Privacy Policy
Effective 30 June 2026 · Version 1
⚠️ DRAFT v0.1 — pending legal review. This document has not yet been reviewed by counsel and may change before formal publication. By using InstaTable, you agree to the terms as published at the time of your access.
1. Who we are
InstaTable is a restaurant reservation, marketing, and guest-management platform operated by InstaTable Limited (in formation). Our entity registration is currently in progress; this notice will be updated when registration completes.
- Trading name: InstaTable
- Contact email: privacy@instatable.net
- Postal address: [To be added when entity registration completes]
- Data Protection contact: privacy@instatable.net
In this Privacy Policy, "we", "us" and "our" mean InstaTable Limited.
2. What this policy covers
This Privacy Policy explains how we collect, use, disclose, store and protect personal information when you interact with:
- our marketing website at instatable.net;
- our restaurant operator dashboard at app.instatable.net;
- our public booking widget hosted at book.instatable.net and embedded on restaurant websites;
- our operations console at op.instatable.net;
- any APIs, emails, SMS, WhatsApp messages, and other communications we send.
This policy is written to meet the requirements of the New Zealand Privacy Act 2020, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL), and the EU/UK General Data Protection Regulation (GDPR / UK GDPR) where it applies.
3. Important note about restaurants and guests
InstaTable is a Software-as-a-Service used by restaurants (our "tenants") to manage their own bookings, guest lists, marketing and gift cards.
- When you, as a guest, make a booking through a restaurant that uses InstaTable, you are entering into a relationship with the restaurant, not with InstaTable. The restaurant decides what guest information to collect, how to use it, and how long to keep it.
- For guest data, the restaurant is the data controller (PIPEDA) / agency holding personal information (NZ Privacy Act) / controller (GDPR). InstaTable is the data processor / service provider acting on the restaurant's documented instructions under our Data Processing Addendum.
- If you have a privacy question about a specific booking, please contact the restaurant directly first. We will assist the restaurant in responding.
For our own marketing website, our operator accounts, and any direct dealings with you, InstaTable is the controller and this policy applies in full.
4. Information we collect
4.1 From tenants (restaurants and their staff)
When a restaurant signs up for, or applies to join, InstaTable, we collect:
- account information — name, email, password (hashed), phone, role;
- business information — restaurant name, address, city, country, number of tables, current system, business description;
- billing information — billing name, address, tax number where applicable, last 4 digits of card or payment reference held by our payment processor (we do not store full card numbers);
- communications — emails, support messages, onboarding answers.
4.2 From guests of restaurants
When a guest books a table, redeems a gift card, or joins a waitlist through a restaurant using InstaTable, we process on the restaurant's behalf:
- name, email address, phone number;
- party size, date, time, table preference;
- dietary requirements, allergies, accessibility notes, special occasion notes (only if the guest provides them);
- booking history with that restaurant;
- marketing consents (separate flags for email, SMS, and WhatsApp);
- gift-card purchases, balances and redemption history;
- any free-text notes the guest leaves for the restaurant.
4.3 Automatically collected information
When you visit our websites or use our dashboards, we and our service providers automatically collect:
- IP address, approximate location derived from IP;
- device type, operating system, browser, screen size;
- referring URL, pages viewed, actions taken, timestamps;
- cookies and similar identifiers (see our Cookie Policy);
- error and performance logs.
4.4 Information from third parties
We may receive information from:
- payment processors (Cashfree initially; Stripe Connect in future) — confirming a transaction succeeded or failed;
- email delivery providers (Brevo, Resend) — bounce, complaint and delivery events;
- authentication providers (Supabase Auth) — sign-in metadata.
5. Legal bases for processing
We rely on the following lawful bases, drawn from GDPR and applied as best practice in NZ and Canada:
- Performance of a contract — to provide the platform to tenants, process bookings and gift cards, deliver transactional emails (booking confirmations, reminders), and bill subscriptions.
