This Privacy Policy explains how Hospitality Labs ("Hospitality Labs," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use Table Alert (the "Service"), including our website at tablealert.app and all related features, notifications, and communications.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
Please read this Privacy Policy carefully. By creating an Account or using the Service, you acknowledge that you have read and understood this Privacy Policy.
The data controller responsible for your personal data is:
Hospitality Labs
Email: info@tablealert.app
If you have any questions or concerns about how we process your personal data, you may contact us using the details above.
We collect and process the following categories of personal data:
Account Data: When you create an Account, we collect your name, email address, and password (stored in hashed form). If you subscribe to a paid plan, we also collect your billing address and country.
Preference Data: Restaurant selections you add for monitoring, including restaurant names, desired dates, party sizes, time preferences, and alert settings.
Communication Data: When you contact us for support or send us feedback, we collect the content of your messages and any attachments, along with your contact details.
Usage Data: We collect information about how you interact with the Service, including pages visited, features used, actions taken (such as adding or removing Monitored Restaurants), and timestamps.
Device and Technical Data: We collect your IP address, browser type and version, operating system, device type, screen resolution, language preferences, and referring URLs.
Alert Interaction Data: We collect data about Alerts sent to you, including delivery status, whether you opened an Alert email, and whether you clicked through to a restaurant reservation platform.
Log Data: Our servers automatically record information in server logs, including your IP address, access times, pages viewed, and system activity.
Payment Data: When you subscribe to a paid plan, your payment is processed by Stripe, Inc. ("Stripe"). We receive limited information from Stripe, including the last four digits of your payment card, card type, expiry date, billing country, and transaction status. We do not receive or store your full payment card number. Stripe's collection and use of your data is governed by Stripe's Privacy Policy.
We process your personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The table below sets out our processing purposes and their corresponding legal bases.
| Purpose | Categories of Data | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Creating and managing your Account | Account Data | Performance of contract (Art. 6(1)(b)) |
| Providing the Service, including monitoring restaurants and sending Alerts | Account Data, Preference Data, Alert Interaction Data | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Account Data, Payment Data (via Stripe) | Performance of contract (Art. 6(1)(b)) |
| Responding to your support requests and communications | Account Data, Communication Data | Performance of contract (Art. 6(1)(b)) |
| Improving and optimising the Service | Usage Data, Device and Technical Data, Alert Interaction Data | Legitimate interest (Art. 6(1)(f)) |
| Ensuring the security and integrity of the Service | Device and Technical Data, Log Data, Usage Data | Legitimate interest (Art. 6(1)(f)) |
| Enforcing our Terms of Service | Account Data, Usage Data, Preference Data | Legitimate interest (Art. 6(1)(f)) |
| Sending service-related communications (receipts, password resets, account notices) | Account Data | Performance of contract (Art. 6(1)(b)) |
| Sending newsletter and product-update emails | Account Data | Consent (Art. 6(1)(a)) |
| Sending reminders to users who started but did not complete signup | Account Data, signup timestamp | Legitimate interest (Art. 6(1)(f)) — recovering an incomplete signup the user initiated |
| Measuring website traffic, acquisition sources and conversion funnels | Device and Technical Data, Usage Data, UTM parameters | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Account Data, Payment Data | Legal obligation (Art. 6(1)(c)) |
Legitimate Interest Assessments: Where we rely on legitimate interest as a legal basis, we have conducted balancing assessments to ensure that our interests do not override your fundamental rights and freedoms. You may request information about these assessments by contacting us.
We use cookies and similar technologies on our website. Cookies are small text files stored on your device that help us provide and improve the Service. We group the cookies we use into four categories:
Essential cookies. These cookies are required to run Table Alert. They cannot be turned off because the website would not work without them (for example, session management, authentication, CSRF protection, and storing your cookie-consent choice itself). Essential cookies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive.
Functional cookies. These cookies result in an improved experience on our website. Disabling these cookies may decrease the website's functionality.
Analytics cookies. These cookies help us understand how visitors find and use this site. We currently use Google Analytics 4 (deployed via Google Tag Manager), configured with IP anonymisation enabled and Google Consent Mode v2, which means no analytics cookies or identifiers are set, and no measurement data is sent to Google, until you have given your consent.
Marketing cookies. These cookies are placed by our advertising partners (currently Google Ads and Reddit Inc.) to measure the effectiveness of our advertising and to show you more relevant ads on those platforms. They will only load after you give your consent via the cookie banner. When you visit our site with marketing cookies enabled, we share the following information with Reddit Inc. (operator of reddit.com): your hashed email address (SHA-256), your hashed IP address (SHA-256), your browser User-Agent string, and a Reddit-issued click identifier (rdt_cid) when present in the URL of your initial visit. This data is shared via Reddit's Pixel (browser-side) and Reddit's Conversions API (server-to-server, fired when a paid subscription is completed) so that Reddit can attribute conversions to specific ad campaigns and improve future ad targeting. You can opt out at any time by rejecting marketing cookies in our cookie preferences, or via Reddit's own ad-personalisation controls at https://www.reddit.com/settings/account.
