Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Easy Eatery Terms of Service (the “Terms”) between Easy Eatery (“Processor”, “we”, “us”) and the subscribing customer (“Controller”, “you”).

This DPA applies where Easy Eatery processes personal data on your behalf in connection with the Service.

Last Updated: 1st January 2026

1. Roles of the Parties

For the purposes of the UK General Data Protection Regulation (“UK GDPR”):

  • You act as the Data Controller.
  • Easy Eatery acts as the Data Processor.
  • Third-party payment processors (such as Stripe) act as independent Data Controllers in relation to payment data processed through their systems.

Nothing in this DPA relieves you of your obligations as Data Controller under UK GDPR.

2. Subject Matter and Duration

This DPA applies for the duration of your subscription to the Service and any post-termination data retention period specified in the Terms.

Processing relates to personal data submitted to or collected through your website and related platform functionality.

3. Nature and Purpose of Processing

Easy Eatery processes personal data solely for the purpose of providing the Service, including:

  • Hosting and operating your website
  • Managing bookings
  • Enabling gift voucher functionality
  • Maintaining customer address book functionality
  • Sending transactional communications (such as booking confirmations and voucher delivery emails)
  • Providing customer support

Easy Eatery does not send marketing communications to data subjects on your behalf.

4. Categories of Data Subjects

Data subjects may include:

  • Your customers
  • Website visitors
  • Voucher purchasers
  • Your authorised staff users

5. Categories of Personal Data

Personal data processed may include:

  • Name
  • Email address
  • Telephone number
  • Booking details
  • Voucher purchase information
  • IP address
  • Browser and device information

Payment card information is processed solely by your payment processor and is not stored or controlled by Easy Eatery.

6. Processor Obligations

Easy Eatery shall:

  • Process personal data only on your documented instructions (including these Terms and this DPA)
  • Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to protect personal data
  • Assist you, where reasonably possible, in responding to data subject rights requests
  • Notify you without undue delay upon becoming aware of a personal data breach affecting your data
  • Inform you if, in our opinion, an instruction infringes applicable data protection law
  • Delete or return personal data in accordance with Section 11

7. Security Measures

Easy Eatery implements appropriate technical and organisational measures designed to protect personal data, including:

  • Encrypted data transmission (HTTPS)
  • Secure UK-based hosting infrastructure
  • Role-based access controls
  • Secure authentication procedures
  • Logical separation of customer data

Each customer’s data is stored in a logically separate database environment and is not commingled with data belonging to other customers.

Access to production databases is restricted to authorised personnel only.

8. Sub-Processors

Easy Eatery uses trusted third-party service providers to support delivery of the Service, including:

  • Krystal – UK-based hosting provider (London data centres)
  • Bunny.net – Content delivery network for static assets and images
  • Postmark – Transactional email delivery provider

Where sub-processors process personal data on our behalf, we ensure they are subject to contractual data protection obligations consistent with UK GDPR.

Easy Eatery remains responsible for the acts and omissions of its sub-processors in relation to personal data processing under this DPA.

A current list of sub-processors is available upon request.

9. International Data Transfers

Primary customer data (including booking data and customer database information) is hosted in the United Kingdom.

Certain service providers, including transactional email and content delivery services, may process limited personal data outside the United Kingdom.

Where personal data is transferred outside the United Kingdom, appropriate safeguards will be implemented in accordance with UK GDPR, including reliance on adequacy regulations or approved international data transfer mechanisms where required.

10. Data Subject Rights

You are responsible for responding to data subject requests under UK GDPR.

Easy Eatery will provide reasonable assistance, where technically feasible, to help you fulfil such obligations.

11. Data Retention and Deletion

Upon termination or expiry of your subscription:

  • Personal data will be retained for up to six (6) months.
  • You may request data export during this period.
  • After six (6) months, personal data may be permanently deleted.

Easy Eatery is not responsible for retaining backup copies beyond this retention period.

12. Personal Data Breach Notification

In the event of a personal data breach affecting your data, Easy Eatery will notify you without undue delay after becoming aware of the breach and provide reasonable information to assist you in meeting your regulatory obligations.

13. Liability

Liability arising under this DPA is subject to the limitations of liability set out in the Easy Eatery Terms of Service.

cookieA notice about cookies

We use necessary cookies to make our site work. We would like to set additional cookies to better understand how visitors use our website, enabling us to make improvements. Additionally, we use cookies set by other sites to help deliver content from their services.