HomePricingFeaturesHow toBlogContacts
LoginStart free trial
en

Privacy Policy

1. Identification of the Data Controller

"Резервейшън" ЕООД (in Latin script: Reservation Ltd)
UIC (Unified Identification Code) 203865762
Registered office and management address Varna, 1A Petar Raychev St.
Email for personal data inquiries [email protected]
Email for general support [email protected]
Phone +359 2 495 0888
Website https://www.reservation.tools

Reservation Ltd (hereinafter referred to as "the Company", "we" or "Reservation.tools") provides a multi-tenant SaaS platform for hospitality reservation management (restaurants, bars, clubs, pubs, beach venues and other establishments). In this Privacy Policy we describe what personal data we process, on what legal basis, with whom we share it, and what rights you have as a data subject.

Important note regarding our dual role: In some data processing activities the Company acts as a data controller, while in others it acts as a data processor on behalf of the venues that use the platform. This distinction is explained in detail in Section 4 (Categories of Data Subjects) and Section 6 (Purposes and Legal Bases).

2. Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with:

CPDP (Commission for Personal Data Protection)
Address Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Phone +359 2 915 3 518
Email [email protected]
Website https://www.cpdp.bg

Before filing a complaint with the CPDP (Commission for Personal Data Protection), we encourage you to contact us first at [email protected] — in most cases we can resolve the matter directly and promptly.

3. Principles of Personal Data Processing

When processing personal data, the Company complies with the principles set out in Art. 5 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"):

  1. Lawfulness, fairness and transparency — we process data only on a clear legal basis and inform data subjects accordingly.
  2. Purpose limitation — we collect data for specified, explicit and legitimate purposes and do not process it in a manner incompatible with those purposes.
  3. Data minimisation — we collect only the data that is necessary for the respective purpose.
  4. Accuracy — we keep data up to date and provide mechanisms for correction.
  5. Storage limitation — we do not retain data longer than necessary (see Section 9).
  6. Integrity and confidentiality — we apply technical and organisational measures for protection (see Section 12).
  7. Accountability — we maintain internal documentation (Record of Processing Activities) and are prepared to present it upon request by the supervisory authority.

4. Categories of Data Subjects

The personal data we process relates to the following categories of natural persons:

4.1 Registered platform users (the Company = data controller)

Employees of venue clients who create an account on Reservation.tools to manage the venue's reservations, tables, customers and payments. These may include owners, managers, waiters and other staff members.

4.2 Visitors to www.reservation.tools (the Company = data controller)

Anonymous visitors to the platform's marketing website.

4.3 Recipients of product and service notifications (the Company = data controller)

Registered platform users who periodically receive notifications about new features, important service changes and related product communications. These notifications are sent only to existing platform clients — the Company does not maintain a separate public newsletter subscription form and does not send marketing communications to individuals who are not registered users. Each recipient may unsubscribe at any time via the unsubscribe link included in every email.

4.4 End customers of venues (the Company = data processor on behalf of the venue)

Natural persons who make a reservation at a venue using Reservation.tools — regardless of whether the reservation is made directly via the venue's web form, through Google Reserve, by phone, or entered manually by a venue employee.

Legal status: For this data the venue is the data controller, and the Company acts solely as a data processor within the meaning of Art. 28 of the GDPR. This means that:

  • The venue decides what data is collected, for what purposes and how long it is retained.
  • The Company processes this data only on the instructions of the venue and under a contract between the venue and the Company (including a Data Processing Agreement — DPA).
  • Requests for access, rectification, erasure and other GDPR rights regarding end customer data of venues should be directed first to the respective venue. The Company will assist the venue in fulfilling such requests.

4.5 Contact form submissions (the Company = data controller)

Visitors who submit the contact form on www.reservation.tools provide: name, email address, and a free-text message. This data is processed for responding to the inquiry. Additionally, if you have granted marketing consent via the cookie banner, a hashed (non-reversible) version of your contact details (email, name, phone) may be transmitted to Meta Platforms for the purpose of measuring advertising campaign effectiveness (Advanced Matching). Meta receives only the cryptographic hash — not the original values. Contact form submissions are retained for up to 12 months after the inquiry has been resolved.

