Privacy Policy

Last updated: 1 July 2026

This Privacy Policy explains how [Legal entity name] ("Superpotion", "we", "us" or "our"), registered in the Netherlands under Chamber of Commerce (KvK) number [KvK number] with its registered office at [Registered address], processes personal data in connection with the Superpotion reservation-management platform, website, and booking widget (the "Service"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Dutch data-protection law.

1. Who this policy applies to

This policy applies to two groups: (a) restaurant customers and their users who register for and use the Service ("Restaurants"), and (b) guests who make reservations through a Superpotion-powered booking channel ("Guests").

2. Our role: controller and processor

  • For Restaurant account data, website visitors, and our own business operations, Superpotion is the data controller.
  • For Guest reservation data collected on behalf of a Restaurant, the Restaurant is the controller and Superpotion acts as its processor, handling that data only on the Restaurant’s documented instructions and to provide the Service.

3. Personal data we process

Depending on how you use the Service, we may process:

  • Restaurant account data: your name, email address, password (stored only in hashed form), restaurant name and details, and settings.
  • Guest reservation data: name, email address, phone number, party size, date and time, and any allergies, preferences, or notes you choose to provide.
  • Payment-related data: where a prepayment or no-show fee applies, payment is handled by our payment provider (Stripe). We receive limited transaction information (such as status and amount) but do not store full card details.
  • Communications: messages you send us (for example via our contact form or support).
  • Technical and usage data: IP address, device and browser information, and log data generated when you use the Service, used for security and to operate the platform.

4. Purposes and legal bases

We process personal data for the following purposes and legal bases:

  • To provide and administer the Service, including creating and managing reservations, the waitlist, and accounts — performance of a contract.
  • To send transactional emails such as confirmations, reminders, and cancellations — performance of a contract and our (and the Restaurant’s) legitimate interest in reducing no-shows.
  • To process prepayments and no-show fees — performance of a contract.
  • To secure, maintain, and improve the Service and prevent abuse — legitimate interest.
  • To respond to enquiries and provide support — legitimate interest or performance of a contract.
  • To comply with legal obligations, such as accounting and tax requirements — legal obligation.
  • Where we rely on consent (for example for certain optional communications), you may withdraw it at any time.

5. Cookies and the booking widget

Our booking widget is designed to be lightweight and does not set advertising cookies. It may use temporary browser storage strictly to keep your booking flow working (for example, to hold a reservation while you complete a prepayment). Our website may use functional cookies necessary for it to operate. Any use of analytics or non-essential cookies will be handled in line with applicable law and, where required, based on your consent.

6. Recipients and sub-processors

We share personal data only as necessary to run the Service, with:

  • The Restaurant you book with (Guests’ reservation data is made available to that Restaurant).
  • Stripe – to process prepayments and no-show fees.
  • Resend – to deliver transactional emails.
  • Our hosting provider, [hosting provider] – to host the application and database.
  • Professional advisers, and public authorities where required by law.

We enter into data-processing agreements with our sub-processors where required and do not sell personal data.

7. International transfers

We aim to keep personal data within the European Economic Area (EEA). Where a provider processes data outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.

8. Retention

We retain personal data only for as long as necessary for the purposes described above or as required by law. Guest reservation data is retained on behalf of, and according to the instructions of, the relevant Restaurant. Account data is retained for the life of the account and for a reasonable period afterwards; data required for accounting is retained for the statutory period. [Confirm specific retention periods.]

9. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, hashed storage of passwords, access controls, and processing payments through a PCI-compliant provider. No system can be guaranteed to be perfectly secure, but we work to protect your data and to address incidents promptly.

10. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data rectified;
  • have your data erased in certain circumstances;
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • withdraw consent where processing is based on consent.

To exercise these rights, contact us at [contact email]. If your reservation data is held by a Restaurant (where we act as processor), we will direct your request to that Restaurant. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

11. Children

The Service is not directed at children and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can remove it.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and revise the "last updated" date above. Where changes are material, we will take reasonable steps to notify you.

13. Contact

For any questions about this policy or how we handle personal data, contact us at [contact email], at [Registered address], or via superpotion.nl/contact.