Security & Compliance
Last updated: March 2026 · Trust Center for IT and procurement
At a glance
- Encryption: Data encrypted in transit (TLS) and at rest. OAuth tokens and credentials encrypted.
- Data location: UK/EU data centres where applicable (Supabase). No sale or sharing of your data.
- Access control: Row-level security; each restaurant sees only its own data. Role-based access for multi-location setups (e.g. store manager vs group view) is available.
- GDPR: UK & EU GDPR compliant. Data use and retention described in our Privacy Policy.
- Compliance: ICO registered (UK). Data processing agreements with subprocessors.
Data encryption and security
All data is encrypted in transit using TLS. Data at rest is encrypted using industry-standard encryption. OAuth tokens and API credentials (e.g. for POS and booking integrations) are stored encrypted. We use a multi-tenant architecture with row-level security (RLS) so that your restaurant's data is isolated from every other customer—no cross-tenant access. We regularly review and update our security practices.
Where your data lives
Data is processed and stored in UK/EU data centres where applicable (via our infrastructure provider Supabase). We do not sell your data. We do not use your data for advertising or share it with third parties for their marketing. Where we use subprocessors (e.g. hosting, payments), we ensure appropriate safeguards and data processing agreements are in place. For international transfer details, see our Privacy Policy.
Access control (RBAC)
Access to data is controlled so that:
- Single-location: Users see only the data for their restaurant. No access to other tenants' data.
- Multi-location: For groups and chains, role-based access allows store managers to see only their location; group or F&B directors can see aggregated or multi-location data as configured. Enterprise plans can include custom roles and scoping.
- Authentication is required for all access; sessions are secured and can be revoked.
Revenue, orders, timing metrics, and employee-related data (e.g. waiter performance) are only visible within your organisation and only to users who have been granted access to the relevant location(s).
GDPR and data use
We comply with the UK GDPR and EU GDPR where applicable. We are registered with the Information Commissioner's Office (ICO); registration number: 00013447026. Personal data is processed only as necessary to provide the Service. We do not use your restaurant or order data for our own analytics or marketing; we use it only to provide the Service to you. Retention periods and your rights (access, rectification, erasure, portability, objection, complaint) are set out in our Privacy Policy. You can export your data to CSV at any time from within the Service.
Subprocessors and compliance
We use a limited set of subprocessors for hosting, payments, and operational tools. They process data on our instructions and under contractual obligations that meet applicable data protection requirements. A list of key subprocessors and compliance documentation is available on request for enterprise and procurement reviews. Contact us using the details below.
Security and compliance contact
RestaurantIQ Ltd is the data controller. For security questionnaires, compliance documentation, or data protection enquiries, contact: iakovos.petrocheilos@restaurantiq.co.uk. Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.