Privacy Policy

1. Purpose and scope

This Privacy Policy explains how Reserve NI (“we”, “us”) processes personal data when you use reserveni.com and our booking and guest management platform for independent venues in Northern Ireland, including guest-facing booking, communications, payments facilitated through Stripe, and the staff dashboard.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) as it forms part of the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) where they apply, and related UK law.

2. Who is responsible for your data

Reserve NI as controller. We are the data controller for personal data we process to operate our service, authenticate venue users, take subscription payments, provide support, comply with law, and secure our systems.

Venues as controllers. Each venue that uses Reserve NI decides why and how guest data is used for its own bookings and marketing (where permitted). In those situations the venue is typically an independent data controller and we process that data as a processor on the venue's documented instructions, under our agreement with them, unless we are also required to process the same data as controller for our own legal or security purposes (for example fraud prevention).

If you make a booking, you may exercise privacy rights with the venue directly. You can also contact us and we will forward or assist where appropriate.

3. Contact details

Email: hello@reserveni.com (please include “Privacy” in the subject line).

If we need to verify your identity before fulfilling a rights request, we will tell you. Venue staff may use support@reserveni.com for account-related support; privacy rights about your own staff account can still be sent to hello@reserveni.com.

4. Personal data we collect

Guests. When you book or interact with a venue that uses Reserve NI, we may process name, email address, phone number, booking details (time, party size, occasion, dietary or accessibility notes you choose to provide), communications we send on the venue's behalf, and records of confirmations, cancellations, deposits, and no-shows as configured by the venue. Payment card data is collected by Stripe; we do not store full card numbers on our systems.

Venue users and account holders. We process account identifiers (such as email), profile and business details you supply, Stripe or billing references, usage and audit logs needed for security, and correspondence with support.

Website and enquiries. If you contact us via forms or email, we process what you send us and technical metadata needed to deliver the message.

5. Purposes and lawful bases (UK GDPR Article 6)

We process personal data on the following bases, as applicable:

• Contract (Article 6(1)(b)): to provide the Service, manage subscriptions, and facilitate bookings and payments you have asked for.
• Legitimate interests (Article 6(1)(f)): to secure the platform, troubleshoot, improve the Service in ways you would expect, and protect our business and users, balanced against your rights.
• Legal obligation (Article 6(1)(c)): to comply with tax, accounting, or lawful requests from authorities.
• Consent (Article 6(1)(a)): where the law requires consent (for example certain marketing cookies or optional marketing messages), which you may withdraw at any time.

Venues must identify their own lawful bases when they act as controllers for guest data (often contract and legitimate interests for service messages; consent or soft opt-in under PECR for some marketing, depending on context).

6. Special category and criminal offence data

If you give us or a venue health-related or other special category data (for example dietary information that reveals health), we expect venues to collect it only where necessary and lawful. We process it strictly to provide the Service and on appropriate legal grounds (which may include explicit consent or substantial public interest conditions as set out in UK law).

7. Recipients and processors

We share personal data only as needed to run the Service:

• The venue you book with, for operational and customer service purposes.
• Stripe (United States and other locations where Stripe operates): payment services and fraud prevention. Stripe acts as a controller for some processing; see stripe.com/gb/privacy. International transfers rely on appropriate safeguards such as the UK International Data Transfer Agreement or addendum, or adequacy regulations, as applicable.
• Supabase and infrastructure partners: hosting and database services. We configure services to use regions appropriate for our deployment (commonly EU or UK where available).
• SendGrid and Twilio (or equivalent providers): to send email and SMS as configured by you or the venue. Their use is governed by our agreements and their privacy notices.

We do not sell your personal data.

8. International transfers

Some providers may process data outside the UK and European Economic Area. Where we transfer personal data to countries not subject to a UK adequacy decision, we use appropriate safeguards recognised under UK law (such as the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses, or provider-specific transfer mechanisms).

9. Retention

We keep personal data only as long as necessary for the purposes above, including legal, accounting, and dispute resolution needs. Booking and guest records may be retained for the period venues need to operate and as configured in the product, within limits we apply for the platform. When data is no longer needed, we delete or anonymise it in line with our internal schedules, subject to statutory retention duties.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, or destruction, including access controls and encryption in transit where standard for the Service. No online service is perfectly secure; we encourage strong passwords and prompt reporting of suspected misuse.

11. Your rights

Under UK data protection law you have the right to:

• access a copy of your personal data;
• rectify inaccurate data;
• erase data in certain circumstances;
• restrict processing in certain circumstances;
• object to processing based on legitimate interests or for direct marketing;
• data portability for data you provided where processing is automated and based on consent or contract;
• withdraw consent where processing is consent-based, without affecting earlier lawful processing;
• lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

To exercise rights against Reserve NI, email hello@reserveni.com. Where your booking data is controlled by a venue, we may need to direct you to them or work with them to respond.

12. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the site (for example session and security cookies). Where non-essential cookies are introduced in the future, we will obtain consent as required by PECR and UK GDPR. We do not use third-party advertising cookies on the core Service as described here.

13. Children

The Service is aimed at businesses and adults making bookings. It is not directed at children under 13 for commercial use. If you believe we hold data about a child in error, contact us and we will take appropriate steps.

14. Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects about you in the sense of Article 22 UK GDPR for core booking flows. Venues may apply their own rules (for example waitlists); those are the venue's responsibility.

15. Changes to this policy

We may update this Privacy Policy to reflect changes to our practices or the law. We will revise the “Last updated” date and, where changes are material for venue customers, notify them by reasonable means (such as email or an in-product notice).