← BACK
FLOWNEST
LEGAL

Privacy Notice

Last updated: 3 June 2026
TEMPLATE NOTICE

This Privacy Notice is a template and must be reviewed by a qualified UK solicitor before being used commercially. The information below describes how data is handled in the FlowNest platform but does not constitute legal advice.

1. Who we are

FlowNest Limited ("FlowNest", "we", "us") operates the FlowNest Reservations platform used by participating restaurants ("Restaurants") to manage table bookings. Our registered address is [INSERT REGISTERED OFFICE]. We can be contacted at privacy@flownest.xyz.

2. Joint controllership

When you make a booking at a Restaurant through this platform, both FlowNest and that Restaurant act as joint controllers of your personal data for booking purposes. FlowNest provides the technical platform; the Restaurant uses your booking to host you. The Restaurant's contact details appear on its booking page and confirmation emails.

3. What we collect

When you book a table, we collect:

  • Your full name
  • Your email address
  • Optionally, your phone number
  • Your party size and chosen time
  • Any special requests you provide (allergies, accessibility needs, occasion)
  • Technical data: IP address, browser type, timestamp, cookie identifiers (see Cookie Policy)

4. Why we collect it (lawful bases)

  • Performance of contract (UK GDPR Art. 6(1)(b)) — to provide the booking service you requested
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, platform security, service improvement
  • Legal obligation (Art. 6(1)(c)) — to comply with UK law, including allergen records under food safety regulations
  • Consent (Art. 6(1)(a)) — for non-essential cookies and marketing communications, where applicable

5. Special category data

Allergy information may constitute special category data (health data) under UK GDPR Art. 9. We process this on the basis of your explicit consent (Art. 9(2)(a)) when you provide it in a booking note. You can choose not to share it; the Restaurant will then be unable to accommodate dietary requirements.

6. Who we share it with

  • The Restaurant you book at — to host your reservation
  • Resend (email service provider, Delaware USA) — to send your confirmation. Data transferred under the UK Addendum to the EU Standard Contractual Clauses
  • Supabase Inc. (database host, hosted in the EU) — our underlying database provider
  • Cloudflare Inc. (US/global CDN and security) — handles network traffic. Data transferred under the UK Addendum
  • Vercel Inc. (US, application hosting) — our application host. Data transferred under the UK Addendum
  • UK authorities — when legally required

We do not sell your personal data to third parties.

7. How long we keep it

  • Active booking data: until completion of your reservation plus 90 days
  • Customer record (for repeat visits): retained while you have an active relationship with the Restaurant, deleted on request
  • Audit logs: 12 months
  • Backups: 30 days rolling

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Receive your data in a portable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (where consent is the lawful basis)
  • Complain to the Information Commissioner's Office (ico.org.uk, telephone 0303 123 1113)

To exercise any of these rights, email privacy@flownest.xyz.

9. International transfers

Some of our service providers are located outside the UK (notably in the United States). Where personal data is transferred to such jurisdictions, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses to ensure an adequate level of protection.

10. Security

We implement appropriate technical and organisational measures including encryption in transit (HTTPS/TLS), encryption at rest, role-based access controls, row-level security in our database, and regular security review. No system is perfectly secure; we cannot guarantee absolute security.

11. Changes to this notice

We may update this Privacy Notice from time to time. The "last updated" date at the top of this page indicates when the most recent changes were made. Material changes will be communicated by email to active users.

12. Contact

Questions about this Privacy Notice or how we handle your data: privacy@flownest.xyz.