Privacy Policy

Waiterr is a hospitality operating system. This Privacy Policy explains what personal data we collect, why, who we share it with, and the rights you can exercise — whether you visit our marketing website, run your venue with our software, or place an order at a Waiterr-powered venue.

Last updated June 1, 2026 · Effective June 1, 2026

One Solution

Belgium

BE 0763.648.435 · privacy@waiterr.app

1. Who we are and how to reach us

One Solution BV (operating as Waiterr), a Belgian limited company with its registered office in Belgium, registered under enterprise number BE 0763.648.435, is the entity responsible for the processing described below.

We have appointed an internal data protection point of contact. You can reach our team by email at privacy@waiterr.app for any question, request, or complaint about this policy.

In line with the GDPR, we may act either as data controller (when we decide why and how data is processed — e.g. on the marketing website, for our own customers, for billing) or as data processor (when we host data on behalf of a Waiterr venue — typically end-customer order data). The applicable role is identified in each section below.

2. Scope of this policy

This policy covers personal data processed in three distinct contexts:

  • Marketing website (waiterr.app, our blog, our public forms): visitors browsing our website, requesting a demo, or starting an account through the onboarding wizard.
  • Manager / Operator app (manager.waiterr.app): the application used by hospitality professionals to run their venue (POS, kitchen display, reservations, menu management, analytics, staff). Data created by these professionals about their staff or their own clients is processed on their behalf.
  • Customer-facing apps (QR ordering, click-and-collect, online ordering, order tracking, digital receipts): the apps that end-customers (diners) of a Waiterr-powered venue interact with to order, pay, leave a review or join a loyalty program.

When you place an order at a venue using Waiterr, the venue is the controller of your order and contact data; we act as their processor under a Data Processing Agreement.

3. Personal data we collect

We only collect data that is strictly necessary to provide and improve the service. The categories below correspond to the three contexts described above.

3.1. Marketing website visitors and prospects

  • Identification & contact: first name, last name, professional email, phone number, country, preferred language.
  • Venue information provided through our venue search: business name, address, public phone, photos, website URL, opening hours, average price range, public rating.
  • Enriched venue data (when applicable): description, cuisine type, social media handles automatically extracted from your public website by our enrichment workflow.
  • Demo requests: company name, role, number of venues, message, scheduling preferences.
  • Browsing & technical data: IP address, user-agent, pages visited, referrer, language, anonymous events for security and abuse prevention.
  • Anti-abuse signals: CAPTCHA score, hidden honeypot field state, time-on-page on forms — never used for profiling, only to filter out automated submissions.

3.2. Hospitality professionals using the manager app

  • Account data: email, name, hashed password (or OAuth identifier if you sign in with an external identity provider), preferred language, profile photo.
  • Venue & business data: legal entity, addresses, VAT/tax numbers, opening hours, menus, prices, photos, staff list, payout method, banking details for invoicing.
  • Subscription data: chosen plan, billing cycle and limited payment-method metadata. Full card details are handled directly by certified payment providers - we only retain non-sensitive references where needed for support.
  • Operational data: orders, reservations, table plans, kitchen tickets, inventory adjustments, end-of-day reports, analytics.
  • Support interactions: conversations with our support team, screenshots and diagnostic data you voluntarily share.
  • Authentication & security: session tokens, sign-in events, two-factor backup details if enabled.

3.3. End-customers of Waiterr-powered venues

When you order, pay or interact with a Waiterr-powered venue, the venue is the controller of your data. We process the following on its behalf:

  • Order data: items ordered, modifiers, table or pickup spot, time of order, special requests.
  • Contact data (only when needed for the service): first name, phone number, email, delivery address, allergens / dietary preferences.
  • Payment data: amount, payment method, payment reference. Card details are handled directly by certified payment providers under PCI-DSS — we never see them.
  • Loyalty / CRM data (only if the venue offers a loyalty program and you opt in): order history, points balance, marketing preferences.
  • Reviews & ratings: ratings and free-text feedback you submit voluntarily.
  • Technical data: device type, IP address, locale, anonymous analytics events.

