Legal document
Consumer and End User Privacy Policy
Privacy information for consumers, end customers and webapp users.
Version 1.0. Last update date: June 6, 2026. Effective date: [●]
1. Data controller
This policy describes how Dishup S.r.l., with registered office in [●], tax code and VAT number [●], PEC [●], privacy e-mail [●] ("Dishup"), processes the personal data of end customers who use the Dishup webapp, site, customer accounts, wallets, notifications and other digital features ("Customer" or "User").
Dishup processes some data as an independent data controller. Restaurants, bars, clubs and other businesses that use Dishup ("Restaurateurs") process other data as independent data controllers for the sale, administration, preparation, delivery, assistance, taxation and management of the relationship with the Customer.
When Dishup processes data on behalf of the Restaurateur, Dishup acts as data processor under the agreement entered into with the Restaurateur. This policy concerns the processing carried out by Dishup as an independent data controller, unless otherwise indicated.
2. When this policy applies
This policy applies when the Customer:
- visits or uses the Dishup web app or the /dine pages;
- creates or uses a customer account;
- logs in through Google, Apple or other supported providers;
- consults menus, opens sessions, sends orders or pays;
- uses wallets, vouchers, local credit, dishband or similar tools;
- receives operational or push notifications;
- requests assistance from Dishup;
- exercises privacy rights or sends communications to Dishup.
For processing activities carried out by the Restaurateur, the Customer must also consult the Restaurateur's privacy policy.
3. Personal data processed
Dishup may process the following categories of data:
- Identification and contact data: name, surname, display name, email, telephone, language, avatar, account identifiers.
- Authentication data: provider used, provider identifier, technical tokens, sessions, refresh token, access log, device.
- Order and session data: restaurant, table, session, items ordered, quantity, notes, order status, payment status, receipts, collection, delivery, operational history.
- Payment data: technical payment identifiers, amounts, currency, outcome, provider, latest non-sensitive information returned by the payment provider. Dishup does not store your complete card number.
- Wallet data and local credit: technical balances, top-ups, expenses, refunds, vouchers, QR presentation, movements, history and audit.
- Tax data: if entered, name or company name, address, tax code, VAT number, PEC, recipient code and data necessary for the invoice or receipt.
- Notification data: preferences, push tokens, browser endpoints, push status, read status, click status, device status, and user agent status.
- Technical data: IP address, logs, browser, operating system, device identifiers, security events, technical cookies and similar tools.
- Assistance data: requests, messages, attachments, evidence, contact and response history.
- Voluntary data: order notes, food preferences or other information entered by the Customer.
The Customer must avoid entering unnecessary sensitive data. If the Customer communicates allergies, intolerances, health information or specific dietary requirements, such data may be transmitted to the Restaurateur to manage the order.
4. Purpose and legal bases
Dishup processes data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Creation and management of customer accounts | Execution of the contract or pre-contractual measures |
| Authentication, login, token refresh and account security | Execution of the contract; legitimate interest in security |
| Consultation of menus, sessions, orders and operational status | Execution of the contract; legitimate interest in correct provision |
| Digital payments and technical reconciliation | Execution of the contract; legal obligations; legitimate anti-fraud interest |
| Wallets, vouchers, local credit and movements | Execution of the contract; legal obligations; legitimate anti-fraud interest |
| Operational notifications on orders, payments, receipts and collection | Execution of the contract; legitimate operational interest |
| Browser push notifications | Consent or browser settings, where required |
| Assistance, complaints and dispute management | Execution of the contract; legitimate interest; legal obligations |
| Security, fraud prevention, abuse, chargebacks and audits | Legitimate interest; legal obligations |
| Tax, accounting, legal obligations and defense of rights | Legal obligations; legitimate interest |
| Product improvement and aggregate statistics | Legitimate interest, where data is minimized or aggregated |
| Dishup direct marketing, if any | Consent or legitimate interest to the extent permitted |
| Non-technical cookies and tracking | Consent, where required |
5. Relationship with restaurateurs
The Restaurateur is normally an independent controller for:
- sale and administration of food and drinks;
- order preparation, collection, delivery and assistance;
- information on ingredients, allergens, prices and availability;
- issuing receipts, invoices and commercial documents;
- management of commercial reimbursements, product complaints and healthcare obligations;
- restaurant loyalty programs, vouchers or promotions, where activated.
Dishup may transmit to the Restaurateur the data necessary to manage the order, session, payment, invoice, collection or local credit.
6. Recipients of the data
The data may be communicated to:
- Restaurateurs where the Customer interacts or orders;
- payment providers, including Stripe and related banks/circuits;
- cloud, hosting, database, security and monitoring providers;
- email, push notification, messaging and support providers;
- tax or billing providers, if activated;
- authentication providers, such as Google or Apple;
- legal, tax and accounting consultants and auditors;
- authorities, law enforcement agencies or public entities in the cases provided for by law;
- technical suppliers appointed as processors or sub-processors, where applicable.
The updated list of the main supplier categories can be requested from [●].
7. Non-EEA Transfers
Some suppliers may process data outside the European Economic Area. In such cases Dishup uses appropriate safeguards under the GDPR, such as adequacy decisions, standard contractual clauses, additional measures where necessary or other legitimate bases.
8. Retention
Dishup retains data for the time necessary for the purposes indicated. Indicatively:
- account data: for the duration of the account and a subsequent technical/administrative period;
- order, payment, wallet and tax data: for the period necessary for legal, tax, accounting obligations, disputes, chargebacks and defense;
- technical and security logs: for a period proportionate to the risk and audit needs;
- push tokens and preferences: as long as active or until revoked/deactivated;
- assistance requests: for the time necessary to manage the request and document the outcome;
- data processed on consent: until revoked, unless retention is necessary for other legal bases.
The precise retention times are defined in the internal policies and may vary based on legal obligations, disputes, fraud, security or technical needs.
9. Rights of the data subject
The Customer may exercise, within the limits of the GDPR, the rights of access, rectification, erasure, restriction, objection and portability, as well as the right to revoke consent and to lodge a complaint with the supervisory authority.
Requests can be sent to [●]. Dishup may request information necessary to verify the applicant's identity.
For processing activities carried out by the Restaurateur as an independent controller, Dishup may refer the Customer to the competent Restaurateur.
10. Account deletion
The Customer can request deletion of the account using the available functions or by writing to [●].
Deletion does not result in the immediate removal of data that Dishup or the Restaurateurs must retain for legal obligations, payments, disputes, taxation, security, audits, assistance or defense of rights.
11. Cookies and tracking tools
The use of cookies and similar tools is described in the Cookie Policy. Non-technical cookies and tracking tools subject to consent are used only according to the preferences expressed by the Customer, unless otherwise required by law.
12. Complaints
The Customer may lodge a complaint with the Italian Data Protection Authority or with the competent authority of their Member State. Before filing a complaint, the Customer may contact Dishup at [●] to allow for internal verification.
13. Changes
Dishup may update this policy. The changes will be published on the platform or communicated in an appropriate manner when relevant.
