stayfoodie.
CA · ES · EN
Sign in Start free
Home Pricing How it works Partners About Start free →
Legal

Privacy policy

Last updated: 28 April 2026.

1. Introduction

This policy explains how SC DIGITAL BOMORE MARKETING COMPANY, SL (owner of the Stay Foodie trade name) processes the personal data of those who use the booking service and the stayfoodie.com website. The current version is the one published on this page dated 28 April 2026 — if we introduce substantial changes we will give notice by email before they come into force.

Data controller

  • Registered company name: SC DIGITAL BOMORE MARKETING COMPANY, SL
  • VAT / CIF: B75259804
  • Registered office: Carrer Xaloc, 8 baixos, 07470 Port de Pollença (Illes Balears)
  • Trade name: Stay Foodie
  • General contact: hola@stayfoodie.com
  • Data protection contact: privacidad@stayfoodie.com

Data we collect

We collect only the data strictly required for the service to work. Identification and contact details of the person who registers the restaurant (first and last name, email, phone) and of the team members invited to the account. Diner data when a booking is made through the widget or the restaurant's own page: name, email, phone, party size, date and time slot, allergies and notes left for the restaurant. Application usage data, such as bookings created, modified or cancelled, configuration preferences and activity logs from the panel. Technical data generated automatically: IP address, browser identifier and cookies, described in detail in the cookies policy.

Purposes of processing

We use the data to create and manage the restaurant's account, deliver the booking service (processing bookings, sending confirmations and reminders to the diner, running the restaurant's CRM), send essential service communications (billing notices, contractual changes, technical alerts), comply with our legal obligations (issuing and keeping invoices, responding to requests from competent authorities) and improve the product based on aggregated metrics. We do not use diners' data to send them our own marketing: that relationship belongs to the restaurant, and marketing communications from us are only enabled if you give us explicit consent.

Legal basis

Each purpose rests on a specific legal basis under Regulation (EU) 2016/679 (GDPR). Performance of the service contract (art. 6.1.b GDPR) covers account creation, booking management and essential technical notices. Explicit consent (art. 6.1.a GDPR) supports analytics cookies and commercial communications, and may be withdrawn at any time. Legal obligation (art. 6.1.c GDPR) justifies the retention of billing data and any other data required by tax and commercial regulations. Legitimate interest (art. 6.1.f GDPR) supports the minimum records needed for security, fraud prevention and service auditing.

Data retention

We keep the restaurant's account data for as long as the account is active. After cancellation we retain the strictly necessary information for six years, the period required by article 30 of the Spanish Commercial Code for accounting and commercial documentation, and the equivalent periods under tax law. Data linked to marketing consent is kept until you withdraw that consent, at which point it is deleted or anonymised. Cookies are kept in line with the specific policy published on the cookies page. Backups rotate on a cycle of at most ninety days before being overwritten.

Recipients and data processors

We do not sell or transfer data to third parties for commercial purposes. We do work with providers that act as data processors under contract: Stripe for the processing of payments and card guarantees, Twilio for sending reminder SMS when the restaurant activates that feature, transactional email providers for booking confirmations and account notices, cloud infrastructure with servers located in the European Union, and Google Analytics only when you have accepted analytics cookies. With each of them we sign the corresponding data processing agreement (DPA) or apply the standard contractual clauses approved by the European Commission.

International transfers

Some of our technology providers (for example Google or certain Stripe services) may process data outside the European Economic Area. In those cases we apply the safeguards set out in Chapter V of the GDPR: standard contractual clauses approved by the European Commission and, where applicable, certification under the EU-U.S. Data Privacy Framework. You can request a copy of the safeguards in place for a specific processing activity by writing to privacidad@stayfoodie.com.

Your rights

You have the right to access your data, rectify it, erase it, object to processing, request restriction, receive your data in a portable format, and not be subject to automated individual decisions with significant effects. To exercise these rights, send an email to privacidad@stayfoodie.com stating the right you are exercising and attaching a copy of your national ID or equivalent document confirming your identity. We will respond within one month from receipt, extendable to two when the request is particularly complex, in which case we will let you know about the extension.

Lodging a complaint with the Authority

If you believe your data protection rights have not been properly addressed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD, the supervisory authority in Spain), based at C/ Jorge Juan 6, 28001 Madrid, with electronic office at www.aepd.es. We would be grateful for the chance to resolve the matter directly first by writing to privacidad@stayfoodie.com — but this is not a prerequisite for turning to the supervisory authority.

Security

We apply the technical and organisational measures appropriate to the risk of the processing, in line with article 32 of the GDPR. All communication between client and server travels encrypted over TLS. Passwords are stored using robust hashing functions, and API keys and sensitive data are encrypted at rest. Access to the admin panel is subject to role-based control, and card data is not stored on our servers — it is handled directly by Stripe. We carry out encrypted backups and regular audits of the system's state, and we maintain a documented procedure for breach notification within the 72-hour deadline set by law.

Changes to this policy

The current version of this policy is always the one published on this page, with the update date shown at the top. If we introduce substantial changes — for example, new processing purposes, relevant changes of processors or adjustments to the legal basis — we will give notice by email to registered users at least fifteen days before they come into force. Minor or editorial changes are published directly without specific notification.