Privacy Policy
Last updated: 13 April 2026
1. Introduction
This Privacy Policy explains how personal data is collected, used, stored, and shared when you use websites, web applications, mobile applications, booking widgets, APIs, and related services operated under the Yiasemis Collection brand (together, the “Services”), including the table reservations product branded as “Table Circuit”.
Depending on how you interact with us, different companies may act as controller (they decide why and how data is used) or processor (they handle data on another party's instructions). Where a restaurant, hotel, or other venue (“Venue”) uses our software to run their business, that Venue is typically the controller of guest and staff data processed in their account, and we process such data on documented instructions as a processor. Where we determine the purposes of processing for our own operations (for example account administration, security monitoring of our platform, or product analytics tied to our legitimate interests), we act as a controller. If you are unsure who is responsible in your case, contact us using the details at the end of this policy and we will help route your request.
This policy is written to align with common requirements under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and comparable laws. It does not waive protections that mandatory local laws grant you.
2. Data we may collect
We may process the following categories of personal data, depending on your role:
- Account and profile: name, email address, phone number, job title or role, organisation, username, password hash, security preferences, profile photo if you upload one, language and time zone, and marketing preferences where applicable.
- Authentication and security: sign-in logs, device or session identifiers, IP address, multi-factor authentication factors (for example TOTP seeds managed by our auth provider), trusted-device records, and fraud-prevention signals.
- Operational data (Table Circuit and related modules): reservation details (date, time, party size, table or area, special requests), guest contact details, notes entered by staff, communications sent through the platform (for example confirmation or reminder messages), pre-order or deposit metadata, waitlist entries, and audit or change logs required for service integrity.
- Payments: when payments or card storage are enabled, our payment partners (such as Stripe) process card numbers and verification data. We typically receive limited tokens, last four digits, brand, expiry, and transaction status — not full card numbers.
- Communications: messages you send to support, feedback forms, and records of consents or legal notices you accept.
- Technical and usage data: browser type, operating system, app version, crash diagnostics, approximate location derived from IP, and product usage events used to maintain, secure, and improve the Services.
- Widget and public booking flows: data you submit when booking as a guest, including contact fields required by the Venue.
3. Sources
We obtain personal data from:
- Information you provide directly;
- Venues and authorised users who administer accounts on your behalf;
- Automated technologies when you use our apps and sites;
- Service providers who assist with hosting, email delivery, analytics, or payments;
- Publicly available sources only where permitted and relevant (for example company registrations for billing verification).
4. Purposes and legal bases (EEA, UK, and similar jurisdictions)
Where GDPR-style rules apply, we rely on one or more of the following legal bases:
- Contract (Art. 6(1)(b)): providing the Services you or your Venue requested, including reservations, messaging, authentication, and support.
- Legitimate interests (Art. 6(1)(f)): securing the platform, detecting abuse, improving features, analysing aggregated usage, and managing business operations, balanced against your rights.
- Legal obligation (Art. 6(1)(c)): tax, accounting, or regulatory compliance where applicable.
- Consent (Art. 6(1)(a)): optional cookies or marketing communications where we ask for consent separately. You may withdraw consent at any time without affecting prior processing that was lawful.
- Vital interests or public task: only in rare cases required by law.
5. Cookies and similar technologies
We use cookies and local storage as needed for session management, security, preferences, and (where enabled) analytics. Where required, we will present a consent banner or preference centre for non-essential cookies. You can control cookies through your browser settings; disabling strictly necessary cookies may affect sign-in.
6. Sharing and subprocessors
We share personal data with a limited set of categories of recipients: cloud hosting and database providers (for example Supabase for authentication and data storage), payment processors (for example Stripe), email and notification providers (for example Resend or comparable services), error monitoring or logging tools, and professional advisers bound by confidentiality. Venues may also export or connect data to their own tools according to their policies.
We require subprocessors who handle personal data to provide appropriate contractual commitments, including Standard Contractual Clauses or equivalent safeguards for international transfers where relevant.
7. International transfers
Our infrastructure or subprocessors may be located outside your country, including in the United States or the European Economic Area. Where GDPR applies, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by technical and organisational measures. You may request a copy of relevant transfer mechanisms by contacting us.
8. Retention
We retain personal data only as long as necessary for the purposes described, including to satisfy legal, accounting, or reporting requirements. Retention periods vary by data category: security logs may be kept for months; contract and billing records for years as required by law; guest reservation data may be retained according to Venue configuration and statutory hospitality or tax rules. When data is no longer needed, we delete or anonymise it where feasible.
9. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, role-based permissions, logging, and secure development practices. No method of transmission or storage is completely secure; if you believe your interaction with us has been compromised, notify us promptly.
10. Your rights
Depending on your location, you may have rights to access, rectify, erase, restrict, or object to certain processing, and to data portability. You may also lodge a complaint with a supervisory authority. Where we act as processor for a Venue, we may need to forward your request to that Venue for action on their instructions.
To exercise rights against us as controller, email privacy@yiasemis.com. We will verify your identity before fulfilling requests and respond within the timelines required by applicable law (often within one month, extendable where permitted).
11. California residents (CCPA/CPRA)
California residents may have the right to know, delete, and correct personal information, and to opt out of certain “sharing” or “selling” as defined by California law. We do not sell personal information for money. Where targeted advertising uses personal information in scope of “sharing,” we will honour opt-out signals such as the Global Privacy Control where required once our cookie tooling is configured for your deployment.
You may designate an authorised agent; we may require proof of authorisation. We will not discriminate against you for exercising privacy rights.
12. Other regions
If you reside in Brazil (LGPD), Canada, Switzerland, Japan, South Korea, Australia, or other jurisdictions with privacy laws, you may have comparable rights. Contact us and we will respond in line with applicable requirements.
13. Children
The Services are not directed to children under 16 (or the higher age required locally). Venues should not collect children's data through Table Circuit except where legally permitted and with appropriate consent. If you believe we have collected a child's data inappropriately, contact us for deletion.
14. Automated decision-making
We do not use personal data for solely automated decisions that produce legal or similarly significant effects unless we expressly notify you, explain the logic, and provide meaningful human review rights where required.
15. Changes
We may update this Privacy Policy to reflect product, legal, or regulatory changes. We will revise the “Last updated” date and, where changes are material, provide additional notice (for example by email or in-product banner).
16. Contact
Questions about this Privacy Policy or our privacy practices: privacy@yiasemis.com.