional rights may apply depending on where you live, where a restaurant operates, the feature used, and the data protection laws that apply.

This Policy does not cover independent third-party websites or services, including restaurant websites, payment providers, mobile operating systems, app stores, or tools that a restaurant adds to its own website. Those third parties are responsible for their own privacy practices.

2. Who Controls Personal Information

Brasserio has different privacy roles depending on the data and feature:

Restaurant and Guest operational data: For Guest reservations, waitlists, restaurant operational records, staff lists configured by a Restaurant Customer, and similar data processed for restaurant operations, the Restaurant Customer is generally the controller or business responsible for the data, and Brasserio acts as processor or service provider under the DPA.

Brasserio account, billing, security, legal, support, and B2B marketing data: Brasserio acts as an independent controller for data it uses to operate its business relationship with Restaurant Customers, protect accounts, bill for services, manage support, communicate with restaurant contacts, and comply with law.

Marketing website leads and visitors: Brasserio acts as controller for personal information collected through Brasserio-owned marketing pages, contact forms, analytics, and business development communications.

If you are a Guest and your request relates to a reservation, waitlist, deposit, special request, or restaurant-managed data, the restaurant may be the primary party responsible for your request. You may still contact Brasserio at support@brasserio.com, and we will handle or route the request as appropriate.

3. Personal Information We Collect

3.1 Restaurant owner, administrator, staff, and business-contact data

• name, email address, phone number, organization name, branch or role affiliation, and contact details;
• account credentials, password hashes, session data, account status, roles, permission levels, and activity or audit logs;
• device identifiers, working-station identifiers, push notification tokens, crash logs, diagnostics, app version, device type, operating system, and language settings;
• profile or avatar images where uploaded;
• billing contact details, payment status, plan details, invoices, transaction records, business registration numbers, privately held company numbers, and tax information where collected;
• support messages, onboarding records, implementation requests, legal notices, and security reports.

3.2 Guest and diner data processed for restaurants

• name and phone number;
• email address where provided, which is not mandatory for every booking flow;
• party size, reservation date and time, branch, section or table preference, booking status, cancellation status, no-show status, and waitlist information;
• special requests, accessibility notes, dietary notes, allergy notes, and similar information voluntarily provided by the Guest for reservation needs;
• deposit, hold, checkout, payment status, payment token, transaction identifier, limited card metadata, refund, chargeback, and receipt-related information provided by payment processors;
• SMS delivery status and communication metadata where needed to send confirmations, waitlist messages, or cancellation links.

3.3 Restaurant business and operational data

• restaurant name, public profile/page data, branches, locations, opening hours, menus, restaurant images, logos, descriptions, restrictions, and seating rules;
• floor plans, table coordinates, table layouts, service views, table states, reservations, waitlists, staff lists, customer lists, and operational settings;
• analytics and reporting data, including aggregated or de-identified product and benchmark data.

3.4 Technical and automatically processed data

Brasserio may process technical data needed to deliver and secure the Services, such as device information, browser information, session identifiers, cookie identifiers, crash logs, diagnostics, request metadata, network identifiers processed by infrastructure providers, and security logs. Brasserio does not use IP address as a restaurant or guest profile field, but IP addresses or similar network identifiers may be processed transiently or in logs by infrastructure, security, payment, analytics, or communications providers.

3.5 Location data

Brasserio may process device location when a restaurant user enables location access to add or configure a branch location and to improve suggestions for the book-a-table use case. Brasserio does not collect precise Guest location as a standard booking requirement.

3.6 Sensitive information

Brasserio does not require Guests to provide sensitive information. Special requests, accessibility notes, dietary notes, and allergy notes are optional and voluntarily provided for reservation or service needs. Brasserio does not intentionally collect biometric data, government ID numbers, or children’s data.

4. How We Use Personal Information

• provide, operate, maintain, secure, and improve the Services;
• create and manage restaurant accounts, staff accounts, roles, permissions, sessions, devices, and working stations;
• manage reservations, waitlists, guest cancellation links, deposits, holds, payment status, and restaurant operational workflows;
• send transactional SMS messages, staff push notifications, account notices, support messages, billing messages, security notices, and service announcements;
• process restaurant subscription billing, guest deposits or holds, refunds, chargebacks, VAT, invoices, reconciliation, and payment disputes;
• provide onboarding, implementation, support, troubleshooting, diagnostics, training, and product maintenance;
• generate analytics, reports, performance insights, and aggregated or de-identified benchmarks;
• protect against fraud, abuse, fake reservations, bot activity, credential compromise, security incidents, and unlawful use;
• comply with law, enforce contracts, protect rights, resolve disputes, and respond to lawful requests;
• send B2B marketing to restaurant contacts where permitted, with opt-out options.

5. Legal Bases for Processing

Where GDPR, UK GDPR, Israeli privacy law, or similar laws require a legal basis, Brasserio relies on one or more of the following legal bases depending on the data and feature:

• performance of a contract or steps taken before entering a contract;
• legitimate interests, including operating and securing the Services, providing support, improving the product, preventing fraud, and B2B marketing where permitted;
• consent, including for certain cookies, marketing, location access, or optional communications where required;
• legal obligations, including tax, accounting, consumer protection, payments, security, and compliance obligations;
• restaurant instructions when Brasserio acts as processor for Restaurant Customer data.

