GDPR Compliance

Last updated: 1 July 2026

How EatRoot meets its GDPR obligations — and helps the restaurants on our platform meet theirs.

1. Our commitment

EatRoot is committed to protecting personal data in line with the EU General Data Protection Regulation (GDPR) and comparable laws such as the UK GDPR. This page explains how we meet those obligations and support restaurants in meeting theirs.

2. Controller and processor roles

For a restaurant's own account and billing data, EatRoot is the data controller. For guest and order data that a restaurant collects through EatRoot, the restaurant is the controller and EatRoot is the processor acting on the restaurant's instructions.

3. Lawful basis for processing

We process personal data on the bases set out in our Privacy Policy — contract, legitimate interests, consent and legal obligation. Restaurants are responsible for having a lawful basis for the guest data they collect.

4. Data subject rights

We support the GDPR rights of access, rectification, erasure, restriction, portability and objection. Individuals can contact privacy@eatroot.com, and we will respond within the timeframes required by law. Where EatRoot is a processor, we forward requests to the relevant restaurant and assist them in responding.

5. Data Processing Agreement

We offer a Data Processing Agreement (DPA) to merchant customers that sets out our obligations as a processor, including confidentiality, security, sub-processing and assistance. Contact dpa@eatroot.com to request one.

6. Sub-processors

We use vetted sub-processors — such as hosting, payment, delivery and analytics providers — to deliver the Service. We keep an up-to-date list available on request and impose data-protection obligations on each of them.

7. International transfers

Where personal data leaves the EEA or UK, we rely on approved safeguards such as Standard Contractual Clauses and, where relevant, adequacy decisions, together with additional measures where needed.

8. Security measures

We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, least-privilege permissions, logging and regular reviews.

9. Data breach notification

If a personal-data breach occurs, we will assess it promptly and, where required, notify the relevant supervisory authority and affected controllers without undue delay, providing the information they need to respond.

10. Contact and DPO

For GDPR matters, including DPA requests and data-subject rights, contact our privacy team at privacy@eatroot.com. You also have the right to lodge a complaint with your local supervisory authority.

Questions about this policy? Email legal@eatroot.com or reach us via the contact page.