Privacy Policy
Last updated: 2 April 2026
1. Who we are
Posto is a restaurant reservation platform operated by Jon Simon (“we”, “us”, “our”). We provide software services to restaurant operators (“operators”) and process reservation data on their behalf.
For the purposes of UK data protection law, we act as both a Data Controller (for our operator customers’ account data) and a Data Processor (processing guest data on behalf of operators).
Contact us: privacy@getposto.com
2. What data we collect
Guest data (collected on behalf of operators)
- Name, email address, and phone number
- Reservation details: date, time, party size, occasion
- Special requests (which may include dietary requirements)
- Payment reference (deposit transactions processed via Stripe)
Operator data
- Name and email address
- Restaurant name and address
- Billing information (processed by Stripe — we do not store card data)
- Usage data and system logs
3. Lawful basis for processing
| Data | Lawful basis |
|---|---|
| Guest booking data | Contract performance — required to fulfil the reservation |
| Operator account data | Contract performance — required to provide the service |
| Booking confirmation emails | Legitimate interest |
| Marketing emails to operators | Consent — opt-in only |
| Dietary / health data | Explicit consent — special category data (Art. 9 UK GDPR) |
4. How we use your data
We use guest data solely to fulfil reservations on behalf of operators. We do not sell, rent, or share guest data with third parties for marketing purposes.
Operator data is used to provide and improve the Posto platform, process billing, and communicate service updates.
5. Data retention
| Data type | Retention period |
|---|---|
| Guest PII (name, email, phone) | 24 months after last booking |
| Dietary / health data | 48 hours after booking date |
| Payment references | 7 years (financial records) |
| Anonymised booking records | Indefinitely (analytics only) |
| Operator account data | Duration of contract + 90 days |
6. Sub-processors
We use the following third-party services to process personal data:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU / US |
| Stripe | Payment processing | US |
| Resend | Transactional email | US |
| Vercel | Hosting and infrastructure | US |
US-based processors operate under Standard Contractual Clauses or equivalent UK-approved transfer mechanisms.
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your personal data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
To exercise any right, contact the operator you made your reservation with, or email us at privacy@getposto.com. We will respond within 30 days.
8. Cookies
We use only essential cookies required for the platform to function (session management, authentication). No tracking or advertising cookies are set without your consent.
9. Contact and complaints
For privacy queries: privacy@getposto.com
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.