Privacy Policy
This Privacy Policy explains how Seats at, LLC (“seatsat”, “we”, “us”) collects, uses, and protects personal data when you visit seatsat.com, use app.seatsat.com, or make a reservation through a restaurant that uses seatsat.
1. Who we are
The data controller is Seats at, LLC, a limited liability company organised in Delaware, United States, with its registered address at 131 Continental Dr, Newark, DE 19702, USA. You can reach us about privacy at privacy@seatsat.com.
Data Protection Officer: Not appointed — the Article 37 thresholds (large-scale systematic monitoring, or large-scale special-category processing) are not met by the service. As we are established outside the EU/UK, our Article 27 representative is Gianluca Esposito, contact at gianluca@seatsat.com.
A note on roles: for the reservation, guest, and menu data a restaurant manages through seatsat, the restaurant is the controller and seatsat acts as its processor under a Data Processing Agreement. This policy covers the data for which seatsat itself is the controller (operator accounts, billing, website visitors).
2. Information we collect
2.1 Information you provide
- Account and profile: name, email, password, preferred language.
- Restaurant and venue details you enter (name, address, hours, menus, booking settings).
- Billing information, handled by our payment provider — we do not store full card numbers (see §4).
- Reservation and guest data your team enters or receives through the product.
- Anything you send us in support requests or messages.
2.2 Information we collect automatically
Usage data, device and browser information, IP address, and similar technical data, including via cookies and similar technologies — see our Cookie Policy.
2.3 Information from third parties
If you sign in with or connect a third-party service (like the optional Google Calendar synchronisation, operator-initiated via Google's API, and Stripe-hosted checkout + billing portal for payments.), we receive the data that service shares with us.
3. How we use your information
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide and operate the service | Performance of a contract |
| Billing and subscription management | Performance of a contract |
| Transactional notifications (e.g. booking confirmations) | Performance of a contract |
| Security, fraud prevention, and debugging | Legitimate interests |
| Product analytics and improvement | Legitimate interests (Art 6(1)(f)) — we use PostHog for cookieless, anonymous product analytics. No cookies or other storage are read from or written to your device, and we do not identify you or build profiles; the data is aggregate and used only to understand and improve the service. |
| Marketing communications | Consent |
| Complying with legal obligations | Legal obligation |
4. How we share your information
4.1 Service providers (sub-processors)
We share personal data with the vendors that help us run seatsat. Confirm and complete this list against your live stack:
| Provider | Purpose | Location | Policy |
|---|---|---|---|
| Stripe | Payments & subscription billing | US / EU | https://stripe.com/privacy |
| Vercel | Application hosting, CDN & background jobs | US / EU | https://vercel.com/legal/privacy-policy |
| Resend | Transactional email (booking + account notifications) | United States | https://resend.com/legal/privacy-policy |
| Optional operator calendar synchronisation (Calendar API) | US / EU | https://policies.google.com/privacy | |
| PostHog | Cookieless, anonymous product analytics (no guest data; operator/visitor usage only) | European Union (Frankfurt) | https://posthog.com/privacy |
| Neon (a Databricks company) | Managed Postgres database (data storage) | European Union (Frankfurt) | https://www.databricks.com/legal/privacynotice |
4.2 Legal and safety
We may disclose data where required by law or to protect our rights, our users, or the public.
4.3 Business transfers
If seatsat is involved in a merger, acquisition, or asset sale, data may transfer as part of that transaction.
4.4 With your consent
We share data in other ways only with your consent. We do not sell personal data.
5. International data transfers
seatsat is operated from the United States, and our providers may process data in The European Union and the United States, where our hosting, payment, email, calendar and analytics providers operate. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards recognized under applicable data protection law, including the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.
6. Data retention
| Data | Retained for |
|---|---|
| Account & profile | 60 days after account closure |
| Reservation / guest records | for the duration of the agreement; then deleted or returned to the operator as set out in the DPA |
| Billing & invoices | 7 years, or longer where required by applicable tax, accounting, or regulatory obligations. |
| Logs & analytics | 180 days |
| Marketing data | Until consent is withdrawn |
7. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, and port your personal data, to object to processing, and to withdraw consent at any time. To exercise these rights, email privacy@seatsat.com.
You also have the right to lodge a complaint with a supervisory authority. Seats at, LLC is not established in the European Union and therefore does not have a lead supervisory authority under the GDPR one-stop-shop mechanism. Regulatory communications may also be directed through our appointed EU representative.
Automated decision-making: We do not carry out automated decision-making that produces legal or similarly significant effects.
8. Security
We protect personal data with encryption in transit (TLS) and at rest, access controls, and Encryption in transit (HTTPS/TLS) and at rest; least-privilege access controls; a fail-fast configuration/secrets contract validated at start-up; managed, access-controlled application hosting and database; and signed, signature-verified payment webhooks. No method of transmission or storage is completely secure.
9. Children’s privacy
seatsat is not directed to children and is not intended for anyone under 16. We do not knowingly collect their personal data.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified through the service or by email; the “last updated” date above always reflects the current version.
11. Contact us
Questions about this policy or your data: privacy@seatsat.com, or write to Seats at, LLC, 131 Continental Dr, Newark, DE 19702, USA.
12. Region-specific information
Additional rights may apply to individuals located in certain jurisdictions, including the European Economic Area, the United Kingdom, and Switzerland. If applicable privacy laws grant you additional rights regarding your personal data, we will honor those rights as required by law.