Privacy Policy

This Privacy Notice provides information on how Codera Ltd (T/A TablePath) collects and processes your Personal Data when you use our services and our website ('the website') (including any data which you may provide through the website when you contact us to provide feedback or to make a complaint). In some cases, we also obtain personal data from third parties (e.g., restaurants, business partners, or other third parties). This Privacy Notice ("Notice") together with any disclaimers sets out the basis on which any personal data we collect from you or that you provide to us, or that is provided to us relating to you ("Personal Data") by any means will be processed. Please read the following carefully to understand our use of personal data. Please note that this Privacy Notice relates only to living individuals in relation to personal data relating directly to themselves, and not to persons in any other capacity. This Privacy Notice is provided to you, in line with the following Data Protection Legislation:

• The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (GDPR), which became enforceable across the EU and the EEA from May 25th, 2018 having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 ('the 2018 Act').
• The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

This Privacy Notice sets out the basis on which any Personal Data we collect from you, or from others, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

We generally act as a data controller, meaning we determine the purposes and means of processing your personal data through our services. Under certain TablePath programs, restaurants may engage us to provide them with certain processing services related to personal data controlled by the restaurant. Please refer the relevant Restaurants Privacy Notice in each case.

Contact details
If you have any questions about this Privacy Notice or our data protection practices, including any requests to exercise your legal rights, contact privacy@tablepath.com. At any time, you have the right to make a data protection complaint to the relevant supervisory authority. However, before doing so, we do request that you contact us in the first instance to provide us with an opportunity to resolve the matter. If we have been unable to resolve your concerns and you wish to lodge a complaint with a supervisory authority, please contact the Data Protection Commission (www.dataprotection.ie).

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

• Identity data includes first and last names.
• Contact data includes e-mail address and telephone number(s).
• Financial data includes the card-holder's name, card type, card number, expiry date and CVV number.
• Transaction data includes details about payments for our products or services.
• Technical data includes Internet protocol addresses, location data (to order and pay for products, uses GPS technology to determine your current location and requires location data for certain features to work), operating system/platform and other technology on the devices you use to access our website. See our Cookie Notice for further details.
• Usage data includes information about how you use our website, apps and other services.

We do not collect any special categories of personal data about you as a Customer (this includes details about your race, ethnicity, religious/philosophical beliefs, sexual orientation, political opinions, health and genetic/biometric data).

Where we need to collect personal data by law, or under the terms of a contract we have with you, and, when requested you fail to provide that data, we may be unable to perform the contract we have or are trying to enter into with you. As a result, we may have to cancel a product or service which you have with us; if this is the case, we will notify you.

We use different methods to collect data from and about you, including through:

• direct interactions – including any information you provide to us when using our services
• automated technologies or interactions – as you interact with our website, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this data using cookies and other similar technologies. See our Cookie Notice for further details.
• third parties or publicly available sources – we receive personal data about you from various third parties and public sources, as set out below:
  • technical data from analytics providers, such as Google, based outside of the European Economic Area (EEA)
  • In some cases, we also obtain personal data from third parties (e.g., restaurants, business partners or other third parties).
  • contact, financial and transaction data from providers of technical, payment and delivery services, such as Stripe and GoCardless

We will use your personal data only when the law allows permits it. Most commonly, we will use your personal data in the circumstances where:

• we need to perform the contract into which we are about to enter/have entered into with you.
• it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.
• we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data.

The table below describes the purposes for which we may use your personal data and the legal basis for data-processing.

Purpose/activity	Type of data	Lawful basis for processing, including basis of legitimate interest
To register you as a new customer To keep our services and your account secure. To authenticate your account credentials and identify you, as necessary to log you into the Services and as part of our efforts to keep our services and your account secure.	(a) identity (b) contact	Performance of a contract with you
To provide our service (a) managing payments, fees and charges (b) collecting and recovering money owed to us (c) sending receipts to you	(a) identity (b) contact (c) financial (d) transaction (e) usage	(a) performance of a contract with you (b) necessary for our legitimate interests (to recover debts due to us)
To enable you to: (a) correspond with us via post, phone, e-mail or otherwise (b) provide feedback, submit a subject access request or lodge a complaint	(a) identity (b) contact	(a) performance of a contract with you (b) necessary for our legitimate interests (to obtain feedback from our customers, process complaints and grow our business around our customers' needs)
To use application improvement analytics to improve our website, products & services	(a) technical (b) usage	Necessary for our legitimate interests (to keep our website updated/relevant and to develop our business). Google analytics used only on consent.
Log information – for troubleshooting	(a) identity (b) technical (c) usage	(a) performance of a contract with you (b) necessary for our legitimate interests (to help resolve problems)
Checking and verifying your identification for the prevention of crime and disorder	(a) identity	(a) compliance with legal and regulatory requirements
To provide you with relevant marketing, offers and services, including for the purposes of advertising and delivering more relevant content, including communicating with you about services or products offered by TablePath, our business partners and other marketing communications that we believe you would be interested in, as permitted by law.	(a) identity (b) contact	(a) necessary for our legitimate interests

You can set your browser to refuse some or all (non-required) browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website or apps may become inaccessible or may not function properly. For more information about the cookies we use, see our Cookie Notice.