5. Categories of Personal Data

5.1 Registered platform users

  • Identification data: name, email address, phone number
  • Authentication data: password (stored in hashed form, not in plain text)
  • Profile data: platform role (owner, manager, viewer, etc.), language, time zone
  • Session and technical data: IP address, browser type, operating system, last login time
  • Activity audit logs

5.2 Visitors to www.reservation.tools

  • Technical data: IP address (pseudonymised when analytics is used), browser type, pages visited, referrer
  • Cookies — described in detail in a separate Cookie Policy (see Section 11)

5.3 Recipients of product notifications

This category coincides with registered platform users (see 5.1). For sending product emails, the following data is processed:

  • Email address and name of the registered user
  • Engagement metadata (delivery, opens, clicks) — for measuring effectiveness and improving content

5.4 End customers of venues (processed on behalf of the venue)

  • Identification data: name, email address, phone number
  • Reservation data: reservation date and time, number of guests (including number of children), table/area, status
  • Preferences: dietary restrictions, special requests, notes from the venue
  • Reservation history at the respective venue
  • External identifiers (where applicable): Stripe customer ID — generated and stored by the venue's Stripe account; Google Reserve User ID — when the reservation comes through Google Reserve

What we do NOT collect: We do not collect sensitive ("special") categories of personal data within the meaning of Art. 9 of the GDPR — racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, sexual orientation. Exception: if a venue enters dietary information (e.g. "nut allergy"), it may contain indirect health information — the responsibility for this lies with the venue as the data controller.

Payment data (cards, etc.): The Company does not store or process payment card data. When a venue accepts payments through the platform, these payments are processed directly by Stripe (via Stripe Connect Standard) or myPOS (via embedded checkout) — see Section 7.4.

5.5 Mobile app users (iOS and Android)

  • Device data: device model, operating system version, app version
  • Push notification token (Apple Push Notification Service / Firebase Cloud Messaging) — used solely for delivering service-related notifications (reservation reminders, status updates)
  • Camera access (only when explicitly granted by the user) — for scanning QR codes within the app

The mobile apps do not collect location data, contacts, or other sensitive device information. Push notification tokens are not shared with third parties for marketing purposes.

5.6 Contact form submissions

  • Identification data: name, email address
  • Free-text message content

6. Purposes and Legal Bases for Processing

We process personal data on the following grounds under Art. 6(1) of the GDPR:

Purpose of processing Category of data subject Categories of data Legal basis GDPR Art.
Registration and maintenance of a user account Registered users Name, email, password, role Performance of a contract Art. 6(1)(b)
Sending operational notifications (registration confirmation, password reset, account notifications) Registered users Email, phone Performance of a contract Art. 6(1)(b)
Issuing invoices and accounting records Registered users / clients Name, UIC (for legal entities), address Legal obligation Art. 6(1)(c) — Bulgarian Accounting Act
Protection against abuse, bots, spam and fraud Visitors / users IP, technical identifiers Legitimate interest Art. 6(1)(f)
Platform improvement (debugging, error tracking) Users Technical data, error logs Legitimate interest Art. 6(1)(f)
Sending product and service notifications Registered users Email, name Legitimate interest — informing existing customers about the service they use, with the right to unsubscribe at any time Art. 6(1)(f)
Marketing website analytics (GA4) Visitors to www Cookies, IP, behaviour Consent (cookie banner) Art. 6(1)(a) + Art. 4a of the Bulgarian Electronic Communications Act
Marketing analytics and remarketing (Facebook Pixel) Visitors to www Cookies, IP, behaviour; hashed contact details when Advanced Matching applies (see Section 4.5) Consent (cookie banner) Art. 6(1)(a) + Art. 4a of the Bulgarian Electronic Communications Act
Processing of end customer data of venues End customers of venues Reservation data Contract between the venue and the Company (as processor) Art. 28

Brief explanation of legitimate interest: When we rely on legitimate interest, we apply the so-called "balancing test" — we weigh our interest against the rights and freedoms of the data subject. You have the right to object to such processing at any time (see Section 10).

