Legal document
Restaurant and Merchant Privacy Policy
Privacy information for restaurateurs, merchants, staff and manager users.
Version 1.0. Last updated: June 6, 2026. Effective date: [●]
1. Data controller
This notice describes how Dishup S.r.l., with registered office in [●], tax code and VAT number [●], PEC [●], privacy e-mail [●] ("Dishup"), processes the personal data of legal representatives, beneficial owners, contact persons, employees, collaborators, operators, staff and manager users of restaurants, bars, clubs and other merchants that use Dishup ("Restaurateur").
Dishup processes some data as an independent controller, for example for the management of the commercial relationship, authentication, security, billing, assistance, audit and improvement of the Services.
When Dishup processes personal data on behalf of the Restaurateur relating to end customers, orders, staff, operations or management content of the establishment, Dishup may act as a data processor in accordance with the Data Processing Agreement contained in the Terms of Use for Restaurateurs or in another written agreement.
2. Scope
This notice applies to:
- Restaurateur onboarding;
- creation and management of manager accounts;
- access to the dashboard, SessionDock, devices, readers, kiosks, operations consoles and other tools;
- business relationships, quotes, subscriptions, invoices and B2B payments;
- Stripe Connect, fiscal integrations, device setup and assistance;
- operational, administrative and commercial communications;
- security, audit, log and fraud prevention;
- use of AI tools and operational analytics.
3. Data processed
Dishup may process:
- Personal and professional data: name, surname, role, company name, title, e-mail, telephone, language, avatar.
- Company and tax data: VAT number, tax code, headquarters, addresses, PEC, REA, billing data, licenses or administrative information.
- Representation and verification data: powers, roles, beneficial owners, information required for onboarding or checks.
- Account data and permissions: credentials, PIN, roles, authorizations, associated restaurants, capabilities, tokens, sessions.
- Technical data: IP, user agent, device, log, events, errors, audit trail, socket connections, device identifiers.
- Operational data: actions on sessions, orders, payments, tables, menus, wallets, vouchers, devices, printers, taxes and integrations.
- Stripe and B2B/B2B2C payment data: connected account id, readiness, reader, transactions, fees, disputes, payouts, technical errors and statuses.
- Assistance data: tickets, messages, screenshots, technical records if provided, attachments, intervention history.
- B2B marketing data: preferences, interactions with campaigns, demo requests, events, newsletters, lead sources.
- AI and analytics data: prompts, outputs, tools used, time ranges, audits, usage metrics and costs, where the functionality is active.
4. Purpose and legal bases
| Purpose | Legal basis |
|---|---|
| Create and manage manager accounts | Performance of the contract; legitimate interest |
| Restaurateur onboarding and verification | Performance of the contract; legal obligations; legitimate interest |
| Provide dashboards, devices, payments, tax and services | Performance of the contract |
| Manage Stripe Connect and payment integrations | Performance of the contract; legal obligations; legitimate anti-fraud interest |
| Invoicing, accounting and administration | Legal obligations; performance of the contract |
| Assistance, troubleshooting and maintenance | Performance of the contract; legitimate interest |
| Security, audit, fraud and abuse prevention | Legitimate interest; legal obligations |
| Operational and service communications | Performance of the contract; legitimate interest |
| B2B marketing on similar or demo products | Legitimate interest or consent, where required |
| Newsletters or non-similar promotional communications | Consent, where required |
| AI assistant, analytics and product improvement | Performance of the contract; legitimate interest; consent if required |
| Defense of rights and management of disputes | Legitimate interest; legal obligations |
5. Privacy roles in the relationship with the Restaurateur
Generally speaking:
- the Restaurateur is the data controller for end customers, staff, suppliers, tax data, orders, food, deliveries and management of the venue;
- Dishup is the data processor when it processes such data on behalf of the Restaurateur via the platform;
- Dishup is the independent controller of Dishup accounts, security, logs, billing, business relationship, support, administration, defense, product improvement and its own obligations;
- Stripe and other providers may be independent controllers or controllers under their respective agreements.
The Restaurateur must provide adequate privacy information to end customers and staff and must ensure suitable legal bases for using Dishup.
6. Recipients
The data may be disclosed to:
- group companies, if any;
- cloud, hosting, database, monitoring, security and backup providers;
- Stripe, banks, circuits and payment providers;
- tax, billing, receipt, storage and device providers;
- email, communication, notification, CRM and support providers;
- AI and analytics providers, if used for enabled features;
- legal, tax, accounting and audit consultants;
- authorities, law enforcement agencies, courts or public entities;
- hardware, device, reader or print suppliers when necessary.
7. Non-EEA Transfers
When data is transferred outside the European Economic Area, Dishup uses appropriate safeguards under the GDPR, such as adequacy decisions, standard contractual clauses and additional measures where necessary.
8. Retention
Dishup retains data for periods proportionate to the purposes:
- account and contract data: for the duration of the relationship and the subsequent administrative period;
- tax data and invoices: for the legal deadlines;
- technical and security logs: for the period necessary for security, audit and troubleshooting;
- payment data, Stripe and disputes: for the period necessary for reconciliation, chargebacks, audits and legal obligations;
- assistance tickets: for the time necessary to document the request, response and quality of the service;
- B2B marketing: until objection, withdrawal of consent or expiry defined by internal policies;
- data processed as a processor: according to the instructions of the Restaurateur and the DPA, without prejudice to retention obligations.
9. Rights
Data subjects can exercise their GDPR rights of access, rectification, erasure, restriction, objection, portability and withdrawal of consent by writing to [●].
When the request concerns data for which the Restaurateur is the data controller, Dishup may forward the request to the Restaurateur or direct the data subject to contact the Restaurateur.
10. Cookies and similar tools
The manager dashboard uses cookies and similar tools mainly for authentication, security, preferences, session, diagnostics and technical functionality. Any analytics or non-technical tools are described in the Cookie Policy and managed according to the preferences required by law.
11. Complaints
Data subjects may lodge a complaint with the Italian Data Protection Authority or with the competent authority. They can also contact Dishup at [●] for an internal review.
12. Changes
Dishup may update this policy. Relevant changes will be communicated in an appropriate manner.
