Privacy Policy
Last updated: March 2026
This Privacy Policy describes how TabbPay ("we", "our", or "us") collects, uses, and protects the personal data of visitors to this website and users of the TabbPay platform.
1. Data Controller
TabbPay is the data controller for personal data collected through this website and the TabbPay platform. For questions about this policy, contact us at privacy@tabbpay.com.
2. What Data We Collect
Venue Owners & Managers
When you create a TabbPay account we collect:
- Your name and email address (via Clerk authentication)
- Your restaurant name, address, and business details
- Bank account / IBAN details (for Stripe Connect or Viva Wallet payouts, stored by the respective payment provider, not by us)
- Subscription and billing records
Restaurant Guests
When a guest uses TabbPay to order and pay at a venue:
- Table session identifiers (no guest login required)
- Order content (items, quantities, price), linked to the table session only
- Payment confirmation references (we receive a token from Viva Wallet / Stripe; we do not store card numbers)
We deliberately minimise the collection of personally identifiable guest information in line with GDPR data minimisation principles.
3. Legal Basis for Processing
We process personal data under the following legal bases:
- Account management (owners): performance of contract
- Processing guest orders: legitimate interest in restaurant operations
- Analytics and improvements: legitimate interest
- Marketing communications: only with your consent
4. How We Use Your Data
- To operate and improve the TabbPay platform
- To process payments and transfer funds to venues
- To provide customer support
- To send service-related notifications (e.g. trial expiry reminders)
- To comply with legal obligations (invoicing, tax, fraud prevention)
We will never sell your data to third parties or use it for targeted advertising.
5. Data Sharing
We share personal data only where necessary:
- Stripe / Viva Wallet to process payments. Both providers are PCI-DSS Level 1 certified.
- Clerk to manage authentication. Clerk stores only email and organisation data.
- Our hosting infrastructure on AWS / Vercel, both with EU data residency options.
- Legal authorities where required by applicable law.
6. Data Retention
- Account data is retained for as long as the account is active and for 7 years after closure (tax/audit requirements).
- Guest session and order data is retained for 90 days, then anonymised.
- Event logs are retained for 1 year.
7. Your Rights Under GDPR
As a data subject you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time
To exercise any right, email privacy@tabbpay.com. We will respond within 30 days.
8. Cookies
TabbPay uses only essential session cookies for authentication and security. See our Cookie Policy for details.
9. Security
We implement industry-standard security measures: HTTPS everywhere, encrypted data at rest, access controls, and regular security reviews. Payment card data is never processed or stored by TabbPay. It is handled entirely by Viva Wallet or Stripe.
10. Changes to This Policy
We may update this policy from time to time. We will notify account holders by email of any material changes.