7. Recipients of Personal Data (Sub-processors)

To provide the platform, we use service providers who act as sub-processors of data for which we are the controller or processor. With each of them we have (or apply automatically through the provider's terms) a Data Processing Agreement (DPA) that meets the requirements of Art. 28 of the GDPR.

7.1 What does "sub-processor" mean

A sub-processor is a third party to which the Company entrusts the performance of specific personal data processing operations (e.g. database hosting, delivery of transactional emails, sending SMS). Sub-processors act strictly on the Company's instructions and are bound by contractual obligations of confidentiality and security.

7.2 Current list of sub-processors

# Provider Purpose of processing Jurisdiction Transfer mechanism DPA
1 Amazon Web Services EMEA SARL Platform hosting, file storage (S3), transactional emails (SES) Ireland (eu-west-1) EU/EEA — no transfer outside the EU AWS GDPR DPA (automatically applicable under AWS Service Terms)
2 MailerLite Limited Sending product and service emails to registered users Lithuania (EU) EU/EEA — no transfer outside the EU MailerLite DPA
3 Cloudflare, Inc. Bot protection and DDoS mitigation, edge delivery of static content USA (with edge points in the EU) EU–U.S. Data Privacy Framework + Standard Contractual Clauses (SCC) Cloudflare Customer DPA
4 Rollbar, Inc. Technical error tracking and debugging (does not contain personal data of end customers; may contain technical identifiers of registered users) USA EU–U.S. Data Privacy Framework + SCC Rollbar DPA
5 GatewayAPI ApS Sending SMS notifications (reservation reminders, etc.) Denmark (EU) EU/EEA — no transfer outside the EU GatewayAPI DPA
6 LINK Mobility AS Alternative SMS channel for specific regions Norway (EEA) EEA — no transfer outside the EEA LinkMobility DPA
7 Google LLC / Google Ireland Limited (a) Google Reserve — accepting reservations via Google Maps and Google Search; (b) Google Analytics 4 — anonymised web analytics only on the marketing website www.reservation.tools, only with consent USA (with EU sub-entity for European clients) EU–U.S. Data Privacy Framework + SCC Google Cloud DPA
8 Mixpanel, Inc. Product analytics in the application (rt-app) — measuring feature usage for product improvement Germany (Frankfurt — EU residency) EU/EEA — no transfer outside the EU Mixpanel DPA
9 Meta Platforms Ireland Limited Facebook/Instagram Pixel — marketing analytics and advertising campaign effectiveness measurement, only on the marketing website www.reservation.tools, only with consent Ireland (EU) + USA (Meta Platforms, Inc.) EU–U.S. Data Privacy Framework + SCC Meta Business Tools Terms (includes data processing obligations)

7.3a SMS and email data flows

When a venue sends SMS notifications through the platform (e.g. reservation confirmations, reminders), the end customer's phone number and message content are transmitted to the SMS provider (GatewayAPI or LINK Mobility) for delivery. Similarly, transactional emails (e.g. reservation confirmations) are sent via Amazon SES. These providers act as sub-processors and process this data solely for the purpose of message delivery — they do not retain message content beyond what is necessary for delivery and regulatory compliance.

7.3 Changes to the list of sub-processors

The Company may add, remove or replace sub-processors when necessary to improve the service, migrate to better providers or due to termination of the service by an existing provider. When adding a new sub-processor, the Company:

  • Updates the table in Section 7.2 of this Privacy Policy
  • Notifies its clients (venues) by email before the new sub-processor begins processing personal data, within a reasonable period that allows for objections

A venue client has the right to raise a reasoned objection against a new sub-processor. In the event of an unresolvable dispute, the parties reserve the right to terminate the contract in accordance with the terms of the DPA.

7.4 Disclosure required by law

The Company may disclose personal data to public authorities when required by a legal act (e.g. a court order, an order of a competent authority). In such cases, the Company verifies the legitimacy of the request and discloses only the data specifically required by the respective act.

