Privacy Policy
Last updated: 21 June 2026
Who controls the data
For the guest-facing storefront, the restaurant is the data controller and Ordered is the data processor. For your restaurant account itself (logins, billing), Ordered is the controller. This policy is written from Ordered's perspective; restaurants must publish their own customer-facing privacy notice.
What we collect
- Restaurant accounts: email, name, business name, address, VAT number, phone, billing data.
- Guests placing an order: name, email or phone (if entered), table number, order contents, and payment metadata from Stripe (card brand, last 4 digits, authorisation code, charge ID). We never see or store the full card number.
- Usage: basic logs (IP, user agent, timestamps) for security and abuse prevention.
Why we hold it
To run the ordering service, send order confirmations, generate dispute-proof receipts, produce VAT reports, prevent fraud, and meet our legal obligations (HMRC retention rules require us to keep transaction records for at least 6 years).
Who we share it with
- Stripe — payment processing.
- Supabase / Lovable Cloud — hosting and database (EU region).
- The restaurant itself — guest orders go straight to the venue's dashboard.
How long we keep it
Order and tax records: 6 years (HMRC). Account data: while your account is active, then 30 days for export, then deleted. Guests can ask the restaurant to anonymise their personal details at any time — the restaurant's back office has a one-click tool for this that redacts name, email, phone, address, and notes while preserving the totals required by law.
Your rights
Under UK GDPR you can access, correct, export, restrict, or delete your personal data. Contact us at hello@ordered.app. You can also complain to the ICO (ico.org.uk).
Cookies
We use strictly-necessary cookies for sign-in sessions and CSRF protection. We do not use third-party advertising or analytics cookies on the guest storefront.
Contact
hello@ordered.app