We will use your personal data only for the purposes for which we collect it, unless we reasonably consider that we need to use it for another purpose which is compatible with the original one.

We may share your personal data with provide you with our services. For example, our web hosting provider. In addition, we may disclose your personal data to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property, or safety, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We may share your information with selected third parties including:

• Business partners, suppliers, and sub-contractors for the performance of any contract we enter into with them or you.
• Third parties with whom: (i) we need to share your information to facilitate transactions you have requested, and (ii) you ask us to share your information.
• Statutory and regulatory bodies (including central and local government) and law enforcement authorities in order to comply with any applicable laws, grant applications and/or court orders.
• Service providers who provide us with service including website and online platforms, and sub contractors who provide a service to us, and sub processors.

We do not allow our third-party processors to use your personal data for their own purposes. We permit them to process your personal data only for specified purposes and in accordance with our instructions. Any payment transactions carried out by us or our chosen third-party provider of payment-processing services will be encrypted.

We will, from time to time, make use of services provided by third parties for the delivery of our services which may necessitate the transfer of personal data outside the EU/EEA. For example, we use a variety of cloud-based tools such as Microsoft Office 365 and Google. Where Personal Data needs to be transferred or processed outside the EU/EEA, we chose providers who process Personal Data on the basis of:

• SCC
• An Adequacy Decision from the European Commission.

If you want further information on the specific mechanism used by us, if your data is transferred outside of the EEA, please contact us at privacy@tablepath.com.

We have appropriate security measures in place to prevent your personal data from being accidentally lost, altered, disclosed or accessed/used in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties with a business need to know. They will process your personal data only on our instruction and are subject to a duty of confidentiality. We have implemented procedures to deal with any suspected personal data breach – where legally required to do so, we will notify you (and any applicable regulator) of a breach.

We will retain your personal data only for as long as necessary to fulfil the purposes we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. In some circumstances, you can ask us to delete your data – see 'Your legal rights', below, for further information.

As an individual, under EU law you have certain rights to apply to us to provide information or make amendments to how we process your Personal Data. These rights apply in certain circumstances and are set out below:

1. The right to access Personal Data relating to you ('access right').
2. The right to rectify/correct Personal Data relating to you ('right to rectification').
3. The right to object to processing of Personal Data relating to you ('right to object').
4. The right to restrict the processing of Personal Data relating to you ('right to restriction').
5. The right to erase/delete Personal Data relating to you (i.e., the "right to erasure") and
6. The right to 'port' certain Personal Data relating to you from one organisation to another ('right to Personal Data portability').

These rights are not absolute and only apply in certain circumstances. You may exercise any of the above rights by sending an e-mail to privacy@tablepath.com.

You may lodge a complaint with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie.

Where our processing of your personal data is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful. The exercise of Data Subjects' rights as some other "interactions" requires the univocal identification of the person submitting such request as being, in fact, the Data Subject to whom such Personal Data pertains to, hence we may have to set in place a process or mechanism that allows it to document having undergone such assertive identification.

Can I stop getting emails, text messages and other communications from you?
Yes! If you no longer wish us to contact you in a particular way, for example, to no longer send you text messages, just advise us of that and we will respect your wishes.

It may be necessary for us to contact you from time to time in connection with services, for example to ensure your Personal Data is correct.

If you no longer wish to receive marketing communications by electronic means, just use the opt-out facility in any of our communications, OR advise us at privacy@tablepath.com.

Our website may include links to third-party websites, plug-ins and applications, e.g., links to third-party sites which we work with to provide certain services. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control third-party websites and are not responsible for their privacy statements. When you leave our website or apps, we encourage you to read the Privacy Notice of every website plug-in and/or application which you visit.

We reserve the right to change this Privacy Notice from time to time in our sole discretion. If we make any changes, we will post those changes here so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it.

Questions, comments, requests and complaints regarding this Privacy Notice and your Personal Data we hold are welcome and should be addressed to us at Privacy Compliance Co-Ordinator at privacy@tablepath.com. All requests will be dealt with promptly and efficiently.

This Notice is effective from 10th of February, 2024.