This Privacy Policy explains how Rezvion (“Rezvion,” “we,” “our”) collects, uses, shares, and protects personal data when you use the Rezvion platform — the dashboard, point‑of‑sale (POS), kitchen display (KDS), online ordering storefronts we host on behalf of restaurants, the marketing website at rezvion.nl, and any related services (together, the “Service”).
It is written to satisfy our information obligations under Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the Dutch Implementation Act (Uitvoeringswet AVG, “UAVG”), and the ePrivacy provisions of the Dutch Telecommunications Act (Telecommunicatiewet).
1. Who we are
Data controller for the Service: Rezvion, a private company with limited liability incorporated in the Netherlands.
- Registered office: Groest 51, 1211 CZ Hilversum, the Netherlands
- KVK number: 92336752
- BTW (VAT) number: NL866012576B01
- Contact for all enquiries (general, privacy, security disclosure): hello@rezvion.nl
Rezvion is established in the European Union, so an Article 27 GDPR representative is not required. Our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (“AP”).
2. Our role: controller and processor
Rezvion plays two distinct GDPR roles depending on whose data is at issue.
- Controller — for personal data of restaurant operators and their staff who hold a Rezvion account, for visitors to rezvion.nl, for our billing records, and for our own marketing.
- Processor — for personal data of restaurant guests (diners, online‑order customers, reservation holders, loyalty members) that the restaurant collects through the Service. The restaurant is the controller of that data; Rezvion processes it strictly on the restaurant’s documented instructions, under the Data Processing Agreement (“DPA”) that forms part of every subscription.
This Policy describes our practices in our controller capacity. Where we act as a processor, the restaurant’s own privacy notice and our DPA govern; please contact the restaurant directly for guest‑data requests. We will assist the restaurant with any request we forward to them.
3. Personal data we collect
3.1 Information you provide directly (controller capacity)
- Account data — name, work email, phone (optional), role, password (stored only as an Argon2id hash), the restaurant(s) you are associated with, language and time-zone preferences.
- Billing data — restaurant’s legal name, billing address, KVK/BTW number, invoice history, payment-method metadata (last four digits, brand, expiry). Card and bank details are tokenised by Adyen N.V. (see §6) and never stored on Rezvion systems.
- Communications — content of support tickets, emails, chat transcripts, and SMS opt‑in confirmations.
- Marketing‑site forms — name, email, restaurant name, message and reason when you submit the contact form on rezvion.nl.
- Recruitment data — if you apply for a role, the CV and information you send to careers@rezvion.nl.
3.2 Information collected automatically (controller capacity)
- Usage data — features used, pages viewed, timestamps, in‑app actions, performance metrics.
- Device & connection data — IP address (truncated for analytics), browser type and version, operating system, device type, language preference.
- Cookies and similar technologies — see our Cookie Policy.
- Error and diagnostic data — stack traces and contextual logs captured via Sentry when something goes wrong, which can include user identifiers.
3.3 Information from third parties (controller capacity)
- Authentication or profile data when a restaurant operator signs in via a connected delivery, review, or marketing platform (Google, Meta, Tripadvisor, HubRise, etc.).
- Payment confirmation, refund, and dispute information from Adyen.
- Publicly available business directory data (KVK, BTW VIES) used for fraud screening at sign-up.
3.4 Guest data we process for restaurants (processor capacity)
For transparency, the categories of guest personal data the Service typically processes on behalf of restaurants include: name, contact details (email, phone, delivery address), order and reservation history, dietary preferences and allergens (where the guest provides them), loyalty programme membership and points balance, marketing preferences, and payment-method metadata returned by Adyen. This data is governed by the restaurant’s privacy notice and our DPA.
4. Why we process your data and on which legal basis
| Purpose | Categories of data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Provide the Service (account creation, authentication, core features) | Account, usage | Contract performance — Art. 6(1)(b) |
| Bill restaurants and process subscription payments | Billing, payment metadata | Contract performance — Art. 6(1)(b); legal obligation for invoice retention — Art. 6(1)(c) |
| Customer support | Communications, account, usage | Contract performance — Art. 6(1)(b) |
| Security, fraud prevention, abuse detection | Connection, usage, error | Legitimate interest — Art. 6(1)(f) (operating a secure platform) |
| Service improvement and aggregated analytics | Usage, device | Legitimate interest — Art. 6(1)(f) (improving the Service for all users) |
| Marketing emails and product‑update newsletters to existing customers about similar Rezvion features | Account, usage | Legitimate interest — Art. 6(1)(f); ePrivacy “soft opt‑in” (Telecommunicatiewet art. 11.7(3)) with a clear opt‑out in every message |
| Marketing emails to non‑customers (e.g. newsletter sign‑ups) | Marketing‑site form | Consent — Art. 6(1)(a) |
| Recruitment | Recruitment | Pre‑contractual measures — Art. 6(1)(b); consent — Art. 6(1)(a) for retaining your CV beyond the role you applied for |
| Comply with tax, accounting, anti-money-laundering and other legal obligations | Billing, account | Legal obligation — Art. 6(1)(c) |
| Establish, exercise or defend legal claims | Any of the above | Legitimate interest — Art. 6(1)(f); legal claim — Art. 9(2)(f) where special-category data is unavoidable |
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You may also object to processing based on legitimate interest by contacting us; we will weigh your reasons against our overriding interests, and stop processing unless we can demonstrate compelling legitimate grounds.