6. How We Share Personal Information

• with Restaurant Customers and their Authorized Users, according to roles, permissions, and restaurant account configuration;
• with Guests and restaurants as needed to operate reservations, waitlists, cancellation links, deposits, holds, refunds, and related communications;
• with subprocessors and service providers listed in the Subprocessor and International Transfer Notice, including hosting, database, payment, SMS, email, push notification, analytics, security, infrastructure, app store, and domain providers;
• with payment processors and financial partners to process payments, holds, refunds, chargebacks, fraud checks, reconciliation, receipts, and compliance obligations;
• with communications providers to send transactional SMS, staff push notifications, support, or account messages;
• with professional advisers, insurers, auditors, and legal authorities where needed for compliance, disputes, investigations, or legal rights;
• in connection with a merger, acquisition, financing, reorganization, sale of assets, change of control, bankruptcy, or transfer of the Brasserio business;
• with consent or at the direction of the relevant Restaurant Customer or user.

Brasserio does not sell personal information for money. Brasserio does not currently send guest marketing emails or use paid retargeting through Meta Pixel or LinkedIn Ads. If targeted advertising or similar sharing is introduced, Brasserio will provide required notices and choices under applicable law.

7. Cookies, Analytics, and Similar Technologies

Brasserio uses cookies, local storage, SDKs, pixels, tags, and similar technologies for login, session continuity, security, preferences, language settings, analytics, attribution, booking-flow continuity, and payment-flow reliability. Google Analytics and reCAPTCHA may be used. Google Tag Manager, Meta Pixel, LinkedIn Ads, Hotjar, Microsoft Clarity, Mailgun, Sentry, and Datadog are not currently used for the Services described in this Policy.

Details are provided in the Cookie Policy at https://brasserio.com/cookie-policy. Users may control cookies through browser settings. Where legally required and technically available, Brasserio will honor Global Privacy Control signals and provide consent or preference controls for non-essential cookies.

8. Communications

Brasserio may send transactional SMS messages for reservation confirmations, waitlist messages, and cancellation links. Brasserio may use Twilio and link.brasserio.com for SMS delivery and link shortening. Brasserio may send staff push notifications through Firebase Cloud Messaging. Guest push notifications are not currently offered.

Brasserio does not currently send Guest marketing emails. Brasserio may send B2B marketing emails to restaurant contacts where permitted. Restaurant Customers may opt out of B2B marketing, but service, security, billing, legal, and transactional notices may still be sent.

9. International Transfers

Brasserio is operated from Israel and currently uses infrastructure including AWS eu-central-1 for primary hosting. Personal information may be processed in Israel, the European Economic Area, the United States, and other countries where Brasserio, support personnel, service providers, subprocessors, or payment and communications providers operate.

Where required for transfers of personal information subject to EU GDPR, UK GDPR, Swiss data protection law, or similar rules, Brasserio relies on recognized safeguards such as adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-U.S. Data Privacy Framework for participating vendors, vendor transfer assessments, or other lawful transfer mechanisms.

10. Data Retention

Brasserio retains personal information for as long as needed for the purposes described in this Policy, including to provide the Services, maintain account records, meet legal obligations, resolve disputes, prevent fraud, enforce agreements, and protect security.

When a Restaurant Customer approves account deletion, Brasserio revokes access, disables employee access, revokes API keys and machine credentials, terminates active sessions, and schedules operational data for deletion. The default operational deletion safeguard period is 30 days.

Operational data scheduled for deletion may include reservations and booking records, tables, floor setup, menus, employee records, and account-level operational data. Invoices, transaction history, and related financial records are retained for 7 years where legally required, and personal customer details are anonymized where applicable.

Brasserio does not currently provide restaurant self-service export before deletion. Brasserio does not currently promise customer-specific backup retention or recovery. Limited residual copies may remain temporarily in logs, caches, provider records, or compliance records where technically necessary or legally required.

11. Privacy Rights and Choices

Depending on your location and relationship to the data, you may have rights to access, correct, delete, receive a copy of, restrict, object to, or port your personal information; withdraw consent; opt out of certain marketing; opt out of sale or sharing where applicable; and lodge a complaint with a regulator.

Restaurant account users may contact Brasserio at support@brasserio.com for account, privacy, or support requests. Guests whose requests relate to restaurant-controlled reservation or waitlist data should contact the restaurant first; Brasserio may route the request to the restaurant or assist under its processor obligations. Brasserio aims to respond to privacy requests within 30 days where required or commercially reasonable.

California and similar U.S. state privacy rights: Brasserio does not sell personal information for money. To opt out of any activity that may be considered sharing for cross-context behavioral advertising under applicable law, contact support@brasserio.com or use recognized browser signals such as Global Privacy Control where technically recognized.

12. Security

Brasserio uses technical and organizational measures designed to protect personal information, including TLS in transit, restricted internal access, role-based access controls, least-privilege practices, credential and secret-management practices, monitoring, and vendor controls. No system is 100% secure. Users and Restaurant Customers are responsible for protecting credentials, devices, websites, and account access.

13. Children

The Services are not intended for children under 16. Brasserio does not knowingly collect personal information from children under 16. If you believe a child provided personal information to Brasserio, contact support@brasserio.com.

14. Changes to This Policy

Brasserio may update this Policy from time to time. Material changes may be notified by posting an updated version, sending notice to account contacts, or displaying an in-product notice. The Last Updated date shows when this Policy was last revised.