7.5 Payment services — NOT sub-processors of the Company

When a venue accepts payments through the platform, the payments are processed in the so-called "facilitator" model — the Company is not a party to the payment and does not process payment data:

  • Stripe (via Stripe Connect Standard): the venue has its own Stripe account connected to the platform via OAuth (scope=read_write). Payment data (including card data) is processed directly between the end customer and the venue's Stripe account via the "Direct Charges" mechanism with the Stripe-Account header. The Company does not store card data, is not the merchant of record and does not receive commissions from transactions.
  • myPOS (via embedded Checkout): the venue has its own myPOS merchant account with a unique Store ID and certificates. The platform redirects the end customer to a payment form using the venue's own merchant credentials. The Company is not a party to the payment.

In these two cases, Stripe and myPOS are sub-processors of the venue as data controller, not of the Company. The terms for processing payment data are governed by the direct contractual relationship between the venue and the respective payment provider.

7.6 Booking widget embedded on venue websites

When a venue embeds the Reservation.Tools booking widget on its own website, the widget connects to the Reservation.Tools platform to display availability and accept reservations. The data collected through the widget (name, phone, email, reservation details) is processed under the venue's privacy policy, with the Company acting as processor. The widget does not set any cookies on the venue's website beyond what is strictly necessary for the booking session.

7.7 Third-party services embedded on www.reservation.tools

The marketing website embeds Calendly for demo scheduling on the pricing page. When you interact with the Calendly widget, Calendly processes your data (name, email, selected time) as an independent data controller under its own privacy policy (https://calendly.com/privacy). The Company does not receive or store Calendly booking data in its own systems — it is used solely for scheduling the demo.

8. International Data Transfers

Our main infrastructure and sub-processors are located in the European Union / European Economic Area (EU/EEA):

  • Hosting and infrastructure — Amazon Web Services, region eu-west-1 (Ireland)
  • Marketing emails — Lithuania (EU)
  • SMS — Denmark and Norway (EEA)

For some services (e.g. authentication via Google, bot protection, error tracking), data may be processed by providers in the United States of America. In these cases the transfer is protected by one of the following mechanisms under Art. 44–49 of the GDPR:

  • EU–U.S. Data Privacy Framework (DPF) — the provider is certified under the EU–U.S. Data Privacy Framework. You can verify the certification status at https://www.dataprivacyframework.gov
  • Standard Contractual Clauses (SCC) — for providers that are not certified under the DPF, the European Commission-approved Standard Contractual Clauses apply

For specific details on which provider operates in which jurisdiction and under which mechanism — see the current list of sub-processors (Section 7.2).

The Company does not carry out transfers to third countries outside the EU/EEA and the USA.

9. Retention Periods

The retention period is determined for each category of data based on the purpose and applicable legislation:

Data type Period Basis
Active user accounts (data of registered users) For the duration of the active contract + 30 days after termination Performance of a contract
Closed user accounts Deleted or anonymised within 30 days after termination, unless a legal obligation requires longer retention Data minimisation
Invoices and accounting documents 10 years from the beginning of the year following the year of issuance Bulgarian Accounting Act, Art. 12
Payment metadata (Stripe / myPOS reference IDs in our database) For the duration of the accounting obligation (10 years) Bulgarian Accounting Act
Server logs (access logs, error logs) Up to 12 months Legitimate interest — security and debugging
System error records (Rollbar) Up to 30 days Legitimate interest
Product emails — recipient list For the duration of the active account; until unsubscription Legitimate interest
Product emails — engagement statistics Up to 24 months from sending Legitimate interest
Website analytics data (GA4) Up to 14 months Consent
Database backups For the technical period necessary for disaster recovery, after which they are automatically rotated Operational continuity and recovery
End customer data of venues (when we are the processor) According to the instructions of the venue as data controller; upon termination of the contract with the venue — deleted or returned to the venue in accordance with the DPA Art. 28 — processing on the controller's instructions

Contact form submissions
Up to 12 months after resolution of the inquiry
Legitimate interest — responding to customer inquiries

Mobile app push notification tokens
For the duration of the active account; until the user uninstalls the app or revokes push permission
Performance of a contract

Note on backups: The right to erasure ("right to be forgotten") applies to backups as well. When data is deleted from the production database, it will be permanently removed from backups within the rotation cycle (up to 30 days). Until then, backups are retained solely for the purposes of disaster recovery and are not used for any other purpose.

