1. Who We Are
Seatly Software Ltd (“Seatly”, “we”, “us”) provides a white-label restaurant booking platform used by independent restaurants across the United Kingdom.
Roles under UK GDPR:
- Seatly Software Ltd acts as a data processor — we operate and maintain the booking software on behalf of restaurants.
- The restaurant you are booking with acts as the data controller — they determine why your data is collected and how it is used.
When you make a booking through a Seatly-powered widget, you are providing your personal data to the restaurant, which Seatly processes on their behalf.
Contact: Seatly Software Ltd Email: privacy@seatly.uk
2. What Data We Collect
The following personal data may be collected when you make a booking:
| Data Field | Purpose | Required? |
|---|---|---|
| Name | Identifying who the booking is for | Yes |
| Email address | Sending booking confirmations and reminders | Yes |
| Phone number | Restaurant contact for the booking | Optional |
| Party size | Table allocation | Yes |
| Date and time | Availability and scheduling | Yes |
| Special requirements | Dietary needs, accessibility requests, or other relevant information you choose to provide | Optional |
Special requirements may include information such as dietary requirements, accessibility needs, or allergy information that you choose to provide in connection with your booking. Depending on what you enter, this may include sensitive personal data (such as health or religious dietary information). This information is collected so the restaurant can prepare for and manage your booking appropriately. The restaurant you are booking with is responsible for determining the lawful basis and, where applicable, any additional condition required under Article 9 UK GDPR for collecting and using this information.
We do not collect payment details from diners. If you pay a deposit or pre-payment, this is handled directly by the restaurant through their own payment provider — not through Seatly.
3. How We Use Your Data
| Use | Legal Basis |
|---|---|
| Creating and managing your booking | Performance of a contract (Article 6(1)(b) UK GDPR) |
| Sending a 24-hour reminder before your booking | Legitimate interests (Article 6(1)(f) UK GDPR) — you have a reasonable expectation of receiving this |
| Enabling cancellation via a link in your confirmation email | Performance of a contract (Article 6(1)(b) UK GDPR) |
| Displaying booking history to restaurant staff | Legitimate interests (Article 6(1)(f) UK GDPR) — required for the restaurant to manage their operations |
SMS reminders
Restaurants using Seatly may send you a one-off SMS reminder the day before your booking. This is a service message under the UK Privacy and Electronic Communications Regulations 2003 (“PECR”): your phone number is used only for reminders about a booking you have made, not for marketing.
We rely on the PECR soft opt-in framework (Regulation 22(3)) for these messages:
- Your phone number is collected in the course of a booking you made directly with the restaurant
- The message relates only to that booking (party size, restaurant name, booking time)
- You can opt out on every message by tapping the unsubscribe link included in the message
You can stop receiving SMS reminders from a specific restaurant at any time by tapping the unsubscribe link in any reminder and confirming on the page that opens. This stops reminders from that restaurant only — bookings with other restaurants on Seatly are unaffected. Opt-out records are kept per restaurant and survive any later request to erase your personal data, so you will not start receiving SMS again if you later make another booking with the same restaurant.
To stop all SMS reminders, ask the restaurant to remove your phone number from your customer profile, or use your right of erasure (see below).
Your data is NOT used for:
- Marketing or promotional communications
- Profiling or automated decision-making
- Selling or licensing to third parties
- Advertising networks or data brokers
4. Who We Share Your Data With
| Recipient | Role | Data Shared | Why |
|---|---|---|---|
| The restaurant you booked with | Data controller | Name, email, phone, party size, date/time, special requirements | They need full booking details to seat and serve you |
| Resend Inc. | Email delivery sub-processor | Name, email address, booking reference | Required to deliver confirmation, reminder, and cancellation emails on behalf of the restaurant |
| Cloudflare Inc. | Anti-spam and CDN sub-processor | IP address, Turnstile challenge token (ephemeral) | Protects the booking form from automated abuse |
We never share your data with:
- Other restaurants on the Seatly platform
- Advertising networks
- Data brokers or analytics companies
- Any party not listed above
A full list of our sub-processors, including addresses, data locations, and transfer mechanisms, is published on our Sub-Processor List.
