Privacy Policy

Last updated: 28 May 2026 · Effective: 28 May 2026

This Privacy Policy explains how EasyReza ("EasyReza", "we", "us") collects, uses, shares and protects personal data when you visit our website, sign up for an account, or make a reservation through a restaurant that uses EasyReza.

We comply with the Swiss Federal Act on Data Protection (revFADP, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Who we are (Data Controller)

EasyReza is currently operated by an individual data controller based in Valais, Switzerland, acting as a sole proprietorship (raison individuelle).

Trading name: EasyReza

Jurisdiction: Canton of Valais, Switzerland

Privacy contact: privacy@easyreza.com

General contact: hello@easyreza.com

Transparency notice. The full legal name and registered address of the controller are not published on this page for personal privacy reasons but are available on request by emailing privacy@easyreza.com. We will respond within 5 working days.

EasyReza is in the process of being incorporated as a Swiss limited liability company (Sàrl). Once incorporated, this section will be updated to publish the company name, registered address and commercial register (CHE) number.

We have not appointed a Data Protection Officer. Privacy enquiries are handled directly by the controller via the email address above.

2. Our role: controller vs. processor

EasyReza is used by two distinct groups of people, and our legal role differs accordingly:

  • Restaurant clients — when a restaurant subscribes to EasyReza, we act as controller of the restaurant's account data (owner contact details, business information, billing, login credentials) and as processor for the reservation data the restaurant collects from its own guests.
  • Guests booking a table — when you book through a restaurant's public booking page, the restaurant is the controller of your reservation data. EasyReza processes that data strictly on the restaurant's behalf under a Data Processing Agreement (DPA) that forms part of our Terms of Service.

For privacy questions about a specific reservation, contact the restaurant directly. We will support the restaurant in fulfilling your request as required by law.

3. What personal data we collect

a) Restaurant account data (we are controller)

  • Identification: name, email address, phone number, role at the restaurant
  • Business information: restaurant name, address, opening hours, table layout, capacity rules
  • Authentication: hashed password, session tokens, multi-factor settings
  • Billing data: subscription plan, billing email; payment card data is collected directly by our payment provider and is not stored on our servers
  • Communications: support tickets, email exchanges, in-app messages

b) Guest reservation data (we are processor on behalf of the restaurant)

  • Identification: first name, last name, email, phone number
  • Reservation details: date, time, party size, special requests, allergies (if you disclose them), table preferences
  • History with the restaurant: prior visits, no-shows, notes added by restaurant staff, VIP/blacklist status

c) Technical data (we are controller)

  • IP address, user-agent, language, time zone, device identifiers
  • Aggregate, anonymous usage statistics (pages viewed, performance metrics) via Vercel Analytics
  • Cookie and local storage entries — see our Cookie Policy

We do not knowingly collect data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, or other special-category data within the meaning of GDPR Art. 9 / revFADP Art. 5(c). Allergy information disclosed in a reservation is treated as sensitive and is only used to serve you.

4. Why we process your data (purposes & legal bases)

PurposeLegal basis (GDPR / revFADP)
Create and operate your restaurant account; provide the reservation management servicePerformance of contract (Art. 6(1)(b) GDPR / revFADP Art. 31(2)(a))
Process reservations on behalf of the restaurant; send booking confirmations and remindersContract with the restaurant (Art. 6(1)(b) GDPR); for guests, the restaurant's legal basis applies
Security, fraud prevention, abuse detection, audit logsLegitimate interests (Art. 6(1)(f) GDPR)
Service improvement, debugging, anonymised analyticsLegitimate interests; for non-essential analytics cookies, your consent (Art. 6(1)(a) GDPR)
Comply with Swiss tax, accounting and other legal obligationsLegal obligation (Art. 6(1)(c) GDPR; Swiss CO Art. 958f)
Marketing emails (newsletters, product updates) to restaurant clientsYour consent, or legitimate interest in existing-customer communications (with an opt-out in every email)

5. Who we share your data with (subprocessors)

We rely on a small set of vetted service providers ("subprocessors") to operate EasyReza. Each is bound by a written data processing agreement and confidentiality obligations.

