Server logs
Each access to our website automatically generates information at our web server:
- Lawful basis
- GDPR Art. 6(1)(f) (legitimate interest: operational security, error analysis)
- Retention
- 7 days
Last updated · 06 May 2026
This policy applies to tablario.com and the restaurant portal. The separate per-restaurant privacy notice — the one callers hear on the phone — lives at tablario.com/datenschutz/<restaurant-id>.
Controller within the meaning of GDPR is Staqmind UG. No data protection officer is appointed — the conditions of § 38 BDSG are not met.
Each access to our website automatically generates information at our web server:
For form requests we collect name, email and optionally phone/restaurant name.
For contract performance we store restaurant master data and payment information (Stripe).
Tablario processes caller data on behalf of the restaurant (phone number, audio, transcript, reservation details). Tablario is a processor under GDPR Art. 28; the controller is the respective restaurant. Call audio is not stored — it is processed only transiently for real-time transcription. Only the text transcript is stored; by default it is anonymised after 30 days.
Visitors who request the free voice demo provide their email, phone number, and UI language. We send a confirmation email (double opt-in); the demo only starts after the link is clicked. Demo audio and transcripts are NOT stored — processing happens in real time only. Per verified identity (email or phone), 3 minutes per day are available.
We use strictly necessary cookies (session cookies, CSRF protection) and, for web analytics, Plausible Analytics — cookie-less, no personal data, no cross-site tracking (no consent required). To measure our advertising we additionally use Google Ads conversion tracking: it records sign-ups from our ads and sets a cookie (_gcl_aw) — only after your prior consent via our cookie banner. If you decline or make no choice, no Google cookie is set and no data is sent to Google. Via Google Consent Mode v2 only the signals required for conversion measurement are set (ad_storage, ad_user_data); no remarketing takes place (ad_personalization stays disabled). Processing is carried out by Google (including in the USA) on the basis of your consent (Art. 6(1)(a) GDPR, Sec. 25(1) TDDDG). You can withdraw your consent at any time with future effect by deleting the cookies in your browser. Data transfer encrypted via SSL/TLS.
We use the following service providers to deliver our services. A data processing agreement (GDPR Art. 28) is in place with each of them. AI voice processing takes place in the EU. Transfers to the USA occur only for the services marked accordingly and exclusively on the basis of the EU-US Data Privacy Framework (DPF) or the Standard Contractual Clauses (SCCs).
| Provider | Purpose | Location | Third-country basis |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, compute, database, CDN, authentication (Cognito), AI language-model inference (Claude via AWS Bedrock), self-hosted media orchestration (LiveKit) | eu-central-1 · Frankfurt | — |
| Telnyx Ireland Limited | Telephony routing, numbers, SMS sending | EU · data residency Germany | — |
| Soniox, Inc. | Speech recognition (speech-to-text) for the AI telephony | EU region | SCCs / DPF (US company, processing at the EU endpoint) |
| ElevenLabs, Inc. | Speech synthesis (text-to-speech) — receives only the spoken response text (incl. guest name), no phone number/identifier | USA | SCCs / DPF + DPA |
| Resend, Inc. | Sending transactional emails | USA | DPF / SCCs |
| Stripe Payments Europe Ltd. | Payment processing for provider fees | Dublin, Ireland (EU/USA) | DPF / SCCs |
| Sentry (Functional Software, Inc.) | Technical error tracking | USA | DPF / SCCs |
| Plausible Analytics | Web analytics (cookie-less) | EU | — |
| Google Ireland Ltd. / Google LLC | Google Ads conversion tracking (consent only) | USA | Consent; DPF |
Soniox and ElevenLabs process data exclusively within the AI-powered phone assistant on behalf of our restaurant customers. AI language-model inference (Claude) runs via AWS Bedrock in the EU; the media orchestration (LiveKit) we operate ourselves on AWS in the EU.
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). Contact us at:
datenschutz@tablario.comYou have the right to lodge a complaint with a supervisory authority. Our competent authority is:
No profiling takes place (GDPR Art. 4(4)). The automated acceptance or rejection of a reservation by the AI assistant is carried out to enter into the contract (GDPR Art. 22(2)(a)) — with the safeguards of Art. 22(3): callers can request human handling at any time (transfer to the stored staff number), express their point of view and contest the decision; the restaurant retains full control over reservation rules and can manually adjust bookings.
We take appropriate measures under GDPR Art. 32:
We commit to detecting, investigating and reporting personal data breaches without undue delay. For notifiable breaches under GDPR Art. 33 we notify the supervisory authority within 72 hours. Where high-risk breaches affect data subjects we inform them without delay (Art. 34 GDPR). Restaurant customers also receive a processor notification.
We update this policy whenever our services or legal requirements change. The current version is always available here.
Drop us a message — we reply within one business day.