MenuDetay

Privacy Policy

Last updated: 10 March 2026

1. Who We Are

Tabless ("we", "us", "our") operates a commission-free digital menu and ordering platform for restaurants in the United Kingdom. Our registered contact email for data protection matters is privacy@tabless.co.uk.

2. Data We Collect

We collect and process the following categories of personal data:

  • Restaurant owners/staff: email address, name, and account credentials (collected at registration).
  • QR scan data: anonymised device hashes to count unique scans per day. We do not store IP addresses or device identifiers in a way that can identify individual diners.
  • Orders: items ordered, table number, order timestamps, and payment status.
  • Payments: payment method type and confirmation status. We do not store card numbers or bank account details of diners.

3. Lawful Basis for Processing

We process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 on the following legal bases:

  • Contract: processing necessary to deliver the Tabless service to restaurant owners.
  • Legitimate interest: anonymised QR scan counting for billing purposes.
  • Legal obligation: financial record-keeping as required by UK law.

4. Cookies and Tracking

Tabless does not use cookies for advertising or analytics tracking. We use only the essential session cookies required by our authentication provider (Supabase Auth) to keep you signed in. No third-party tracking cookies are set.

5. Data Retention

  • Orders: retained for 2 years from creation, after which they are automatically deleted.
  • QR scan records: retained for billing and invoicing purposes for the duration of the account plus 6 years (as required by HMRC).
  • Invoices and financial records: retained for 6 years in accordance with UK tax obligations.
  • Account data: retained until you delete your account or request erasure.

6. Data Sharing

We do not sell your personal data. We share data only with:

  • Supabase: our infrastructure provider for database hosting and authentication.
  • OpenRouter: for AI-powered features (menu suggestions). Only anonymised restaurant data is sent.

7. Your Rights Under UK GDPR

You have the right to:

  • Access: request a copy of your personal data.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your data (subject to legal retention requirements).
  • Portability: receive your data in a structured, commonly used format.
  • Object: object to processing based on legitimate interest.
  • Restriction: request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at privacy@tabless.co.uk or use the data export and deletion features in your account settings.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), row-level security policies on our database, and strict access controls.

9. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page indicates when the policy was last revised.