10. Rights of Data Subjects

As a data subject, you have the following rights under the GDPR (Art. 15–22):

  1. Right of access (Art. 15) — to obtain confirmation as to whether we process your data and a copy thereof.
  2. Right to rectification (Art. 16) — to request the correction of inaccurate data or the completion of incomplete data.
  3. Right to erasure / "right to be forgotten" (Art. 17) — to request the erasure of your data, except where a legal obligation or legitimate interest requires its retention.
  4. Right to restriction of processing (Art. 18) — to request a temporary suspension of processing in certain cases.
  5. Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format.
  6. Right to object (Art. 21) — to object to processing based on legitimate interest or direct marketing.
  7. Right to withdraw consent (Art. 7(3)) — for processing based on consent, at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
  8. Right to lodge a complaint with a supervisory authority (Art. 77) — with the CPDP (Commission for Personal Data Protection) (see Section 2).

10.1 How to exercise your rights

Send a written request to: [email protected]

Please include sufficient information to enable us to identify you and process your request (e.g. the email address used during registration). Where there are reasonable doubts regarding your identity, we may request additional information for verification.

10.2 Response timeframe

The Company responds to requests within 30 days of receipt. In the case of complex or numerous requests, the period may be extended by a further 60 days, of which we will notify you.

10.3 Free of charge

The exercise of your rights is free of charge. The Company may refuse or impose a reasonable fee only if requests are manifestly unfounded or excessive (particularly due to their repetitive nature).

10.4 Requests regarding end customer data of venues

If you have been a customer of a venue using our platform and wish to exercise your rights over your data (reservations, phone, email), please contact the respective venue first, as it is the data controller for that data. The Company will assist the venue in fulfilling your request.

11. Cookies and Similar Technologies

11.1 What are cookies

A cookie is a small text file that a website stores in your browser to remember information between visits — such as preferred language, login status or consent to analytics. Cookies themselves do not contain personal information (name, email, etc.), but may be used to recognise a device or browser on subsequent visits.

In this policy, "cookies" also encompasses related technologies: local storage, session storage, web beacons, pixels.

11.2 Categories of cookies we use

The Company categorises cookies into three groups, in accordance with the EDPB guidelines and Art. 4a of the Bulgarian Electronic Communications Act:

  1. Strictly necessary — required for the core functioning of the service (platform login, session maintenance, bot protection, saving your choice under this policy). Do not require consent.
  2. Analytics — measure in an anonymised manner how the marketing website is used, in order to improve it. Require consent.
  3. Marketing / advertising — used to measure the effectiveness of advertising campaigns and remarketing. Require consent.

11.3 Specific cookies

11.3.1 Strictly necessary (no consent required)

Cookie Provider Purpose Duration
cc_cookie Reservation.tools Saves your choice regarding cookie categories from the consent banner 6 months
PHPSESSID Reservation.tools Maintains the user session in the platform after login (Secure, SameSite=Lax) Until the browser is closed
__cf_bm Cloudflare Bot protection and automated attack mitigation (Bot Management) 30 minutes
cf_clearance Cloudflare Proof that the visitor has passed a bot challenge Up to 30 days

11.3.2 Analytics (consent required only — only on www.reservation.tools)

Cookie Provider Purpose Duration
_ga Google Analytics 4 Unique browser identifier used to measure visits 2 years
_ga_DCDZNY25K7 Google Analytics 4 Maintains session and measures engagement for the specific GA4 property of the site 2 years

Important note about GA4 on the marketing website: GA4 is loaded only after you give consent for the "Analytics" category in the cookie banner. Until consent is given, GA4 does not execute and does not record data about your visit. Upon withdrawal of consent, GA4 stops processing new data. In the user application, Google Analytics is not used — there, feature usage measurement is performed via Mixpanel (with EU data residency, without cookies on the marketing website).

