Acceptable Use Policy

Posto may be used solely for legitimate restaurant reservation management purposes, including:

• Accepting and managing guest reservations at your venue(s)
• Communicating with guests about their bookings (confirmations, reminders, modifications, cancellations)
• Collecting deposits for reservations where clearly disclosed to guests
• Accessing analytics about your venue's booking performance
• Managing your team's access to the platform for legitimate operational purposes

You must not use Posto to:

• Contact guests for any purpose unrelated to their booking (e.g. unsolicited marketing without consent)
• Share guest data with third parties without a lawful basis and appropriate data processing agreements
• Collect deposits without clearly disclosing the amount and cancellation/refund policy to guests before booking
• Misrepresent your venue or its availability to guests
• Attempt to circumvent Posto's booking limits, rate limiting, or security controls
• Reverse engineer, copy, or resell any part of the Posto platform
• Use Posto to manage bookings for venues you are not authorised to represent
• Upload or transmit malicious code, scripts, or content
• Attempt to access data belonging to other operators or their guests
• Use the platform in any way that violates applicable law, including UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR)

As an operator, you are the Data Controller for your guests' personal data. You are responsible for:

• Having a lawful basis for processing each category of guest data
• Providing guests with a clear privacy notice before collecting their data
• Handling Subject Access Requests and right-to-erasure requests promptly (within 30 days)
• Ensuring any marketing communications are sent only to guests who have opted in
• Not retaining guest data beyond the periods set out in your privacy notice

Posto provides tools to help you meet these obligations (including erasure and export functionality) but compliance is your responsibility as Data Controller.

You are responsible for:

• Keeping your account credentials secure and not sharing them with unauthorised individuals
• Notifying Posto immediately at security@getposto.com if you suspect unauthorised access to your account
• Ensuring any API keys you generate are kept confidential and revoked when no longer needed

Posto is designed for genuine restaurant reservation management. Automated or programmatic use of the platform beyond normal operational needs (e.g. bulk data scraping, automated spam booking creation) is prohibited and may result in immediate suspension.

If you are building an integration using the Posto API, please contact us at hello@getposto.com to discuss your use case.

Posto reserves the right to investigate suspected breaches of this policy. If a breach is confirmed, we may take any of the following actions without prior notice:

• Issue a warning
• Suspend your account temporarily
• Terminate your account and subscription
• Report the matter to relevant authorities where the breach involves illegal activity

If you believe another operator is using Posto in breach of this policy, or if you have a security concern, please contact us at hello@getposto.com.

We may update this policy from time to time. Continued use of the platform after changes are notified constitutes acceptance of the revised policy. Material changes will be communicated with 30 days' notice via email to the account holder.