Privacy Policy

The controller of personal data is Grata Oy, a company incorporated under Finnish law with registered office at Helsinki, Finland, Y-tunnus 0756383-4 (EU VAT FI07563834), operator of the tavolameet.com platform.

To exercise the rights provided by the GDPR or for any matter relating to the processing of data, the controller may be contacted at privacy@tavolameet.com.

Depending on the interaction with the Platform, TavolaMeet processes the following categories of data:

• Registration data: first name, last name, email, password (hashed with bcrypt), role (Guest/Host/Admin), preferred language.
• Profile data: profile picture, city of operation, description, contact details.
• Payment data: handled entirely by Stripe Payments Europe Ltd. TavolaMeet does not store card data. It only stores Stripe identifiers (customer ID, charge ID).
• Additional Host data: address where events are held, VAT number (for Restaurant Host), Stripe Connect onboarding data, Stripe Identity verification.
• Generated content: event descriptions, photos of food and venue, reviews, reports.
• Technical data: IP address, user-agent, access timestamps, security logs, acceptance of the terms with legal evidence (version + IP + UA).

3.1Performance of the contract (Art. 6.1.b GDPR): account management, bookings, payments, transactional communications (confirmations, receipts, reminders).

3.2Legal obligation (Art. 6.1.c GDPR): retention of invoices and tax reports (10 years), GDPR consent audit trail, KYC/anti-money-laundering for payments.

3.3Legitimate interest (Art. 6.1.f GDPR): fraud prevention, security of the Platform, moderation through the reporting system, internal aggregated statistics.

Data may be disclosed to the following parties, appointed as data processors under Art. 28 GDPR:

• Stripe Payments Europe Ltd. (Ireland) — payment processing, Host KYC, identity verification.
• Resend, Inc. (USA) — sending of transactional emails. Transfer based on Standard Contractual Clauses.
• Cloudflare, Inc. (USA) — hosting of photos and static objects (R2). Transfer based on Standard Contractual Clauses.
• Hostinger International Ltd. (Cyprus) — application and PostgreSQL database hosting.
• Judicial and police authorities — only upon formal legal request.

• Account data: for the entire duration of the account, plus 12 months after deletion for security reasons.
• Booking and invoicing data: 10 years (Italian civil and tax obligation).
• Security logs and consent audit trail: 5 years.
• Reviews and public content: remain visible even after account deletion, in anonymised form.

The data subject may exercise at any time the rights provided by Articles 15-22 of the GDPR, by writing to privacy@tavolameet.com:

• right of access to one's data;
• right of rectification;
• right to erasure (right to be forgotten), compatible with legal retention obligations;
• right to restriction of processing;
• right to data portability;
• right to object;
• right to lodge a complaint with the competent supervisory authority — for Italian data subjects the Garante per la protezione dei dati personali (garanteprivacy.it), for Finnish data subjects the Tietosuojavaltuutetun toimisto (tietosuoja.fi).

Some providers (Stripe Identity USA, Resend, Cloudflare) operate outside the European Economic Area. Transfers are based on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914).

TavolaMeet adopts adequate technical and organisational measures: password hashing with bcrypt, HTTPS with TLS 1.3 throughout, database network isolation, access via SSH key, logging of administrative access, daily backups.

This Notice may be updated at any time; any material changes will be notified by email with 15 days' notice.