11.3.3 Marketing (consent required only — only on www.reservation.tools)

Cookie Provider Purpose Duration
_fbp Meta Platforms (Facebook Pixel) Browser identifier used to measure the effectiveness of advertising campaigns and remarketing 3 months
_fbc Meta Platforms (Facebook Pixel) Stores the click ID when transitioning from a Facebook/Instagram ad to the site 3 months

Important note about Facebook Pixel: The Pixel script is loaded only after you give consent for the "Marketing" category in the cookie banner. Upon withdrawal of consent, Pixel stops processing new data. Facebook Pixel transmits events (page visits) to Meta Platforms for the purposes of advertising optimisation. Details: Meta Cookie Policy.

11.4 Consent management

On your first visit to www.reservation.tools, a consent banner is displayed through which you can:

  • Accept all — you allow analytics and marketing cookies
  • Reject all — only strictly necessary cookies are loaded
  • Customise — you choose category by category

You can change your choice at any time via the "Manage cookies" link at the bottom of the site or through your browser settings.

11.5 Managing cookies through the browser

In addition to our banner, you can manage or delete cookies through your browser settings. Every modern browser supports deleting, blocking and viewing cookies. Please note that blocking strictly necessary cookies may impair the functioning of the platform.

Useful resources:

  • Google Chrome — chrome://settings/cookies
  • Mozilla Firefox — about:preferences#privacy
  • Safari — Preferences → Privacy
  • Microsoft Edge — edge://settings/privacy

12. Data Security (Technical and Organisational Measures)

The Company applies technical and organisational measures appropriate to the risk, in compliance with Art. 32 of the GDPR. These measures include:

  • Encryption in transit — all traffic to and from the platform is carried out over HTTPS / TLS
  • Encryption at rest — backups and stored files are encrypted
  • Access control — role-based access control (RBAC) to data in the platform; principle of least privilege for internal administrators
  • Strong authentication mechanisms — hashed passwords, support for third-party login (OAuth)
  • Audit logs — logs of significant actions in the platform
  • Tenant data segregation — multi-tenant isolation at database level (Doctrine filters by Account and Venue), preventing accidental or intentional cross-venue access
  • Data backup — automated backups with a defined rotation policy
  • Core infrastructure located in the EU — primary hosting is in region eu-west-1 (Ireland)
  • Sub-processor management — DPA with each provider; periodic reassessment of provider security
  • Incident response — internal action plan in the event of a security breach, including notification of the supervisory authority within 72 hours in accordance with Art. 33 of the GDPR

13. Changes to the Privacy Policy

The Company may periodically update this Privacy Policy, for example to reflect new features, new sub-processors or changes in legislation.

In the event of material changes, we will notify registered users by email and/or through a visible notification in the platform before the new version takes effect. Non-material changes (spelling corrections, updating contact details, adding clarifications without changing the substance) are reflected directly in the published version.

The current update date is indicated at the beginning of this document. We recommend that you periodically review this page.

14. Contact

For questions related to this Privacy Policy, requests to exercise GDPR rights or other questions related to the processing of personal data:

Reservation Ltd ("Резервейшън" ЕООД) Email: [email protected] Address: Varna, 1A Petar Raychev St.

For complaints to the supervisory authority: CPDP (Commission for Personal Data Protection), www.cpdp.bg (see Section 2 for full details).

This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) and applicable Bulgarian legislation.

The Data Processing Agreement (DPA) between the Company and venue clients is published as a separate document:

https://www.reservation.tools/dpa/

The DPA is incorporated by reference into the Terms of Use — by accepting the Terms of Use upon registration, the venue client also accepts the DPA.

HomePricingFeaturesHow toBlog
[email protected]
United States
+1 332 4550888
Bulgaria
+359 2 495 0888
United Kingdom
+44 3300 272 888
Sweden
+46 8 4200 2888
Romania
+40 31 2295 888
Malta
+356 203 41 888
Luxembourg
+352 20 301 888
Cyprus
+357 22 053 888
Spain
+34 664 560 578
official rep: Marketing Iberico
Greece
+302112341888

Have questions?

© 2018 Copyright Reservation Ltd.

Terms and conditionsPrivacy Policy