GDPR · Art. 13/14

How we handle your data.

Last updated · 06 May 2026

This policy applies to tablario.com and the restaurant portal. The separate per-restaurant privacy notice — the one callers hear on the phone — lives at tablario.com/datenschutz/<restaurant-id>.

Controller

Who processes your data

Staqmind UG (haftungsbeschränkt)
Saalfelder Strasse 11 · 51103 Cologne · Germany
Represented by
Mirko Rossbach, Montassar Zaroui

Controller within the meaning of GDPR is Staqmind UG. No data protection officer is appointed — the conditions of § 38 BDSG are not met.

Collection & lawful bases

What we collect — and why

Server logs

Each access to our website automatically generates information at our web server:

Captured fields
IP address (anonymised) · date/time · requested URL · HTTP status · referrer · user agent
Lawful basis
GDPR Art. 6(1)(f) (legitimate interest: operational security, error analysis)
Retention
7 days

Demo requests / contact form

For form requests we collect name, email and optionally phone/restaurant name.

Lawful basis
GDPR Art. 6(1)(b) (pre-contractual measures)
Retention
12 months after handling

Account data (restaurant portal)

For contract performance we store restaurant master data and payment information (Stripe).

Lawful basis
GDPR Art. 6(1)(b) (contract performance)
Retention
Up to 30 days after contract end; invoices 10 years (§ 147 AO)

AI phone calls (data processing)

Tablario processes caller data on behalf of the restaurant (phone number, audio, transcript, reservation details). Tablario is a processor under GDPR Art. 28; the controller is the respective restaurant. Call audio is not stored — it is processed only transiently for real-time transcription. Only the text transcript is stored; by default it is anonymised after 30 days.

Lawful basis
GDPR Art. 6(1)(b) (contract performance of the restaurant towards the guest); GDPR Art. 6(1)(a) (consent via the AI disclosure at the start of the call)
Retention
Audio: not stored · transcripts: default 30 days, then anonymised

Live voice demo (tablario.com/demo)

Visitors who request the free voice demo provide their email, phone number, and UI language. We send a confirmation email (double opt-in); the demo only starts after the link is clicked. Demo audio and transcripts are NOT stored — processing happens in real time only. Per verified identity (email or phone), 3 minutes per day are available.

Lawful basis
GDPR Art. 6(1)(a) (consent). Consent is voluntary and revocable at any time (deletion link in every confirmation email).
Retention
Unconfirmed leads: max. 24 hours, then deleted. Confirmed leads: 30 days, then anonymised (hash kept for quota enforcement). Demo audio + transcript: not stored.
Cookies & tracking

What runs in the browser

We use strictly necessary cookies (session cookies, CSRF protection) and, for web analytics, Plausible Analytics — cookie-less, no personal data, no cross-site tracking (no consent required). To measure our advertising we additionally use Google Ads conversion tracking: it records sign-ups from our ads and sets a cookie (_gcl_aw) — only after your prior consent via our cookie banner. If you decline or make no choice, no Google cookie is set and no data is sent to Google. Via Google Consent Mode v2 only the signals required for conversion measurement are set (ad_storage, ad_user_data); no remarketing takes place (ad_personalization stays disabled). Processing is carried out by Google (including in the USA) on the basis of your consent (Art. 6(1)(a) GDPR, Sec. 25(1) TDDDG). You can withdraw your consent at any time with future effect by deleting the cookies in your browser. Data transfer encrypted via SSL/TLS.

Sub-processors

Who else is involved

We use the following service providers to deliver our services. A data processing agreement (GDPR Art. 28) is in place with each of them. AI voice processing takes place in the EU. Transfers to the USA occur only for the services marked accordingly and exclusively on the basis of the EU-US Data Privacy Framework (DPF) or the Standard Contractual Clauses (SCCs).

