Privacy Policy

We collect the following categories of personal data:

• Account data: your name, email address, restaurant name, and location details provided during signup
• Guest feedback data: survey responses (food, service, atmosphere ratings), optional comments, and optional contact details (name, email, phone) submitted by guests at your restaurant
• Consent records: a hashed record of the guest's IP address (truncated SHA-256) and user agent, stored as an audit trail of consent
• Usage data: how you interact with the product, pages visited, and features used
• Payment data: handled entirely by Stripe. We never store card numbers or payment details directly
• Review data: public reviews imported from third-party platforms via our review provider, Zembra

Under UK GDPR (Article 6), we process personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): to provide and maintain the TasteScore service, process billing, manage your account, and fulfil our obligations under our Terms of Service
• Legitimate interest (Article 6(1)(f)): to improve the service, ensure security, prevent fraud, generate anonymised analytics, and send transactional communications such as alerts and weekly service briefs
• Consent (Article 6(1)(a)): to send marketing communications and to follow up with guests who have explicitly opted in. You may withdraw consent at any time

We do not sell your data to third parties.

TasteScore uses the following third-party sub-processors, each with their own privacy policies and data protection practices:

• Stripe (United States) — payment processing. Stripe is certified under the UK Extension to the EU-US Data Privacy Framework
• Resend (United States) — transactional email delivery
• OpenAI (United States) — AI-powered reply drafts and service intelligence
• Zembra — public review import and monitoring

Where data is transferred outside the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or equivalent safeguards to protect your data in accordance with UK GDPR.

Guest feedback is collected on behalf of the restaurant you manage. In this context:

• The restaurant is the data controller — responsible for having a lawful basis for collecting feedback and for how guest data is used
• TasteScore is the data processor — processing guest data only on the restaurant's behalf and in accordance with their instructions

Guests may submit feedback anonymously at any time. Contact details (name, email, phone number) are only collected when the guest voluntarily provides them. Two separate consent checkboxes are presented — one for follow-up contact about the visit, and one for marketing communications — both unchecked by default.

A consent record is stored for each submission, including a hashed IP address and user agent, to provide an auditable trail of when and how consent was given.

Guests may exercise their data rights (see Section 7) by contacting the restaurant directly or by emailing hello@tastescore.co.uk.

Account data is retained while your account is active and for 90 days following account deletion. Guest feedback data follows the same retention schedule. After the 90-day period, all personal data is permanently deleted.

You may request earlier deletion of your data at any time by contacting us or using the data management tools in your account settings.

If you are based in the United Kingdom or European Economic Area, you have the following rights under UK GDPR:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your personal data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to restrict processing — request that we limit how we use your data
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email hello@tastescore.co.uk. You can also export or delete your data directly from your account settings. We aim to respond to all requests within 30 days.

Guests who have submitted feedback may exercise these rights by contacting the restaurant that collected their data, or by emailing us directly at the address above.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

TasteScore uses the following cookies, all of which are strictly necessary for the service to function:

• tastescore_session — authentication session cookie. HttpOnly, Secure, SameSite=Lax. Expires after 7 days
• tastescore_oidc_tmp — temporary cookie used during third-party login. HttpOnly, Secure. Expires after 10 minutes

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. As these cookies are strictly necessary for the operation of the service, they are exempt from consent requirements under the UK Privacy and Electronic Communications Regulations (PECR).