5. Special categories of data
Rezvion does not seek to process special-category personal data (Art. 9 GDPR) about its account holders. Restaurant guests may voluntarily share allergen or dietary information when placing an order — that data is processed for the restaurant under Art. 9(2)(a) GDPR (explicit consent, in the form of providing it for the order to be prepared safely) and is governed by the DPA.
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Active account data | For the duration of the contract. |
| Account data after termination | Anonymised or deleted within 30 days, except where retention is required by law or to defend legal claims. |
| Invoices and tax records | 7 years (art. 52 Algemene wet inzake rijksbelastingen). |
| Connection and security logs | 12 months. |
| Sentry error events | 90 days. |
| Support communications | 3 years from last interaction. |
| Marketing‑site contact‑form submissions | 3 years from last interaction. |
| Recruitment data (unsuccessful applicants) | 4 weeks after the procedure ends, or up to 1 year with your consent. |
| Cookies | Up to 13 months — see Cookie Policy. |
7. Recipients and sub‑processors
We share personal data only with the parties listed in our Sub‑processors register, and only to the extent necessary for the stated purpose. Each sub‑processor is bound by a written agreement that meets Article 28 GDPR. Material changes to that list (additions or replacements) are notified to controller customers at least 30 days in advance, allowing a right of objection in line with the DPA.
We may also disclose personal data when required by law, court order, or a binding request from a competent authority, or where strictly necessary to protect rights, property, or safety. We assess each government-access request for legality and proportionality and challenge overbroad requests where possible.
8. International transfers
Most personal data is stored in the European Union. Where transfers outside the EEA occur — for example to US‑parented sub‑processors — we rely on one or more of the following safeguards:
- The EU‑U.S. Data Privacy Framework, where the recipient is certified;
- European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), with the relevant module and Annexes completed;
- UK International Data Transfer Addendum where the UK GDPR applies;
- Supplementary technical and organisational measures, including encryption in transit and at rest, pseudonymisation where appropriate, and access logging;
- A documented Transfer Impact Assessment (“TIA”) for each third-country recipient.
You may request a copy of the safeguards in place at hello@rezvion.nl.
9. Your rights under the GDPR
- Access (Art. 15) — receive a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion in the cases the law allows.
- Restriction (Art. 18) — limit processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, commonly used, machine‑readable format (we provide JSON or CSV).
- Objection (Art. 21) — object to processing based on legitimate interest, including profiling, and at any time to direct marketing.
- Withdraw consent (Art. 7(3)) — without affecting the lawfulness of prior processing.
- Lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the supervisory authority of your habitual residence.
To exercise any right, email hello@rezvion.nl. We respond within one month and may extend that period by two further months for complex requests, in which case we will explain why and what you can do if you disagree. We do not charge a fee unless your request is manifestly unfounded or excessive.
10. Automated decision‑making and AI features
Rezvion does not take decisions producing legal or similarly significant effects on individuals on a solely automated basis (Art. 22 GDPR). Some Service features (e.g. recommended menu pricing, fraud signals, AI‑generated analytics summaries) use algorithmic scoring or generative AI, but a human always remains in control of the resulting action.
Where a Rezvion feature relies on a generative AI model (currently OpenAI’s API for opt‑in analytics summaries and copy suggestions), we clearly label the output as AI-generated in line with our transparency commitments under Article 50 of the EU AI Act (Regulation (EU) 2024/1689). We do not use customer or guest personal data to train third-party general-purpose AI models, and our agreement with OpenAI prohibits such training on our API traffic.
11. Security
We apply a defence‑in‑depth approach: PostgreSQL row‑level security to enforce tenant isolation, TLS 1.2+ for all connections, encryption at rest for databases and object storage, Argon2id for password hashing, principle‑of‑least‑privilege access controls, mandatory two‑factor authentication for staff with production access, audit logs, and continuous error and security monitoring. We test backups and run periodic restoration drills. Security details are summarised on our GDPR page and in greater depth in the DPA annex.
12. Children
The Service is not directed to children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, please contact hello@rezvion.nl and we will delete it. Restaurants using the Service to run loyalty or marketing programmes are responsible, as controller, for any age-gating on those flows.
13. Changes to this policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes affecting your rights, we will notify account holders by email or through the dashboard at least 30 days before the change takes effect. Prior versions are kept on file and available on request.
14. Contact us
Email hello@rezvion.nl, or write to Rezvion, Groest 51, 1211 CZ Hilversum, the Netherlands.