5. Where Your Data Is Stored
Your booking data is stored in the United Kingdom on servers provided by Supabase Inc., hosted in the AWS London region (eu-west-2). This data does not leave the UK for storage purposes.
Emails are transmitted to Resend Inc. (United States) for delivery. This transfer is protected by a UK International Data Transfer Agreement (UK IDTA) and Standard Contractual Clauses (SCCs) under Article 46(2)(c) UK GDPR.
Cloudflare processes IP addresses and anti-spam tokens at its global edge network. This processing is protected by a UK IDTA and SCCs.
6. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Booking records (name, email, phone, booking details) | 24 months from the booking date (default; configurable by restaurant) |
| Customer profile data | Until erasure is requested or the retention period expires |
| Email content | Not stored by Seatly — emails are transmitted to Resend for delivery only |
After the retention period expires, personal data is anonymised — identifying fields are removed or replaced with non-identifying values. Anonymised records may be retained for aggregate reporting purposes (e.g. total covers per month).
If the restaurant you booked with has configured a different retention period, that period applies instead of the 24-month default. The restaurant is responsible for ensuring any retention period it selects is reflected in its own privacy information and is appropriate for its purposes.
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Request a copy of the personal data held about you | Contact the restaurant directly |
| Rectification | Ask for inaccurate or incomplete data to be corrected | Contact the restaurant directly |
| Erasure | Ask for your personal data to be deleted | Contact the restaurant directly |
| Portability | Receive your data in a machine-readable format | Contact the restaurant directly |
| Object | Object to processing based on legitimate interests | Contact the restaurant directly |
| Complaint | Lodge a complaint with the Information Commissioner’s Office | See contact details below |
Because the restaurant you booked with is the data controller for your booking data, you should normally contact that restaurant first to exercise your rights.
If you contact Seatly instead (at privacy@seatly.uk), we may forward your request to the relevant restaurant and assist them in fulfilling it where our involvement is required. We do not decide whether a request relating to restaurant booking data should be granted; that decision rests with the restaurant as controller.
The restaurant is responsible for responding within the applicable UK GDPR timeframe (normally one calendar month from receipt of request, per Article 12(3)).
Information Commissioner’s Office (ICO): Website: ico.org.uk Helpline: 0303 123 1113
8. Cookies
The Seatly booking widget uses one cookie-equivalent mechanism: Cloudflare Turnstile, an anti-spam challenge that sets a short-lived token to verify that a booking is submitted by a human.
This mechanism is strictly necessary for the security of the booking form. It does not track you across websites and does not require your consent under the UK Privacy and Electronic Communications Regulations (PECR).
No advertising, analytics, or tracking cookies are set by Seatly.
For full details, see our Cookie Policy.
9. Children’s Data
The Seatly booking platform is intended for general consumer use and is not designed for children to use independently. We do not knowingly seek to collect personal data directly from children. If you believe a child’s personal data has been submitted inappropriately, please contact us at privacy@seatly.uk.
10. Changes to This Policy
We may update this policy from time to time. Changes will be reflected in the version number and “Last Updated” date at the top of this document. Material changes will be communicated to restaurant clients (data controllers) via their registered account email address.
Previous versions of this policy are available on request by emailing privacy@seatly.uk.
11. Contact Us
For any questions about this policy, or to exercise your data rights, please contact:
Seatly Software Ltd Email: privacy@seatly.uk
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office:
Information Commissioner’s Office Website: ico.org.uk Helpline: 0303 123 1113
Change Log
| Version | Date | Changed By | Summary of Changes |
|---|---|---|---|
| 1.0 | 2026-04-15 | Seatly Software Ltd | Initial publication |