4. Why we process your data — purposes and legal bases

Under Article 6 GDPR, every processing operation must be tied to a lawful basis. The list below sets out each purpose and the basis we rely on.

  • Provide the service (host your venue data, process orders, sync devices, enable POS, KDS, reservations, deliver the website experience): performance of a contract or pre-contractual steps (Art. 6(1)(b)).
  • Bill you and process payouts (subscription invoicing, payout reconciliation, accounting): performance of a contract + legal obligation (Art. 6(1)(b) + 6(1)(c)).
  • Comply with accounting, VAT, anti-money-laundering and consumer-protection laws (e.g. retain invoices for up to 10 years in Belgium): legal obligation (Art. 6(1)(c)).
  • Secure the platform (rate limiting, fraud detection, abuse signals, audit logs): legitimate interest in keeping the service safe (Art. 6(1)(f)).
  • Provide product support (answer your tickets, debug issues, propose fixes): performance of a contract (Art. 6(1)(b)).
  • Onboarding enrichment (auto-populate your venue profile from your public website to save you typing): legitimate interest in delivering a frictionless onboarding (Art. 6(1)(f)). You can ask us to delete enrichment data at any time.
  • Send transactional emails (confirmations, password reset, receipts, invoices, security notices): performance of a contract (Art. 6(1)(b)).
  • Send commercial emails about Waiterr products (newsletters, product updates, occasional offers): consent (Art. 6(1)(a)) where required; soft opt-in for existing customers under Belgian / EU rules. You can opt out at any time.
  • Improve the product (anonymous usage analytics, A/B testing, error monitoring): legitimate interest in improving the platform (Art. 6(1)(f)). We rely on aggregation and pseudonymisation wherever possible.
  • Defend our rights (handling disputes, enforcing the Terms, complying with court orders): legitimate interest + legal obligation (Art. 6(1)(f) + 6(1)(c)).

5. Who we share data with - categories of recipients

We do not sell your data. We share it only with carefully vetted providers and professional advisers where necessary to deliver, secure, support, bill and improve the service. Each provider is bound by contractual confidentiality and data-protection obligations that prohibit secondary use.

  • Infrastructure and hosting providers: hosting, storage, CDN, backups, network protection and operational logs.
  • Payment and billing providers: subscription billing, card processing, QR/mobile payments, invoices and payout reconciliation.
  • Communication providers: transactional emails, receipts, account notifications and customer support messages.
  • Security and anti-abuse providers: bot protection, rate limiting, authentication, fraud prevention and abuse detection.
  • Product and reliability providers: crash reporting, performance monitoring, diagnostics and aggregated product analytics.
  • Mapping, venue search and enrichment providers: venue lookup, geocoding, public-business-data enrichment and onboarding assistance.
  • Professional advisers and authorities: accountants, lawyers, auditors, insurers, courts or regulators where legally required.

For customers that need the exact provider list for procurement, DPIA or Article 28 GDPR records, we provide it through the DPA or on verified request at privacy@waiterr.app.

6. International data transfers

Whenever a sub-processor transfers personal data outside the European Economic Area (EEA), we put in place appropriate safeguards under Articles 44–49 GDPR. In practice this means Standard Contractual Clauses (SCCs) with the vendor, complemented by a transfer impact assessment and additional technical measures (encryption in transit and at rest, key management) where required.

Where applicable, we also rely on recognised adequacy mechanisms such as the EU-US Data Privacy Framework. You can request information about the safeguards in place for a specific transfer by emailing privacy@waiterr.app.

