Privacy notice

Last updated 12 July 2026

This notice explains how Klevra handles personal data when you place a pickup order or join a dine-in table. We keep things to the minimum needed to take your order and contact you if there's a problem.

Who's responsible

The restaurant you're ordering from is the data controller — they decide why your data is collected. Klevra is the processor that runs the ordering software on their behalf. If you have questions about how a specific restaurant uses your data, contact them directly.

What we collect

  • Pickup orders: your name, phone number, optional email, the items you ordered, and (for online payments) the masked payment confirmation we receive from Stripe. We never see your full card details.
  • Dine-in table tabs: the nickname you enter to join the table, the items you order, and a temporary guest ID stored in a cookie so split-bill and live order tracking work. No phone or email is requested.
  • Restaurant accounts (staff/owners): your email, password (hashed), and team role. Covered separately by the cookie policy for the dashboard session.

Why we can process it

We rely on contract performance (GDPR Article 6(1)(b)) — your data is needed to prepare your order and contact you if something goes wrong. We don't ask for consent because the data is essential to the order itself; without it we can't take it.

How long we keep it

Order data is retained as long as required for accounting and tax (typically 5–10 years depending on local law). Customer contact details on active orders are kept for up to 90 days after the order is collected. Table tab guest IDs are deleted automatically when the tab is closed.

Who else sees it

We use a small set of sub-processors to run the service. All data stays inside the EU. Specific provider names are available on request.

  • EU cloud database provider — stores your order securely.
  • EU cloud object storage provider — holds menu images uploaded by the restaurant. No customer personal data is stored here.
  • Payment processor — handles online checkout. They see your card details directly; we only receive a confirmation and the masked summary.
  • EU real-time messaging service — powers live order updates.
  • AI text-processing service — used by the restaurant to translate or extract menu copy. Never receives customer order data.
  • EU error-monitoring service — receives automatic technical reports when something in the app breaks (the error, the page address, and the browser/device type). Sign-in details are redacted before reports leave your device; no names, order contents, or payment data are included. Reports are deleted automatically after 90 days.

Your rights

Under GDPR you can:

  • Ask the restaurant for a copy of the personal data they hold about you.
  • Correct anything that's wrong (typo in your name, wrong phone number).
  • Ask the restaurant to delete your data, subject to accounting retention obligations.
  • Receive your data in a structured, machine-readable format.
  • Complain to your national data-protection authority if you think your rights have been breached.

Updates

We'll update this page if how we process data changes. The date at the top reflects the most recent change.

Contact

For privacy questions about Klevra as a processor, email [email protected]. For questions about a specific order, contact the restaurant directly.