Skip to main content

Privacy Policy

Effective Date: 1 June 2025
Last Updated: 31 May 2025

1. Data Controller and Contact Information

Carta Servicios de Hospitalidad SL, a limited liability company incorporated under Spanish law with Tax Identification Number (NIF) B75425777 and registered office at [Barcelona address], Spain ("Controller," "Carta," "we," "us," or "our") acts as the data controller for the personal data processed through our digital menu and restaurant booking platform (the "Service").

For all data protection inquiries, please contact our Data Protection Officer at:

  • Email: privacy@carta.app
  • Postal Address: Av. d'Eduard Maristany 13, 08930 Sant Adria de Besos, Barcelona, Spain

2. Scope and Application

This Privacy Policy governs the collection, processing, and use of personal data in connection with your access to and use of our Service, whether as a restaurant operator ("Restaurant User") or as an individual making reservations ("Customer"). This Policy applies to all processing activities conducted by Carta as data controller.

3. Categories of Personal Data Collected

3.1 Restaurant User Data

We collect and process the following categories of personal data from Restaurant Users:

  • Identity Data: Full name, business name, job title
  • Contact Data: Email address, telephone number, business address
  • Account Data: Username, password (encrypted), account preferences
  • Business Data: Restaurant information, menu content, pricing data, operational details
  • Financial Data: Billing information, payment method details, transaction history
  • Usage Data: Service utilization metrics, feature engagement data

3.2 Customer Data

We collect and process the following categories of personal data from Customers:

  • Identity Data: Full name as provided during booking process
  • Contact Data: Email address, telephone number
  • Booking Data: Reservation details including date, time, party size, special requirements or dietary preferences
  • Payment Data: Credit/debit card information, billing address (processed through third-party payment processor)
  • Communication Data: Correspondence with Carta or restaurants through our platform

3.3 Technical Data

We automatically collect certain technical data when you use our Service:

  • Device Data: IP address, browser type and version, device identifiers
  • Usage Data: Access logs, clickstream data, session duration
  • Cookie Data: Authentication tokens, session identifiers (essential cookies only)

4. Legal Basis for Processing

We process personal data based on the following lawful bases under Article 6 of the General Data Protection Regulation (GDPR):

4.1 Contract Performance (Article 6(1)(b))

  • Provision of booking services to Customers
  • Delivery of platform services to Restaurant Users
  • Processing payments and managing accounts

4.2 Legitimate Interests (Article 6(1)(f))

  • Service improvement and platform optimization
  • Security monitoring and fraud prevention
  • Customer support and dispute resolution
  • Business administration and operational efficiency

4.3 Legal Obligation (Article 6(1)(c))

  • Compliance with tax and accounting requirements
  • Retention of records as required by applicable law
  • Cooperation with law enforcement when legally mandated

4.4 Consent (Article 6(1)(a))

  • Direct marketing communications (where consent is obtained)
  • Optional data processing activities not covered by other lawful bases

5. Purposes of Processing

We process personal data for the following specific purposes:

5.1 Service Provision

  • Operating and maintaining the digital menu and booking platform
  • Facilitating communication between Customers and Restaurant Users
  • Processing and confirming reservations
  • Managing user accounts and access controls

5.2 Payment Processing

  • Processing payments, refunds, and card authorizations
  • Preventing fraudulent transactions
  • Maintaining financial records

5.3 Customer Support

  • Responding to inquiries and support requests
  • Resolving disputes and complaints
  • Providing technical assistance

5.4 Business Operations

  • Analyzing service usage and performance metrics
  • Improving platform functionality and user experience
  • Conducting security assessments and monitoring

6. Data Sharing and Disclosure

6.1 Sharing with Restaurant Users

When a Customer makes a reservation, we disclose the Customer's name, contact information, and booking details to the relevant Restaurant User for the sole purpose of fulfilling the reservation. This disclosure is necessary for contract performance.

6.2 Third-Party Service Providers

We engage the following categories of third-party processors:

  • Payment Processing: Stripe, Inc. processes payment data in accordance with PCI DSS standards
  • Analytics (Consent-Based): PostHog, Inc. processes usage analytics data when consent is provided
  • Technical Infrastructure: Cloud hosting and database management services
  • Communication Services: Email delivery and SMS notification providers

All third-party processors are bound by data processing agreements that ensure GDPR compliance.