If you are visiting from the European Union, the European Economic Area, or the United Kingdom, we display a cookie consent banner on your first visit. You can either click Accept all or click Manage preferences to open a preferences panel that lets you enable or disable cookie categories individually. The four categories are:
If you disable a category (or leave it disabled), no cookies from that category are set and no data is sent to the corresponding processor.
If you are visiting from outside the EU/EEA/UK, we do not display the banner and all non-essential categories (Functional, Analytics and Marketing) are enabled by default, consistent with the law in your jurisdiction. You can manage your choice at any time — regardless of where you are — by clicking the Cookie Settings link in the footer of our website, which re-opens the preferences panel and lets you disable any category. You can also configure your browser to reject cookies, though this may affect certain functionality of the Service.
We honour the "Reject" choice on our cookie banner as the authoritative signal for your analytics preferences. Browser-level "Do Not Track" signals are not a reliable or universally supported standard, so we do not rely on them as an alternative to the on-site banner.
In addition to the transactional emails that are essential to the Service (such as availability alerts, receipts, password resets and account notices), we may send you:
How to opt out: Every marketing email contains a one-click unsubscribe link in the footer. You may also email us at info@tablealert.app and we will remove you from all marketing lists within 72 hours. Opting out of marketing emails does not affect transactional emails, which remain necessary for the Service to function.
We do not sell, rent or share your email address with any third party for their own marketing purposes. Marketing emails are sent exclusively by us through our email processor (Postmark), listed in Section 5.
We do not sell your personal data. We share your personal data only in the following circumstances:
We engage trusted third-party service providers to help us operate the Service. These providers process your data on our behalf and under our instructions, in accordance with data processing agreements that comply with Article 28 of the GDPR.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | EU-US Data Privacy Framework; Standard Contractual Clauses |
| Hetzner | Infrastructure and hosting | United States | EU-US Data Privacy Framework |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery (availability alerts, receipts, password resets, account notices) and — with your consent — newsletter, product-update and signup-reminder emails | United States | EU-US Data Privacy Framework; Standard Contractual Clauses |
| Google Analytics 4 (Google LLC) | Website analytics and conversion measurement | United States | EU-US Data Privacy Framework; Standard Contractual Clauses; IP anonymisation; Consent Mode v2 |
| Google Tag Manager (Google LLC) | Tag management for analytics and marketing pixels | United States | EU-US Data Privacy Framework; Standard Contractual Clauses |
| Reddit Inc. | Advertising attribution and conversion measurement (Reddit Pixel and Reddit Conversions API). Receives hashed email, hashed IP, browser User-Agent, and Reddit click ID, only when marketing cookies are accepted. | United States | EU-US Data Privacy Framework; Standard Contractual Clauses; consent-gated |
We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change.
Hospitality Labs is based in the Netherlands. Some of our service providers are located outside the European Economic Area ("EEA"), particularly in the United States.
When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, including:
You may request a copy of the safeguards we have in place by contacting us.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period |
|---|---|
| Account Data | Duration of Account, plus up to 30 days after deletion |
| Preference Data | Duration of Account; deleted when Account is deleted |
| Payment and Billing Data | Duration of Account, plus up to 7 years (tax/accounting obligations) |
| Usage and Log Data | Up to 12 months, then anonymised or deleted |
| Communication Data | Up to 24 months from last communication |
| Alert Interaction Data | Up to 12 months, then anonymised or deleted |
| Marketing Consent Records | Duration of Account, plus 3 years after withdrawal |
| Newsletter and product-update subscriber records | Until you unsubscribe, plus 3 years for proof of consent |
| Signup-reminder drip state (for users who did not complete checkout) | Up to 30 days after the final reminder email, then deleted |
| Analytics data (Google Analytics 4) | 14 months (GA4 default); aggregated reports retained indefinitely |
After the applicable retention period, we will securely delete or anonymise your personal data.
As a data subject under the GDPR, you have the following rights:
To exercise any of these rights, please contact us at info@tablealert.app. We will respond within one month.
We implement appropriate technical and organisational measures to protect your personal data, including encryption of data in transit (TLS/SSL) and at rest, secure hashing of passwords, and access controls limiting data access to authorised personnel.
In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and notify you directly where the risk is high.
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you believe that a child under 18 has provided us with personal data, please contact us at info@tablealert.app.
The Service may contain links to third-party websites, including restaurant reservation platforms. This Privacy Policy applies only to the Service. We encourage you to review the privacy policies of any third-party services you visit.
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you. Any enforcement action under our Fair Use Policy involves human review.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you by email or by a prominent notice on the Service at least thirty (30) days before the changes take effect.
If you have any questions about this Privacy Policy, please contact us at:
Hospitality Labs
Email: info@tablealert.app