Privacy Policy
Last updated: May 25, 2026
This Privacy Policy explains how Tapeo ("we," "us," or "our") collects, uses, and protects your personal data when you use our platform and website (collectively, the "Service"). This policy complies with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Spanish Organic Law 3/2018 on Data Protection and Digital Rights Guarantee ("LOPDGDD").
1. Data Controller
Tapeo acts as the data controller for your personal data when you use the Service. For data processed on behalf of Merchants (restaurant customers' data), Tapeo acts as a data processor and the Merchant is the data controller. Contact our Data Protection Officer at hola@tapeo.app.
2. Data We Collect
Account Data
Name, email address, phone number (optional), and password (hashed). Restaurant name, country, logo, and restaurant photo (optional).
Usage Data
Menu items, categories, prices, descriptions. Orders, table assignments, and payment records. Dashboard metrics and analytics.
Technical Data
IP address, browser type, and device information. Cookies and similar tracking technologies. Pages visited and interactions with the Service.
3. How We Use Your Data
We use your data for the following purposes: (a) to provide, maintain, and improve the Service (legal basis: contract performance, Art. 6.1.b GDPR); (b) to process orders and payments (contract performance); (c) to send administrative emails such as verification, password reset, and account notifications (contract performance); (d) to contact you via phone for account-related matters if you provided your phone number (contract performance); (e) to analyse usage and improve user experience (legitimate interest, Art. 6.1.f GDPR); (f) to comply with legal obligations (Art. 6.1.c GDPR); and (g) to send marketing communications if you have given consent (Art. 6.1.a GDPR).
4. Legal Basis for Processing
We process your personal data based on the following legal grounds: Contract performance: to provide the Service you requested. Consent: for marketing cookies and optional communications. Legitimate interest: to improve our Service and ensure security. Legal obligation: to comply with applicable laws including tax and accounting regulations.
5. Data Sharing and Third Parties
We share your data only with: (a) payment processors such as Redsys (for payment processing under a data processing agreement); (b) cloud infrastructure providers including Railway (hosting) and Redis (caching); and (c) Google Analytics (anonymised usage data under Google's Data Processing Amendment). We do not sell your personal data to third parties. Where third parties process data outside the European Economic Area, we ensure appropriate safeguards through Standard Contractual Clauses.
6. Data Retention
We retain your data for as long as your account is active. After account deletion, we retain data for 90 days for legal compliance, after which it is permanently deleted. Order records may be retained longer for tax and accounting purposes as required by Spanish law (generally 5 years).
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data (Art. 15 GDPR).
- Rectification: Correct inaccurate data (Art. 16 GDPR).
- Erasure ('Right to be Forgotten'): Request deletion of your data (Art. 17 GDPR).
- Portability: Receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Restriction: Restrict processing of your data (Art. 18 GDPR).
- Objection: Object to processing based on legitimate interests (Art. 21 GDPR).
To exercise these rights, contact us at hola@tapeo.app. We will respond within 30 days as required by law. If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
8. Cookies
We use essential cookies for authentication and security. We also use Google Analytics cookies for anonymous usage analysis. You can manage cookie preferences in your browser settings or see our Cookie Policy for more details.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including: encryption at rest (AES-256) and in transit (TLS 1.3); access controls and authentication; regular security audits; and staff training on data protection. These measures are in line with Art. 32 GDPR.
10. International Transfers
Your data may be processed on servers located in the European Union and the United States. We ensure appropriate safeguards are in place through Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.
11. Children's Privacy
The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal obligations. Changes will be posted on this page with an updated date. Material changes will be notified by email.
13. Contact and Supervisory Authority
Data Protection inquiries: hola@tapeo.app. You may also contact the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at C/ Jorge Juan, 6, 28001 Madrid, Spain, or www.aepd.es.