7. How long we keep your data

  • Marketing leads: 24 months from your last interaction with us. Unconverted prospects are deleted automatically afterwards.
  • Customer accounts: for the duration of the contract, then 13 months after termination for support continuity, then anonymised — except where a longer period is mandated by law (notably, Belgian accounting law requires invoices to be kept for up to 10 years).
  • End-customer orders processed on behalf of a venue: 13 months for active operations, then up to 10 years in aggregated form to meet accounting obligations. Personally identifiable details are pseudonymised after 13 months unless the venue instructs otherwise.
  • Technical / server logs: 30 days, longer for security incidents under investigation.
  • Crash and performance reports: 90 days.
  • Backups: encrypted, rotated within 35 days. Restores from backups follow the retention rules above.

When we delete data, we use secure deletion practices and rely on cryptographic shredding for backup tapes.

8. How we protect your data

We treat your data with the level of care a serious operator would expect. Our key safeguards include:

  • Encryption in transit via TLS 1.2+ on every endpoint, including API and webhooks.
  • Encryption at rest for the production database, file storage and backups.
  • Least privilege access. Only a small, named subset of engineers can reach production, with audit logging and 2FA.
  • Network isolation of the database, accessible only from the application VPC.
  • Continuous monitoring with intrusion detection, rate limiting on public endpoints and internal security alerts.
  • PCI-DSS scope reduction: full card data never touches our servers - it is collected directly by certified payment processors.
  • Regular penetration tests and dependency scanning on every deploy.
  • Incident response plan with a 72-hour notification commitment to affected parties and to the Belgian Data Protection Authority where applicable.

9. Your rights under the GDPR

You have the following rights with respect to your personal data:

  • Right of access — obtain a copy of the data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion when there is no overriding ground for us to keep it.
  • Right to restriction of processing in specific cases (e.g. while you contest the accuracy of your data).
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to object to processing based on our legitimate interests, including profiling, and unconditionally to direct marketing.
  • Right to withdraw consent at any time, where consent is the legal basis (this does not affect the lawfulness of processing carried out before withdrawal).
  • Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects.

To exercise any of these rights, email privacy@waiterr.app. We respond within 30 days. We may need to verify your identity before acting on your request.

You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Belgian Data Protection Authority (APD/GBA), Rue de la Presse 35, 1000 Brussels, Belgium — dataprotectionauthority.be. You may also contact your local supervisory authority in your EU country of residence.

10. Cookies and similar technologies

We use a small number of cookies and similar technologies to operate our websites and apps, remember your preferences, secure forms against bots, and understand how the service is used.

For details on the categories of cookies we use, how to manage them in your browser, and how to withdraw consent, please refer to our dedicated Cookies Policy.

11. Children

Waiterr is a B2B tool marketed to professional hospitality operators. The customer-facing apps (QR ordering, etc.) are not directed at children under 16. We do not knowingly collect personal data from anyone under 16.

If you believe a minor has provided us with personal data, please contact privacy@waiterr.app and we will delete it promptly.

13. When we act as processor (B2B customers)

When you sign up as a Waiterr customer to operate your venue, you remain the controller of the personal data you upload or that your end-customers generate through the platform. We act as your processor and execute a Data Processing Agreement (DPA) with you, available on request and forming part of our contract.

In that capacity, we:

  • only process the data on your documented instructions;
  • impose strict confidentiality obligations on our staff and providers;
  • assist you (within reason) in responding to data subject requests;
  • assist you with your security, breach notification, DPIA and prior consultation obligations;
  • delete or return all data at the end of the contract, subject to legal retention obligations;
  • make available all information necessary to demonstrate compliance with Article 28 GDPR.

14. Changes to this policy

We may update this Privacy Policy to reflect changes to our services, our infrastructure, or applicable law. The "Last updated" date at the top of this page always reflects the latest version.

For material changes, we will notify you by email and/or by a prominent banner on the manager app at least 30 days before the change takes effect, so that you have time to review and exercise your rights.

15. Contact

For any question, request or complaint about your personal data:

For general queries, contact us at contact@waiterr.app.

One Solution

Belgium

privacy@waiterr.app · contact@waiterr.app