Privacy Policy
Effective Date: January 29, 2026 | Last Updated: May 29, 2026 | Version: 1.0
1. Introduction
Welcome to TableFlow ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how TableFlow Hospitality Management Systems collects, uses, discloses, and safeguards your information when you use our restaurant reservation platform, including our websites (tableflow.ca and tableflow.biz), mobile applications, and related services (collectively, the "Services").
TableFlow operates as a restaurant reservation and management platform serving both diners seeking to book tables and restaurant businesses managing their operations. We act as a data controller for information collected directly through our platform and as a data processor for certain restaurant business data.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, phone number, password | Account creation and authentication |
| Reservation Details | Date, time, party size, special requests, dietary restrictions | Processing and managing reservations |
| Payment Information | Credit card number, billing address (processed by Stripe) | Processing payments and deposits |
| Business Information | Restaurant name, address, menu, operating hours, photos | Restaurant profile and booking management |
| Guest Profiles | Dietary preferences, food allergies, birthday (month/day), VIP status, visit history | Personalizing dining experience, safety (allergies), marketing (birthday offers) |
| Communications | Customer support inquiries, feedback, reviews | Providing support and improving services |
Sensitive Data: Dietary preferences and food allergies are considered sensitive personal information under certain privacy laws. We collect this data only with your explicit consent, solely to ensure your safety and enhance your dining experience. You may withdraw consent at any time.
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device Information | IP address, browser type, operating system, device identifiers | Security, analytics, and service optimization |
| Usage Data | Pages visited, search queries, features used, time on site | Improving user experience and services |
| Location Data | Approximate location based on IP address or GPS (with consent) | Showing nearby restaurants and localized content |
| Cookie Data | Session identifiers, preferences, authentication tokens | Website functionality and personalization |
2.3 Information from Third Parties
- Social Login Providers: If you sign in using Google or Facebook, we receive your name, email, and profile picture.
- Payment Processors: Stripe provides transaction confirmations and fraud prevention data.
- Restaurant Partners: Restaurants may share reservation history and dining preferences.
3. How We Use Your Information
We use the collected information for the following purposes:
3.1 Service Delivery
- Processing and confirming restaurant reservations
- Enabling communication between diners and restaurants
- Processing payments and refunds
- Sending reservation confirmations and reminders
- Managing restaurant profiles and availability
3.2 Service Improvement
- Analyzing usage patterns to improve our platform
- Personalizing restaurant recommendations
- Developing new features and services
- Conducting research and analytics
3.3 Communication
- Responding to customer support inquiries
- Sending service-related notifications
- Marketing communications (with your consent)
- Surveys and feedback requests
3.4 Security and Legal
- Detecting and preventing fraud
- Enforcing our Terms of Service
- Complying with legal obligations
- Protecting rights and safety of users
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Processing reservations, managing accounts, payment processing |
| Consent | Marketing communications, analytics cookies, location services |
| Legitimate Interests | Fraud prevention, service improvement, security measures |
| Legal Obligation | Tax records, regulatory compliance, legal requests |
6A. Artificial Intelligence and Automated Processing
TableFlow uses artificial intelligence to enhance restaurant operations. We believe in full transparency about how AI is used in our platform.
What AI Does
- Kitchen Search Tags: Automatically generates searchable keywords for menu items to help kitchen staff find orders faster.
- Inventory Auto-Setup: Suggests ingredients and recipes based on your menu items to accelerate inventory configuration.
What Data AI Sees
Only menu item names and descriptions are sent to our AI provider (Anthropic Claude). No guest personal data, no reservation data, no payment data, and no identifying information is ever sent to the AI.
Important Guarantees
- No training on your data: Anthropic does not use API inputs or outputs to train their models.
- Suggestions only: All AI outputs are suggestions that you can edit, accept, or reject. The AI does not make automated decisions that affect individuals.
- Always optional: You can disable all AI features and manually configure search tags and inventory instead.
- Data minimization: We send the minimum data necessary (menu text only) and do not store AI processing logs.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Until account deletion + 30 days | Service provision and recovery period |
| Reservation History | 7 years | Tax and legal compliance |
| Payment Records | 7 years | Financial regulations and dispute resolution |
| Analytics Data | 26 months | Service improvement (anonymized after) |
| Marketing Preferences | Until consent withdrawal | Respecting your communication choices |
| Support Communications | 3 years | Quality assurance and dispute resolution |
8. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information:
8.1 Rights for All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information (subject to legal retention requirements).
- Opt-Out: Unsubscribe from marketing communications at any time.
8.2 Additional Rights for EU/UK Residents (GDPR)
- Data Portability: Receive your data in a structured, machine-readable format.
- Restrict Processing: Request limitation of how we use your data.
- Object: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time without affecting prior processing.
- Lodge Complaint: File a complaint with your local data protection authority.
8.3 Additional Rights for California Residents (CCPA/CPRA)
- Right to Know: Request disclosure of personal information collected, used, and shared.
- Right to Delete: Request deletion of personal information.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt-Out: Opt-out of sale/sharing of personal information (we do not sell).
- Right to Non-Discrimination: Equal service regardless of privacy choices.
- Right to Limit Use: Limit use of sensitive personal information.
8.4 Additional Rights for Canadian Residents (PIPEDA & Law 25)
- Access: Request access to your personal information.
- Correction: Request correction of inaccurate information.
- Withdrawal: Withdraw consent (subject to legal restrictions).
- Portability: Request data in a commonly used format (Quebec Law 25).
- De-indexing: Request de-indexing from search results (Quebec Law 25).
8.5 Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: [email protected]
- Online Form: tableflow.ca/contact
We will respond to your request within 30 days (or 45 days for CCPA requests). We may need to verify your identity before processing your request.
9. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption: All data transmitted via HTTPS/TLS 1.3 encryption.
- Payment Security: PCI-DSS compliant payment processing through Stripe.
- Access Controls: Role-based access controls and multi-factor authentication.
- Credential Hashing: Account passwords and staff terminal PINs are stored hashed (bcrypt) — never in plain text, and not retrievable by anyone, including us.
- Session Protection: Idle terminals automatically lock or sign out according to the restaurant's configured policy; staff resume with a personal PIN. Login activity (time, IP address, device) is recorded for security monitoring, and payment terminals re-authenticate within 15 minutes of inactivity in line with PCI-DSS.
- Data Centers: Secure cloud infrastructure with SOC 2 Type II certification.
- Regular Audits: Periodic security assessments and vulnerability testing.
- Employee Training: Privacy and security training for all team members.
10. International Data Transfers
TableFlow is headquartered in Canada. Your information may be transferred to and processed in countries other than your own, including:
- Canada: Primary data storage and processing.
- United States: Cloud infrastructure and service providers.
When transferring data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all service providers
- Adequacy decisions where applicable
11. Children's Privacy
Our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes:
- We will update the "Last Updated" date at the top of this policy.
- We will notify you via email or prominent notice on our website.
- For significant changes, we may request your renewed consent.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
TableFlow Hospitality Management Systems
Privacy Officer
- [email protected]
- tableflow.ca
- Toronto, Ontario, Canada
For EU/UK Data Protection Inquiries:
You may also contact your local Data Protection Authority if you have concerns about our data processing practices.
Response Time:
We aim to respond to all privacy-related inquiries within 30 days.