- Consent — to send you marketing communications (emails, SMS, WhatsApp), to set non-essential cookies (analytics, marketing), and to process special categories of information where required.
- Legitimate interests — to keep the platform secure, prevent fraud and abuse, troubleshoot, improve our products, and run direct marketing to existing operator customers about features similar to those they already use, subject to your right to object.
- Legal obligation — to keep accounting records, respond to lawful requests from regulators or courts, and comply with anti-money-laundering and consumer-protection requirements.
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing.
6. How we use information
We use the information we collect to:
- create and manage tenant accounts and operator logins;
- accept, modify and cancel bookings, waitlist entries and gift-card transactions;
- send transactional messages (booking confirmations, reminders, receipts, account notices);
- process subscription payments and marketing-credit top-ups;
- send marketing campaigns on behalf of restaurants — only to guests who have given the appropriate consent;
- send our own marketing about InstaTable features and updates to operators who have not opted out;
- detect and prevent fraud, spam, abuse and security incidents;
- improve our product, including aggregated and de-identified analytics;
- meet our legal, tax and accounting obligations.
7. Sharing information
We share personal information only as needed to operate the platform:
- With restaurants — guest information collected through a restaurant's booking widget, marketing forms or gift-card sales is made available to that restaurant in their dashboard. We do not share a guest's data with any other restaurant.
- With service providers ("sub-processors") acting on our written instructions, including:
  - Supabase (database, authentication, file storage — Sydney region for production data);
  - Vercel (web hosting and edge functions);
  - Brevo (transactional and marketing email);
  - Resend (system and onboarding email);
  - Cashfree (payment processing in initial markets);
  - Google (font hosting and, optionally, analytics);
  - Meta (optional marketing pixel, only with consent);
  - Upstash / QStash (background job queues);
  - Twilio or equivalent (SMS and WhatsApp delivery, where enabled).
- With professional advisors — lawyers, accountants and auditors bound by confidentiality.
- With acquirers — if InstaTable is acquired, merged or restructured, personal information may transfer to the successor entity subject to this policy.
- With authorities — where required by law, a binding order, or to protect our rights, safety or property, or those of our tenants and their guests.
We do not sell personal information.
8. International transfers
InstaTable hosts production data in the Supabase Sydney (ap-southeast-2) region. Some of our service providers (e.g. Vercel, Brevo, Resend, Cashfree, Google, Meta) may process data in the United States, the European Union, India, or other jurisdictions.
Where personal information is transferred outside New Zealand, Canada or the EEA/UK, we use one or more of the following safeguards:
- the recipient is in a jurisdiction that the relevant authority has recognised as offering comparable protection;
- the Standard Contractual Clauses (SCCs) issued by the European Commission, where the data of EEA/UK residents is involved;
- contractual data-processing terms requiring the recipient to apply protection materially equivalent to the NZ Privacy Act 2020 and PIPEDA.
A list of our current sub-processors and their locations is available on request from privacy@instatable.net.
9. Retention
We keep personal information only as long as necessary for the purpose for which it was collected:
| Category | Retention |
|---|---|
| Active tenant account data | While the account is active, then 7 years for accounting and tax records |
| Guest booking and gift-card records held for a restaurant | For as long as that restaurant chooses, or 7 years from the last booking by default |
| Marketing consent records | Until consent is withdrawn, then for 3 years to demonstrate compliance |
| Marketing message logs (sends, opens, clicks, bounces) | 24 months |
| Security and access logs | 90 days, longer if needed to investigate an incident |
| Support tickets and emails | 5 years |
| Backups | Up to 30 days rolling, then overwritten |
When data is no longer needed, we delete or de-identify it.
10. Your rights
You have rights over the personal information we hold about you. The exact rights depend on where you live.
