GDPR Compliance
Last Updated: March 24, 2026
This page provides additional information about how UM4MI ("we," "our," or "us") complies with the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the Swiss Federal Act on Data Protection ("FADP"), collectively referred to as "GDPR" in this document.
This page supplements our Privacy Policy and provides specific details required under GDPR for individuals located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland (collectively, "Europe").
1. Data Controller and Processor
1.1 When UM4MI Acts as Data Controller
UM4MI is the Data Controller for personal data collected in the following contexts:
- Website visitor data (browsing behavior, cookie data, analytics)
- Guest account data (when guests create accounts directly on UM4MI)
- Restaurant Partner account data (restaurant owner/staff credentials, business information)
- Customer support communications
- Marketing communications (where you have opted in)
1.2 When UM4MI Acts as Data Processor
UM4MI acts as a Data Processor on behalf of Restaurant Partners (the Data Controllers) for:
- Guest reservation data managed through the CRM
- Guest profiles, visit history, preferences, and notes maintained by restaurants
- SMS and email communications sent by restaurants to their guests through our platform
- Order data processed on behalf of restaurants
When UM4MI processes personal data on behalf of a Restaurant Partner, the Restaurant Partner's privacy policy governs the use of that data. If you have questions about how a restaurant uses your data, please contact the restaurant directly.
1.3 Data Processing Agreement (DPA)
UM4MI enters into a Data Processing Agreement with each Restaurant Partner as part of our Terms of Service. The DPA sets out the terms under which we process personal data on behalf of Restaurant Partners, including:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data processed
- The categories of data subjects
- Our obligations and rights as a processor
- Sub-processor management and notification procedures
2. Legal Bases for Processing
Under the GDPR, we must have a "legal basis" for each purpose for which we process your personal data. The legal bases we rely on are:
| Processing Purpose | Legal Basis |
|---|---|
| Processing reservations and orders | Performance of a contract — necessary to fulfill your booking or order |
| Sending booking confirmations, reminders, and order updates via email/SMS | Performance of a contract — necessary to provide the service you requested |
| Account creation and management | Performance of a contract — necessary to provide account-based services |
| Payment processing via Stripe | Performance of a contract — necessary to process transactions |
| Sending marketing and promotional communications | Consent — you can withdraw consent at any time |
| Setting non-essential cookies (analytics, functional) | Consent — managed through our cookie consent tool |
| Platform improvement and analytics | Legitimate interest — to improve our Services and user experience |
| Fraud prevention and security | Legitimate interest — to protect users and our platform |
| Compliance with legal obligations | Legal obligation — where required by European or national law |
| Processing special category data (e.g., dietary/allergy information voluntarily provided) | Explicit consent — by voluntarily entering this information, you consent to its processing for the purpose of your dining experience |
3. Your Rights Under GDPR
If you are located in Europe, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you, along with information about how we process it. We will provide this in a commonly used electronic format.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data we hold about you.
Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when the data has been unlawfully processed.
Please note that we may need to retain certain data to comply with legal obligations, resolve disputes, or enforce our agreements.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.
Right to Data Portability (Article 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller without hindrance.
Right to Object (Article 21)
You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time.
Right to Withdraw Consent (Article 7)
Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe we have violated your data protection rights. A list of EU supervisory authorities can be found at edpb.europa.eu.
4. How to Exercise Your Rights
To exercise any of the rights described above, please contact us at:
- Email: contact@um4mi.com
- Subject line: "GDPR Data Subject Request"
We will respond to your request within 30 days. In complex cases, we may extend this by up to 60 additional days, in which case we will notify you of the extension and explain the reasons.
We may need to verify your identity before processing your request. This may include asking you to provide information that matches the records we hold about you.
For guest data managed by Restaurant Partners: If your data is processed by UM4MI on behalf of a Restaurant Partner, we may redirect your request to the relevant restaurant, as they are the Data Controller for that information.
5. Sub-Processors
UM4MI engages the following sub-processors to provide our Services. Each sub-processor processes personal data only as necessary for the purposes described:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Supabase (via AWS) | Database hosting, authentication, and real-time data services | United States / EU |
| Vercel | Website hosting, CDN, and serverless functions | United States / Global edge |
| Stripe | Payment processing and fraud detection | United States / EU |
| Resend | Transactional email delivery (confirmations, reminders, review requests) | United States |
| SMS Provider | SMS delivery for reservation confirmations and reminders | Varies by region |
| Google (Gemini AI) | AI concierge features (V0NCI) — no personal data is used for model training | United States / EU |
We will notify Restaurant Partners before adding or replacing any sub-processor and provide an opportunity to object if the change materially affects the processing of their guest data.
6. International Data Transfers
As some of our sub-processors are located outside the EEA, we transfer personal data internationally. To ensure an adequate level of protection, we rely on:
- Standard Contractual Clauses (SCCs) — approved by the European Commission, incorporated into our agreements with all non-EEA sub-processors
- Adequacy decisions — where the European Commission has determined a country provides adequate data protection
- Supplementary measures — technical (encryption in transit and at rest) and organizational safeguards as recommended by the EDPB
You may request a copy of the safeguards we have put in place by contacting us at contact@um4mi.com.
7. Data Retention
We retain personal data only for as long as necessary for the purposes outlined in our Privacy Policy. Specific retention periods include:
- Guest reservation data: Retained for up to 3 years of inactivity, then anonymized or deleted
- Restaurant Partner accounts: Retained for 12 months after cancellation, then deleted upon request
- Transactional/payment records: Retained as required by applicable financial regulations (typically 7 years)
- Communication logs: Retained for up to 24 months for customer support quality purposes
- Cookie data: Retained for the duration specified in our Cookie Policy
8. Data Protection by Design and Default
In accordance with Article 25 of the GDPR, UM4MI implements data protection by design and by default:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
- Access controls: Role-based access ensures staff members only see data relevant to their role
- Data minimization: We collect only the minimum data necessary for each purpose
- Pseudonymization: Where feasible, we use pseudonymized identifiers in analytics
- Regular security assessments: We conduct periodic reviews of our security measures and practices
- Tenant isolation: Each Restaurant Partner's data is logically isolated using row-level security policies
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, UM4MI will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
- Notify affected Restaurant Partners (Data Controllers) within 48 hours so they can fulfill their own notification obligations
- Document the breach, its effects, and the remedial actions taken
10. Children's Data
Our Services are not directed to children under the age of 16 (or the applicable age of digital consent in the relevant Member State). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data without parental consent, we will take steps to delete such data.
11. Automated Decision-Making
UM4MI does not engage in purely automated decision-making that produces legal effects or similarly significant effects on individuals, as described in Article 22 of the GDPR. Our AI features (such as restaurant recommendations) are advisory in nature and do not make binding decisions about you.
12. Contact Our Data Protection Team
For any questions or concerns about our GDPR compliance, please contact us at:
UM4MI — Data ProtectionEmail: contact@um4mi.com
Subject: GDPR Inquiry
Website: um4mi.com
We are committed to working with you to resolve any data protection concerns. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.