Overview
Seatly Software Ltd (“Seatly”) engages the following sub-processors to provide its restaurant booking SaaS platform. Each sub-processor has been assessed for compliance with UK GDPR and the UK Data Protection Act 2018. This document forms part of Seatly’s Data Processing Agreement (DPA) and is incorporated by reference into Seatly’s Privacy Policy.
Restaurant clients (data controllers) are notified of any changes to this list at least 30 days in advance via email to their registered account address. Clients may object to a new or changed sub-processor within that 30-day window by contacting privacy@seatly.uk. Where an objection cannot be resolved, either party may terminate the relevant service on written notice.
Sub-Processor Table
| Sub-Processor | Registered Address | Purpose | Personal Data Processed | Data Location | Transfer Mechanism | Sub-Processor DPA |
|---|---|---|---|---|---|---|
| Supabase Inc. | 970 Toa Payoh North, #07-04, Singapore 318992 | Database hosting, authentication, Edge Functions (serverless compute) | All booking and customer data: diner name, email address, phone number, booking details; restaurant staff credentials | London, UK (AWS eu-west-2) | Primary hosting in UK. Seatly does not intentionally store core booking data outside the UK. Any onward or remote access by the provider is governed by their contractual safeguards where applicable. | Supabase DPA |
| Resend Inc. | 2261 Market Street #5284, San Francisco, CA 94114, USA | Transactional email delivery (booking confirmations, reminders, cancellation notices) | Diner name, email address, booking reference | United States | UK IDTA / Standard Contractual Clauses (SCCs) | Resend DPA |
| Stripe Inc. | 510 Townsend Street, San Francisco, CA 94103, USA | Payment processing for restaurant subscription billing | Restaurant billing contact name, email address, payment card data (tokenised), subscription details. No diner personal data is processed by Stripe. | United States / European Union | UK IDTA / Standard Contractual Clauses (SCCs) | Stripe Privacy & DPA |
| Cloudflare Inc. | 101 Townsend Street, San Francisco, CA 94107, USA | CDN, DNS, Pages hosting (widget and marketing site delivery), Turnstile anti-spam service | IP addresses, Turnstile challenge tokens (ephemeral, not linked to individuals) | Global edge network | UK IDTA / Standard Contractual Clauses (SCCs) | Cloudflare DPA |
Transfer Mechanisms — Definitions
- UK primary hosting — data is stored in the United Kingdom. Seatly does not intentionally store core booking data outside the UK for this service. Any onward or remote access by the provider is governed by their contractual safeguards where applicable.
- UK IDTA — UK International Data Transfer Agreement, issued under section 119A of the Data Protection Act 2018, used for transfers to third countries without an adequacy decision.
- Standard Contractual Clauses (SCCs) — European Commission standard data protection clauses adopted under Article 46(2)(c) UK GDPR, incorporated into the UK IDTA addendum where applicable.
Change Log
| Version | Date | Changed By | Summary of Changes |
|---|---|---|---|
| 1.0 | 2026-04-15 | Seatly Software Ltd | Initial publication |