GDPR · Art. 13/14

How we handle your data.

Last updated · 06 May 2026

This policy applies to tablario.com and the restaurant portal. The separate per-restaurant privacy notice — the one callers hear on the phone — lives at tablario.com/datenschutz/<restaurant-id>.

Controller

Who processes your data

Staqmind UG (haftungsbeschränkt)
Saalfelder Strasse 11 · 51103 Cologne · Germany
Represented by
Mirko Rossbach, Montassar Zaroui

The controller within the meaning of the GDPR is Staqmind UG. No data protection officer has been appointed, as the conditions of § 38 BDSG are not met.

Collection & lawful bases

What we collect — and why

Server logs

Each access to our website automatically generates the following information on our web server:

Captured fields
IP address (anonymised) · date/time · requested URL · HTTP status · referrer · user agent
Lawful basis
GDPR Art. 6(1)(f) (legitimate interest: operational security, error analysis)
Retention
7 days
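The log entry above keeps an anonymised IP address. How that anonymisation is done matters in practice: truncating only the last octet works for IPv4 but leaves IPv6 addresses fully identifying, and IPv4-mapped IPv6 addresses need to be unwrapped first. The following is an added example of a log-line anonymiser, not Tablario's own code; the combined-log-style sample lines are constructed, and the truncation widths (IPv4 to /24, IPv6 to /48) are an assumption following common supervisory-authority guidance rather than something this policy states.

```python
"""Anonymise the client IP in web-server access log lines before they
are written to the short-retention log store.

Added example, not Tablario's own code. Sample lines are constructed;
the truncation widths (IPv4 /24, IPv6 /48) are an assumed convention.
"""
import ipaddress
import re

# Combined-log-style line: the client IP is the first whitespace-separated field.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.47 - - [06/May/2026:10:12:01 +0200] "GET /datenschutz HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [06/May/2026:10:12:02 +0200] "GET /portal HTTP/1.1" 302 0 "-" "curl/8.0"',
    '::ffff:198.51.100.9 - - [06/May/2026:10:12:03 +0200] "POST /demo HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]


def anonymise_ip(ip_text: str) -> str:
    """Zero the host part of an address: IPv4 keeps 24 bits, IPv6 keeps 48 bits.

    Unparseable input is replaced wholesale rather than passed through, so a
    malformed first field can never leak into the retained log.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"
    if isinstance(addr, ipaddress.IPv4Address):
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
    else:
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) carries a full IPv4 address;
        # unwrap it so it is not kept at /48 with all host bits intact.
        if addr.ipv4_mapped is not None:
            return anonymise_ip(str(addr.ipv4_mapped))
        net = ipaddress.ip_network(f"{addr}/48", strict=False)
    return str(net.network_address)


def anonymise_line(line: str) -> str:
    """Replace the leading client-IP field of one access-log line."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return anonymise_ip(m.group("ip")) + m.group("rest")


def anonymise_log(lines: list[str]) -> list[str]:
    """Anonymise every line of an access log; order and other fields are kept."""
    return [anonymise_line(line) for line in lines]


if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

The function rewrites the address field in place and leaves the timestamp, URL, status, referrer and user agent untouched, so error analysis on the 7-day logs still works while the retained address no longer identifies a single host.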

Demo requests / contact form

For form requests we collect name, email and optionally phone/restaurant name.

Lawful basis
GDPR Art. 6(1)(b) (pre-contractual measures)
Retention
12 months after handling

Account data (restaurant portal)

For contract performance we store restaurant master data and payment information (Stripe).

Lawful basis
GDPR Art. 6(1)(b) (contract performance)
Retention
Up to 30 days after contract end; invoices 10 years (§ 147 AO)

AI phone calls (data processing)

Tablario processes caller data on behalf of the restaurant (phone number, audio, transcript, reservation details). Tablario is a processor under GDPR Art. 28; the controller is the respective restaurant. Call audio is stored for up to 30 days and then automatically anonymised.

Lawful basis
GDPR Art. 6(1)(b) (contract performance of the restaurant towards the guest); GDPR Art. 6(1)(a) (consent via the AI disclosure at the start of the call)
Retention
Audio max. 30 days · transcripts default 30 days (configurable)

Cookies & tracking

What runs in the browser

We use only strictly necessary cookies (session cookies, CSRF protection). For web analytics we use Plausible Analytics, which is cookie-less, collects no personal data and does no cross-site tracking, so no consent banner is required. Data in transit is encrypted via TLS.

Sub-processors

Who else is involved

We use the following service providers. DPAs (GDPR Art. 28) are in place with all of them. Data transfers to the USA rest on the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).

Provider | Purpose | Location | Third-country basis
Amazon Web Services EMEA SARL | Cloud hosting, compute, DB, CDN, Cognito auth, SES email | eu-central-1 · Frankfurt | n/a
Telnyx Ireland Limited | Telephony routing, numbers, SMS | Dublin, Ireland | SCCs (EU/USA flow possible)
LiveKit, Inc. | Voice orchestration (WebRTC/SIP) | USA / EU | DPF / SCCs
Deepgram, Inc. | Speech-to-text (STT) · default provider | USA | DPF / SCCs
Soniox Inc. | Speech-to-text (STT) · alternative | USA | SCCs
ElevenLabs Inc. | Text-to-speech (TTS) | EU residency / USA | DPF / SCCs
Anthropic, PBC | AI language model (Claude) | USA | DPF / SCCs
Stripe, Inc. | Payment processing | USA / Ireland | DPF / SCCs
ImprovMX (Reflexion Networks) | Inbound email forwarding | USA | SCCs
Functional Software (Sentry) | Error monitoring & stability analysis | USA | DPF / SCCs
Plausible Analytics | Web analytics (cookie-less) | EU | n/a

LiveKit, Deepgram, Soniox, ElevenLabs and Anthropic only process data within the AI phone assistant on behalf of our restaurant customers.

Retention periods

How long we keep things

Server logs
7 days
Contact requests
12 months after handling
Invoices
10 years · § 147 AO
Business correspondence
6 years · § 257 HGB
Call audio
Max. 30 days · then anonymised
Call transcripts
30 days default · configurable per restaurant

Your rights

What you are entitled to

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). Contact us at:

datenschutz@tablario.com

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. Our competent authority is:

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2-4 · 40213 Düsseldorf
www.ldi.nrw.de

Automated decision-making

No profiling

No automated decision-making within the meaning of GDPR Art. 22, including profiling, takes place. The AI makes no legally binding decisions; the restaurant retains full control over its reservation rules at all times and can manually adjust any booking.

Data security

Technical & organisational measures

We take appropriate measures under GDPR Art. 32:

  • TLS encryption for all data in transit
  • Server location EU · AWS Frankfurt (eu-central-1)
  • Encryption at rest · Aurora PostgreSQL, S3, Secrets Manager · KMS
  • Access control on a need-to-know basis
  • MFA enforced on platform accounts · adaptive auth (Cognito Threat Protection)
  • Web Application Firewall (AWS WAF) with rate limiting and reputation filters
  • Regular security updates and container scanning
  • No payment data stored on our servers

Security incidents

What happens in a data breach

We commit to detecting, investigating and reporting personal data breaches without undue delay. For notifiable breaches we notify the supervisory authority within 72 hours (GDPR Art. 33). Where a breach is likely to result in a high risk to data subjects, we inform them without undue delay (GDPR Art. 34). Where we act as processor, we also notify the affected restaurant customers.

Detection
Monitoring & alerts (AWS GuardDuty, Sentry, WAF logs)
Authority report
Within 72 h · GDPR Art. 33
Data-subject info
Without delay if high-risk · GDPR Art. 34
Customer report
Processor notification to restaurants under the DPA · GDPR Art. 33(2)

Updates

Changes to this policy

We update this policy whenever our services or legal requirements change. The current version is always available here.


Questions we did not cover?

Drop us a message — we reply within one business day.