ProviderPurposeHosting location
Supabase, Inc.Database, authentication, file storageSwitzerland (Zurich region) — data stays in Switzerland
Vercel, Inc.Application hosting, edge network, privacy-friendly analyticsEuropean edge regions; control plane in the United States
Twilio SendGrid, Inc.Transactional email delivery (booking confirmations, account emails)United States

We may disclose personal data to: (a) competent authorities where required by law or court order; (b) professional advisors (lawyers, accountants) under confidentiality; and (c) a successor entity in the context of a merger, acquisition or asset sale, in which case you will be notified.

We do not sell personal data. We do not engage in targeted advertising or profiling for advertising purposes.

6. International data transfers

Our primary data store (Supabase) is hosted in Switzerland, which the EU recognises as offering an adequate level of data protection and which is the home jurisdiction for restaurant clients in Switzerland.

Some subprocessors (Vercel, SendGrid) are US-based or may process limited operational data in the United States. Where transfers of personal data outside Switzerland/EEA occur, we rely on:

  • EU Standard Contractual Clauses (SCCs) and, where relevant, the Swiss equivalent issued by the FDPIC;
  • the EU-US Data Privacy Framework and its Swiss extension, where the provider is certified;
  • supplementary technical measures such as TLS in transit and encryption at rest.

A copy of the relevant transfer mechanism is available on request at privacy@easyreza.com.

7. How long we keep your data (retention)

Data categoryRetention period
Restaurant account & profileFor the lifetime of the account, plus 12 months after closure
Guest reservation data24 months after the reservation date, unless the restaurant configures a shorter period
Billing, invoices & accounting records10 years (Swiss Code of Obligations, Art. 958f)
Security & audit logs12 months
Support correspondence36 months from last interaction

When the retention period ends, data is deleted or irreversibly anonymised.

8. Your rights

Subject to the conditions of the revFADP and GDPR, you have the following rights regarding your personal data:

  • Access — obtain confirmation of whether we process your data and a copy of it.
  • Rectification — have inaccurate or incomplete data corrected.
  • Erasure ("right to be forgotten") — have your data deleted, subject to legal retention obligations.
  • Restriction — limit our processing while a dispute or correction is pending.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — where processing is based on consent, at any time, without affecting prior lawful processing.
  • Automated decisions — we do not subject you to fully-automated individual decisions producing legal or similarly significant effects.
  • Lodge a complaint with a supervisory authority (see Section 11).

To exercise any of these rights, email privacy@easyreza.com. We respond within 30 days; complex requests may be extended once by an additional 60 days with notice.

9. Security

We implement technical and organisational measures appropriate to the risk, including:

  • TLS encryption for all data in transit
  • Encryption at rest for the database and file storage
  • Strict access controls, with administrator access limited to named individuals
  • Row-level security policies that isolate each restaurant's data from others
  • Hashed and salted passwords; secure session token rotation
  • Regular backups and disaster-recovery procedures
  • Subprocessor due-diligence and contractual safeguards

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required, and inform affected individuals without undue delay.

No system can guarantee absolute security. You are responsible for keeping your account credentials confidential.

10. Children

EasyReza is intended for restaurant professionals and adult diners. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Supervisory authorities & complaints

You always have the right to lodge a complaint with a competent data protection authority:

  • Switzerland — Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern. www.edoeb.admin.ch
  • EU/EEA — the supervisory authority of your country of residence, place of work, or place of the alleged infringement. A directory is available on the European Data Protection Board website: edpb.europa.eu.

We would appreciate the chance to address your concerns first — please email us at privacy@easyreza.com before escalating.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our service, in applicable law, or in subprocessor arrangements. Material changes will be notified by email to active restaurant account holders or by an in-product notice at least 30 days before they take effect. Non-material changes (typos, clarifications) take effect on publication. The "Last updated" date at the top of this page always reflects the current version.

13. Contact us

For any question relating to this Privacy Policy or our handling of your personal data, please write to privacy@easyreza.com.