GoodResto Portal - Privacy Policy

Effective on November 8, 2025

INTRODUCTION

This Privacy Policy, hereinafter referred to as the “Privacy Policy”, sets forth the rules for using the Portal.

All capitalized terms used in this Privacy Policy shall have the same meanings ascribed to them in the GoodResto Portal - Terms of Service, unless expressly stated otherwise.

DATA CONTROLLER AND CONTACT INFORMATION

The controller of your personal data is:

Goodresto sp. z o.o.ul. Williama Heerleina Lindleya 1602-013 Warsaw, Poland

KRS: 0001124926

NIP: 7011221145

You can contact us via:

• Postal mail: Goodresto sp. z o.o., ul. Williama Heerleina Lindleya 16, 02-013 Warszawa, lub

• E-mail: [email protected]

SCOPE OF APPLICATION

This Privacy Policy applies to processing of Personal Data of:

• Venue Representatives and Venue Workers who use the GoodResto Portal.
  
• End Users, whose Personal Data may be processed within the Portal for the purpose of managing Reservations, including data:
  
  • submitted during online Reservations,
    
  • shared by GoodResto from the App or Website,
    
  • manually entered by the Venue (e.g., phone, walk-in, email reservations).

This policy applies only to the Portal.
Separate Privacy Policies apply to GoodResto App & Website (End Users).

TYPES OF PERSONAL DATA PROCESSED

Data of Venue Representatives and Venue Workers.

We process Personal Data provided during account registration and use of the Portal, including:

• First name and last name
  
• Business role
  
• Telephone number
  
• E-mail address
  
• Account login credentials (encrypted password)

For invoicing purposes, we process

• Venue legal name
  
• Venue address
  
• Tax Identification Number (or equivalent)

Data collected automatically:

When you use the Portal we may collect:

• IP address
  
• Device and browser information
  
• login activity and technical logs
  
• Usage logs for security and fraud prevention

Referral or incentive programs:

If Venue Representative are participating in incentive or referral programs offered by the Service Provider, GoodResto may collect and process Personal Data such as bank account details for the purpose of administering payments in accordance with applicable data protection laws.

Reservation customer Personal Data:

The Portal may contain Personal Data of customers who made a reservation at the Venue.

Such data may originate from:

1. Reservation submitted online (through App or Website), or
   
2. Data manually entered by the Venue (telephone reservations, walk-ins, emailed reservations, etc.).

Depending on the origin of data:

• For online reservations: GoodResto and the Venue are each independent data controllers.

• For manually entered customer data: the Venue is the data controller, and GoodResto processes such data solely as a data processor providing the reservation management system.

If a customer voluntarily provides dietary or allergy-related information during reservation, this information is only transmitted to the Venue. GoodResto does not verify, interpret, or act upon such information.

PURPOSES AND LEGAL BASES FOR PROCESSING

We process Personal Data to:

• create and maintain Portal accounts,
  
• provide reservation and customer record management features,
  
• provide technical support,
  
• secure and monitor the system,
  
• meet legal obligations (e.g., tax and accounting),
  
• carry out GoodResto’s direct marketing only where consent was given.

Legal bases for processing include:

• performance of a contract – GDPR art. 6(1)(b),
  
• legal obligation – art. 6(1)©,
  
• legitimate interest in securing the Portal – art. 6(1)(f),
  
• consent for marketing communications – art. 6(1)(a).

OPERATIONAL RESERVATION MESSAGES

The Portal may send transactional communications to End Users on behalf of the Venue, including reservation confirmations, reminders, updates, cancellation messages, and post-visit review requests. These communications are not marketing and do not require Marketing Consent. They are necessary to perform the Reservation and are sent based on Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in preventing no-shows and ensuring reservation management).

ROLES IN PERSONAL DATA PROCESSING

GoodResto processes Personal Data in different roles depending on how the data is obtained:

• When an End User makes a Reservation through the App, GoodResto is an independent Data Controller for the operation of the account and communication. Once Reservation details are shared with the Venue, the Venue becomes an independent Data Controller for fulfilling the Reservation.

• When an End User makes a Reservation through the Website without creating an account, GoodResto is a Data Controller for processing required to transmit and confirm the Reservation. After the Reservation details are transferred to the Venue, the Venue acts as an independent Data Controller for fulfilling the Reservation.

• When the Venue manually enters customer data (e.g. walk-in, email, or phone reservations), the Venue is the Data Controller of such Personal Data. In such cases, GoodResto acts solely as a Data Processor, providing technical storage, communication functionalities, and system infrastructure on behalf of the Venue.

Marketing consents apply only to the party to whom they were granted.

GoodResto and the Venue do not act as joint controllers.

MANUAL ENTRY OF CUSTOMER PERSONAL DATA BY THE VENUE

The Venue may manually enter customer information into the Portal.
By doing so, the Venue represents and warrants that:

1. The data was collected lawfully, and the customer was informed about processing.
   
2. The data will be used solely for managing reservations and customer relations.
   If the Venue requests GoodResto to send SMS or email notifications to the customer, the Venue has obtained the customer’s authorization to receive such communications.

For manually entered data:

• the Venue acts as the sole Data Controller for manually entered customer data. GoodResto acts only as a Data Processor in this context,
  
• GoodResto processes such data only on the Venue’s behalf,
  
• the Venue is solely responsible for the accuracy, lawful basis, retention, and consent management.

Any segmentation, notes, tags, or internal labels applied to customers are performed by the Venue and are not reviewed or validated by GoodResto.

If a manually entered customer later submits a reservation independently through GoodResto Services, GoodResto becomes an independent Data Controller for Personal Data related to that independent interaction.

OBLIGATION TO PROVIDE DATA

Providing personal data is voluntary but necessary to use the Services. Without this data, we will not be able to create or manage your account or provide functionalities.

DATA SHARING

We may share your Personal Data with:

• Trusted service providers such as IT companies, accounting firms, marketing agencies, analytics providers, or payment processors, but only to the extent necessary for the delivery of our services;

• Advisors such as legal, accounting or tax;

• Entities affiliated with Goodresto, if necessary for internal administrative purposes;

• Public authorities or regulatory bodies when required by applicable laws or legitimate legal requests

• Communication providers (SMS / email sending),

Data is hosted in the European Union.

In principle, we do not transfer your personal data outside the European Economic Area (EEA). If such transfer becomes necessary, it will only be done in accordance with applicable legal requirements and with the use of appropriate safeguards, such as standard contractual clauses approved by the European Commission.

DATA SECURITY

We apply organizational and technical safeguards, including:

• access control and internal authorization procedures,
  
• security monitoring and logging.

DATA RETENTION

Personal Data is retained only as long as necessary to fulfill the purposes described above, unless longer retention is required by law.

Account data is kept while the account is active and for a limited period afterward to manage legal claims and compliance.

RIGHTS OF DATA SUBJECT

You may request:

• access to your Personal Data,
  
• rectification or update,
  
• erasure (where legally permitted),
  
• restriction of processing,
  
• objection to processing,
  
• withdrawal of marketing consent (if provided).

To exercise your rights, contact us at: [email protected]

CHANGE TO THIS PRIVACY POLICY

If we make material changes to this Privacy Policy, and you are not accepting changes, then you should cease using the Services.