6.3 Legal Disclosures

We may disclose personal data when required by law, court order, or regulatory authority, or when necessary to:

  • Protect the rights, property, or safety of Carta, our users, or the public
  • Investigate potential violations of our Terms of Service
  • Respond to legal process or governmental requests

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to appropriate notice and protection measures.

7. International Data Transfers

Certain third-party service providers may process personal data outside the European Economic Area (EEA). When such transfers occur, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
  • Standard Contractual Clauses: EU-approved contractual safeguards for transfers to third countries
  • Binding Corporate Rules: Where applicable for intra-group transfers

8. Data Retention Periods

We retain personal data for the following periods:

8.1 Restaurant User Data

  • Account data: Duration of account relationship plus seven (7) years for legal and tax compliance
  • Business and menu data: Duration of account relationship plus three (3) years
  • Communication records: Three (3) years from last communication

8.2 Customer Data

  • Booking data: Twenty-four (24) months from reservation date
  • Payment data: As determined by Stripe's retention policies and applicable payment card industry requirements
  • Communication records: Twenty-four (24) months from last interaction

8.3 Technical Data

  • Access logs: Twelve (12) months
  • Security logs: Twenty-four (24) months
  • Analytics data: Eighteen (18) months (in aggregated, non-identifiable form)

Data may be retained longer if required by applicable law or ongoing legal proceedings.

9. Data Subject Rights

Under the GDPR, data subjects have the following rights:

9.1 Right of Access (Article 15)

You may request confirmation of whether we process your personal data and obtain a copy of such data.

9.2 Right to Rectification (Article 16)

You may request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Article 17)

You may request deletion of your personal data under certain circumstances.

9.4 Right to Restrict Processing (Article 18)

You may request limitation of processing activities under specific conditions.

9.5 Right to Data Portability (Article 20)

You may request transfer of your personal data in a structured, machine-readable format.

9.6 Right to Object (Article 21)

You may object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw such consent at any time.

To exercise these rights, submit a written request to our Data Protection Officer. We will respond within thirty (30) days of receipt.

10. Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee training on data protection obligations
  • Incident response and breach notification procedures

11. Cookies and Tracking Technologies

We use the following types of cookies on our platform:

11.1 Essential Cookies

These cookies are necessary for the platform to function:

  • Authentication Cookies: Session management and user authentication
  • Security Cookies: Fraud prevention and security monitoring

11.2 Analytics Cookies (Consent Required)

When you consent to analytics cookies, we use PostHog to collect usage analytics:

  • PostHog Analytics: Collects anonymous usage data including page views, feature usage, and user behavior patterns to help improve our service
  • Retention Period: Analytics data is retained for up to 18 months in aggregated, anonymized form
  • Data Processing: PostHog processes this data in accordance with GDPR and their own privacy policy

11.3 Payment Processing Cookies

When you attempt to make a payment, Stripe automatically sets cookies required for secure payment processing:

  • Stripe Payment Cookies: Required for PCI-compliant payment processing, fraud detection, and transaction security
  • Automatic Setting: These cookies are set automatically when you interact with payment forms and cannot be disabled without preventing payment functionality
  • Data Processing: Stripe processes payment data according to their privacy policy and PCI DSS standards

11.4 Cookie Management

You can manage your cookie preferences through our cookie consent banner that appears when you first visit our site. You may:

  • Accept all cookies (including analytics)
  • Decline optional cookies (analytics only)
  • Change your preferences at any time by clearing your browser data

Note: Essential cookies and payment processing cookies cannot be disabled without affecting core functionality. Disabling analytics cookies will not impact your ability to use our service.

12. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling activities that produce legal effects or similarly significant impacts on data subjects.

13. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that present high risks to data subject rights and freedoms, in accordance with Article 35 of the GDPR.

14. Children's Data

Our Service is not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly.

15. Supervisory Authority

You have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos):

  • Website: www.aepd.es
  • Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
  • Telephone: +34 901 100 099

16. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. Material changes will be communicated through:

  • Email notification to registered users
  • Prominent notice on our platform
  • Updated "Last Modified" date

Continued use of our Service after such notification constitutes acceptance of the revised Policy.

17. Governing Law and Jurisdiction

This Privacy Policy is governed by Spanish law and the GDPR. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Barcelona, Spain.

18. Contact Information

For questions regarding this Privacy Policy or our data processing practices, contact:

Data Protection Officer
Carta Servicios de Hospitalidad SL
Av. d'Eduard Maristany 13, 08930 Sant Adria de Besos, Barcelona, Spain
Email: privacy@carta.app