As a platform serving European restaurants and their guests, Rezvion is built around the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Dutch Implementation Act (Uitvoeringswet AVG, “UAVG”). This page summarises our role, the safeguards we apply to personal data, and how individuals and customers can exercise their rights. It complements — and does not replace — our Privacy Policy and our Data Processing Agreement.
1. Our roles under the GDPR
- Controller — for personal data of restaurant operators and their staff who hold a Rezvion account, marketing‑site visitors, and our own billing and HR records.
- Processor — for personal data restaurants collect from their guests through the Service (orders, reservations, loyalty profiles, delivery contact details). The restaurant is the controller; we act strictly on its documented instructions.
2. Data Processing Agreement (DPA)
Every Rezvion subscription is accompanied by a Data Processing Agreement that satisfies Article 28 GDPR. The DPA covers, at minimum:
- The subject‑matter and duration of processing;
- The nature and purpose of processing;
- The types of personal data and categories of data subjects;
- Our obligations and the controller’s rights;
- Confidentiality, security, and breach‑notification commitments;
- Use of sub‑processors and the controller’s right to object;
- Assistance with data‑subject requests and DPIAs;
- Audit rights and the conditions for return or deletion of data on termination.
The current DPA is published at /dpa and is automatically incorporated into the Terms of Service for every paid subscription.
3. Sub‑processors and international transfers
We publish a current list of sub‑processors at /sub-processors, with their roles, regions, and the safeguards in place. We notify customers of additions or replacements at least 30 days before they take effect, in line with Article 28(2) GDPR and the DPA.
For transfers outside the EEA, we rely on Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the EU‑U.S. Data Privacy Framework where the recipient is certified, the UK International Data Transfer Addendum where the UK GDPR applies, and supplementary technical measures including encryption in transit and at rest. Each third-country recipient is covered by a documented Transfer Impact Assessment.
4. Security measures
- Tenant isolation via PostgreSQL row‑level security and an authentication layer that always scopes queries to the right restaurant.
- Encryption in transit (TLS 1.2+) and at rest (managed disk encryption + object‑storage encryption).
- Identity: Argon2id password hashing, JWT access tokens with short lifetimes, refresh‑token rotation, mandatory two‑factor authentication for staff.
- Least privilege: role‑based access control inside the platform; production access is restricted, audited, and time‑bound for staff.
- Monitoring: structured request logs, error tracking via Sentry, anomaly detection, and rate‑limited public endpoints.
- Backups: encrypted, retained for 30 days, restoration tested at least quarterly.
- Personnel: confidentiality agreements, security training, background screening for roles handling production data.
- Vulnerability disclosure: responsible disclosure programme at hello@rezvion.nl; PGP key on request.
5. Data‑subject rights
Individuals can exercise the following rights under Articles 15–22 GDPR: access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent without affecting prior processing.
- If you are a Rezvion account holder, contact hello@rezvion.nl. We respond within one month (extendable by two months for complex requests, with reasons).
- If you are a guest of a restaurant using Rezvion, please contact the restaurant directly: it is the controller of your data. We will assist the restaurant in fulfilling your request, in line with Article 28(3)(e) GDPR.
6. Personal‑data breach notification
Where Rezvion becomes aware of a personal‑data breach affecting Customer Data, we notify affected controller customers without undue delay and in any event within 48 hours of confirmation, providing the information required under Article 33(3) GDPR so the controller can meet its 72‑hour notification obligation toward the supervisory authority. We maintain an internal incident-response runbook with defined severities, communication templates, and post-incident review.
7. Records of processing (Article 30)
Rezvion maintains an internal Record of Processing Activities for the processing it carries out as a controller and as a processor. The record is available to the Dutch supervisory authority (Autoriteit Persoonsgegevens, “AP”) and to controller customers exercising their audit rights under the DPA.
8. Data Protection Impact Assessments (DPIAs)
We assist controller customers with DPIAs where the processing they carry out through the Service is likely to result in a high risk to individuals (Article 35 GDPR) — for example for large‑scale loyalty profiling or behavioural advertising. Contact us to obtain a current DPIA information pack, including a template description of Service processing, technical safeguards, and our risk assessment of the platform.
9. EU AI Act compliance
Some Service features use generative AI (currently OpenAI’s API for opt‑in analytics summaries and copy suggestions). We treat these as limited‑risk AI systems under the EU AI Act (Regulation (EU) 2024/1689) and label all AI‑generated output accordingly, in line with Article 50 of that regulation. We do not deploy any system that would qualify as a prohibited or high-risk AI system under the Act, and we do not use customer or guest personal data to train third‑party general‑purpose AI models.
10. European Accessibility Act
From 28 June 2025, the European Accessibility Act (Directive (EU) 2019/882) applies to consumer‑facing digital services in scope. The ordering storefronts hosted by Rezvion for restaurants are a consumer‑facing service and we work toward conformity with WCAG 2.1 Level AA. See our Accessibility Statement for the current conformance status, known issues, and feedback channel.
11. Food information and allergen data
The Service supports restaurants in meeting their information obligations under Regulation (EU) 1169/2011 (food information to consumers) by allowing structured allergen and dietary attributes per menu item. The accuracy and completeness of that data are the restaurant’s responsibility as controller and as the food business operator.
12. Supervisory authority and Data Protection Officer
Our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens. You also have the right to lodge a complaint with the supervisory authority of your habitual residence.
Rezvion has not formally designated a Data Protection Officer because our processing does not currently meet the criteria of Article 37(1) GDPR (no large‑scale systematic monitoring as core activity, no large‑scale processing of special‑category data as core activity, and we are not a public authority). We have nonetheless appointed a privacy lead reachable at hello@rezvion.nl. If our processing changes such that a DPO becomes mandatory, we will designate one and update this page.
13. Children
The Service is not intended for users under 16. We expect controller customers to ensure that any guest‑facing flows (loyalty sign‑up, marketing) include appropriate age controls where relevant.
14. Changes to this page
We update this page as our compliance posture evolves. Material changes will be communicated through the dashboard and/or by email to account holders.
15. Contact
Email hello@rezvion.nl with the subject “GDPR” or write to Rezvion, Groest 51, 1211 CZ Hilversum, the Netherlands.