10.1 In New Zealand — under the Privacy Act 2020
- the right to access the personal information we hold about you (Information Privacy Principle 6);
- the right to correct information you believe is inaccurate (IPP 7);
- the right to complain to the Office of the Privacy Commissioner (privacy.org.nz) if you believe we have breached your privacy.
10.2 In Canada — under PIPEDA
- the right to access your personal information and be told how it is used and disclosed;
- the right to correct inaccurate information;
- the right to withdraw consent at any time, subject to legal or contractual restrictions;
- the right to complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
If you are in Québec, you also have rights under An Act respecting the protection of personal information in the private sector (Law 25), including the right to be informed of automated decision-making and to request portability.
10.3 In the EU / UK — under GDPR / UK GDPR
- access, rectification, erasure, restriction, portability, and objection;
- the right to withdraw consent at any time;
- the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK).
10.4 In Australia, the US and elsewhere
We will respond to reasonable requests for access, correction and deletion subject to applicable law.
11. How to exercise your rights
To exercise any of these rights, email privacy@instatable.net with:
- enough information for us to verify your identity (we may ask for additional confirmation);
- a clear description of what you would like us to do;
- if you are a guest of a specific restaurant, the name of that restaurant.
We aim to respond within 20 working days (NZ Privacy Act) or 30 days (PIPEDA / GDPR). Where a request is complex or we receive a large number from you, we may extend by a further 60 days and tell you why. There is no fee for reasonable requests.
12. Marketing communications
12.1 By restaurants to their guests
When a restaurant uses InstaTable to send marketing emails, SMS or WhatsApp messages to its guests, the restaurant is responsible for obtaining the consent required by NZ's Unsolicited Electronic Messages Act 2007 (UEMA) and Canada's Anti-Spam Legislation (CASL). We help by:
- collecting separate, granular consents at the time of booking for email, SMS and WhatsApp;
- recording the consent timestamp, IP address and consent text;
- including a clearly identified sender, business contact, and one-click unsubscribe in every marketing email;
- providing STOP/HELP keyword handling for SMS;
- automatically suppressing addresses after a hard bounce, spam complaint or unsubscribe.
12.2 By us to operators
We may email operators about new features, product updates and important changes to the service. These are sent on the basis of legitimate interests (existing customer marketing). You can unsubscribe at any time using the link in any email — your account and transactional notifications will continue.
13. Children
InstaTable is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@instatable.net and we will delete it.
14. Security
We take reasonable steps to protect personal information from loss, misuse, unauthorised access, disclosure, alteration and destruction. Measures include:
- TLS 1.2+ for all data in transit;
- encryption at rest for our primary database and file storage;
- role-based access controls and least-privilege for staff;
- multi-factor authentication for administrative access;
- audit logging of administrative actions;
- regular dependency and infrastructure patching;
- periodic security reviews and penetration testing as the platform grows;
- a documented incident-response process, with notification to affected parties and regulators as required by the NZ Privacy Act 2020, PIPEDA, and GDPR.
No method of transmission or storage is 100% secure. If we become aware of a notifiable privacy breach, we will notify affected individuals and the relevant Privacy Commissioner as required by law.
15. Cookies and similar technologies
We use cookies, local storage and similar technologies to keep you signed in, remember your preferences, measure performance, and (with consent) deliver targeted marketing. See our Cookie Policy at /legal/cookies for full details, including how to change your choices.
16. Changes to this policy
We may update this policy from time to time. For material changes we will notify operators by email and display a banner on the dashboard at least 30 days before the change takes effect, except where a shorter period is required by law. The "Effective" date at the top of this page always shows when the current version came into force.
Older versions are retained in our internal version history and can be supplied on request.
17. Contact
Questions, requests or complaints about this Privacy Policy or our handling of personal information should go to:
- Email: privacy@instatable.net
- Subject line: "Privacy request"
- Postal: [To be added when entity registration completes]
If you are not satisfied with our response, you may contact the supervisory authority in your country (see section 10).