Skip to content
stoveops
  • Solutions
  • Pricing
  • Blog
  • About
English
  • English
  • Français (CA)
  • Português (BR)
  • Español
Contact
  • Solutions
  • Pricing
  • Blog
  • About

Draft — subject to legal review

Data Processing Agreement

This Data Processing Agreement (DPA) is incorporated by reference into the StoveOps Terms of Service and forms part of the agreement between StoveOps and each customer (the restaurant). It reflects the model terms of Article 28(3) GDPR and Article 39 LGPD and applies whenever StoveOps processes personal data on the customer’s behalf.

This text is a draft published for transparency and is subject to human legal review before it is relied upon as a signed instrument.

Last updated: 2026-07-03

Roles and subject matter

The customer is the controller (or business / equivalent decision-maker) for personal data it submits to StoveOps; StoveOps is the processor (service provider / operator) acting only on the customer’s documented instructions. The subject matter is the provision of the StoveOps restaurant-operations service.

Duration

This DPA applies for the term of the agreement and for as long as StoveOps processes personal data on the customer’s behalf, including any wind-down period required for return or deletion.

Nature and purpose of processing

StoveOps processes personal data to provide waitlist, guest messaging, digital menu/site, marketing-workflow, analytics, billing and support features, and to keep the service secure and reliable.

Categories of data and data subjects

Data subjects include restaurant operators and staff, website visitors and restaurant guests. Categories include contact details, account and billing data, restaurant content, guest data (name, contact, party size, status, notes the restaurant chooses to store) and messaging metadata. The customer must not submit special-category data except as disclosed to and lawful for the guest.

Processor obligations

StoveOps processes personal data only on the customer’s documented instructions (including this DPA and the product configuration), ensures persons authorized to process are bound by confidentiality, and does not sell personal data or use it for its own purposes outside the agreement.

Subprocessors

The customer authorizes StoveOps to engage the subprocessors below to deliver the service. StoveOps imposes data-protection terms on each and remains responsible for their performance. We will give notice of intended changes so the customer may object.

  • Cloudflare — application hosting, edge network, CAPTCHA and storage.
  • Neon — managed PostgreSQL database hosting.
  • Resend — transactional email delivery.
  • sent.dm — SMS and WhatsApp message delivery.
  • Stripe — subscription billing and payment processing.
  • Grafana stack (self-hosted by StoveOps) — logs, traces and product telemetry.

Security

StoveOps maintains administrative, technical and organizational measures appropriate to the risk, including access controls, least-privilege permissions, encrypted transport, audit logging and provider review, consistent with the Security section of the Privacy Policy.

Assistance with data subject requests

Taking into account the nature of the processing, StoveOps assists the customer with appropriate measures to respond to data-subject (DSAR) requests — access, correction, deletion, portability, objection and restriction — including the in-product erasure tooling, within the timelines stated in the Privacy Policy.

Personal data breach notification

StoveOps notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data, with the information the customer reasonably needs to meet its own notification obligations.

International transfers

Where personal data is transferred across borders (for example to the United States), StoveOps relies on recognized transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) and equivalent safeguards under other applicable laws.

Return and deletion

On termination, and at the customer’s choice, StoveOps returns or deletes personal data processed on the customer’s behalf, subject to limited retention required by law or for backup/security logs, which then expire on their normal cycle. Guest-offboarding deletion runs automatically after the contractual relationship ends.

Audits and contact

StoveOps makes available the information necessary to demonstrate compliance with this DPA and supports reasonable audits. Questions and requests under this DPA can be sent to contact@stoveops.com.

DPA contact: contact@stoveops.com

  • Terms
  • Privacy
stoveops

Waitlist and reservation tools for busy restaurants.

contact@stoveops.com

StoveOps solutions

  • Solutions
  • Compare
  • Blog
  • Pricing
  • About
  • Contact

Legal

  • Privacy
  • Terms
  • Acceptable Use

Language

  • English
  • Français (CA)
  • Português (BR)
  • Español

© 2026 StoveOps. All rights reserved.