ProviderPurposeLocationThird-country basis
Amazon Web Services EMEA SARLCloud hosting, compute, database, CDN, authentication (Cognito), AI language-model inference (Claude via AWS Bedrock), self-hosted media orchestration (LiveKit)eu-central-1 · Frankfurt
Telnyx Ireland LimitedTelephony routing, numbers, SMS sendingEU · data residency Germany
Soniox, Inc.Speech recognition (speech-to-text) for the AI telephonyEU regionSCCs / DPF (US company, processing at the EU endpoint)
ElevenLabs, Inc.Speech synthesis (text-to-speech) — receives only the spoken response text (incl. guest name), no phone number/identifierUSASCCs / DPF + DPA
Resend, Inc.Sending transactional emailsUSADPF / SCCs
Stripe Payments Europe Ltd.Payment processing for provider feesDublin, Ireland (EU/USA)DPF / SCCs
Sentry (Functional Software, Inc.)Technical error trackingUSADPF / SCCs
Plausible AnalyticsWeb analytics (cookie-less)EU
Google Ireland Ltd. / Google LLCGoogle Ads conversion tracking (consent only)USAConsent; DPF

Soniox and ElevenLabs process data exclusively within the AI-powered phone assistant on behalf of our restaurant customers. AI language-model inference (Claude) runs via AWS Bedrock in the EU; the media orchestration (LiveKit) we operate ourselves on AWS in the EU.

Retention periods

How long we keep things

Server logs
7 days
Contact requests
12 months after handling
Invoices
10 years · § 147 AO
Business correspondence
6 years · § 257 HGB
Call audio
Not stored (real-time processing only)
Call transcripts
30 days default · then anonymised
Demo leads (email/phone)
Unconfirmed: max. 24 h · Confirmed: 30 days, then anonymised · Demo audio/transcript: not stored
Your rights

What you are entitled to

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). Contact us at:

datenschutz@tablario.com

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. Our competent authority is:

Data Protection Commissioner of North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2-4 · 40213 Düsseldorf
www.ldi.nrw.de
Automated decision-making

Automated booking decision with safeguards

No profiling takes place (GDPR Art. 4(4)). The automated acceptance or rejection of a reservation by the AI assistant is carried out to enter into the contract (GDPR Art. 22(2)(a)) — with the safeguards of Art. 22(3): callers can request human handling at any time (transfer to the stored staff number), express their point of view and contest the decision; the restaurant retains full control over reservation rules and can manually adjust bookings.

Data security

Technical & organisational measures

We take appropriate measures under GDPR Art. 32:

  • SSL/TLS encryption for all data transfers
  • Server location EU · AWS Frankfurt (eu-central-1)
  • Encryption at rest · Aurora PostgreSQL, S3, Secrets Manager · KMS
  • Access control on a need-to-know basis
  • MFA enforced on platform accounts · adaptive auth (Cognito Threat Protection)
  • Web Application Firewall (AWS WAF) with rate limiting and reputation filters
  • Regular security updates and container scanning
  • No payment data stored on our servers
Security incidents

What happens in a data breach

We commit to detecting, investigating and reporting personal data breaches without undue delay. For notifiable breaches under GDPR Art. 33 we notify the supervisory authority within 72 hours. Where high-risk breaches affect data subjects we inform them without delay (Art. 34 GDPR). Restaurant customers also receive a processor notification.

Detection
Monitoring & alerts (AWS GuardDuty, Sentry, WAF logs)
Authority report
Within 72 h · GDPR Art. 33
Data-subject info
Without delay if high-risk · GDPR Art. 34
Customer report
DPA reporting duty to restaurants · GDPR Art. 33(2)
Updates

Changes to this policy

We update this policy whenever our services or legal requirements change. The current version is always available here.

Reply within 1 business day
Weekdays between 9 am and 6 pm CET
GDPR compliant
Servers in Germany · no data sales
Made in Germany
Founder-led support straight from Cologne
Cancel monthly
No contract, no setup fee

Questions we did not cover?

Drop us a message — we reply within one business day.