Privacy Policy

This policy explains how Pisteo handles personal data. It covers everything we do as a controller in our own right, and signposts what we do as a processor on behalf of restaurants.

If you are a diner who used Pisteo at a restaurant, most of the information about you is held by the restaurant, not by us. The restaurant is the controller for its own customer relationship and for any marketing it sends you. We are the processor that operates the technology.

1. Who is responsible

The controller for this policy is:

Easy Host Oy (trading as Pisteo) Business ID: 3288005-7 Registered office: Helsinki, Finland Email: [email protected] WhatsApp: +358 40 923 3586

For data we process on behalf of a restaurant (for example, that restaurant’s diner marketing list), the restaurant is the controller and we act as their processor under a Data Processing Agreement.

2. The two roles in plain terms

• Controller for the restaurant relationship. When a restaurant signs up to Pisteo, we are the controller for the restaurant’s account: company details, contact people, billing, support history, usage analytics in the admin app, and so on.
• Processor for diner data. When diners use the diner app at a restaurant, the personal data created (orders, payment metadata via Stripe, optional email for receipts, optional marketing opt-in) belongs to the restaurant. We process it on their instructions.

Stripe and certain other partners may act as independent controllers for their own fraud, anti-money laundering, and compliance work. We list them below.

3. What we collect

3.1 Restaurant account data

• Company name, business ID (Y-tunnus), address, VAT details
• Names, emails, and roles of users you invite (Owner, Manager, Staff)
• Authentication metadata (Google account ID, session tokens, login timestamps)
• Branding (logo, colours)
• Menu content, table setup, opening hours, kitchen printer configuration
• Stripe Connect Express account identifier
• Subscription plan, billing history, invoices
• Support correspondence with us

3.2 Payment metadata

We do not see or store full card numbers. Stripe holds the card data. We store:

• Payment intent IDs and transaction references
• Amount, currency, and timestamp
• Payment method type (Apple Pay, MobilePay, card)
• The last four digits of the card if applicable
• Refund records

3.3 Diner data (held on behalf of the restaurant)

• Order content, table number, time of order, special instructions
• Optional email if the diner asks for a receipt or opts in to marketing
• Optional name on the order ticket
• Loyalty stamps if the diner opts in
• Marketing consent records

We do not run analytics or behavioural tracking on the diner-facing app. No PostHog, no advertising pixels, no third-party trackers on the diner side.

3.4 Technical and security data

• IP address and basic browser information, processed transiently for security and fraud prevention
• Audit logs of significant admin actions (refunds, menu changes, role changes)
• Error reports captured by Sentry (we configure Sentry to scrub personally identifying data where possible)

3.5 Admin product analytics

We use PostHog (EU Cloud) to understand how restaurant admins use the admin app. We track events such as “menu published”, “menu import completed”, “subscription upgraded”. We do not track diners.

3.6 Marketing data on pisteo.io

If you sign up to our newsletter or fill out a form on pisteo.io, we collect the email address and any details you give us, and use them to send the content you asked for.

4. Why we use it and on what legal basis

Purpose	Legal basis
Providing the Pisteo service to a restaurant	Art 6(1)(b) GDPR, performance of a contract
Processing diner orders and payments on behalf of the restaurant	Art 6(1)(b) GDPR, performance of the diner’s contract with the restaurant
Sending receipts and marketing emails that diners opt into	Art 6(1)(a) GDPR, consent, given to the restaurant via the Pisteo interface
Authenticating users and securing the service	Art 6(1)(f) GDPR, legitimate interest in protecting the platform
Billing, invoicing, and tax records	Art 6(1)(c) GDPR, legal obligation under Finnish accounting and tax law
Customer support	Art 6(1)(b) and (f) GDPR
Product analytics on the admin app	Art 6(1)(f) GDPR, legitimate interest in improving the product
Marketing on pisteo.io	Art 6(1)(a) GDPR, consent

For marketing emails that restaurants send to their diners, the restaurant is the controller and the legal basis is the diner’s consent given to the restaurant. We act as processor.

5. How long we keep data

• Restaurant account data: for the duration of the contract, then up to 24 months unless retention is required for accounting or tax law.
• Billing records, invoices, payment records: six years from the end of the financial year, in line with Finnish accounting law (Kirjanpitolaki).
• Diner order and payment records (held on behalf of the restaurant): six years from the end of the financial year for accounting purposes.
• Diner email used for a receipt only: deleted within 90 days unless tied to an order record we must keep.
• Marketing consent and email: kept until the diner withdraws consent or the restaurant deletes the list.
• Session cookie: session duration only.
• Security and fraud logs: up to 12 months.
• Support emails: up to 24 months after the last message.

If a contract is terminated, we delete data on the timeline in the Terms of Service and the Data Processing Agreement, with exceptions for records we must keep by law.

6. Who we share data with

We share personal data only where it is needed to run the service or where the law requires it.

6.1 Sub-processors

We use the following sub-processors:

• Stripe Payments Europe Ltd (Ireland) — payment processing and Stripe Connect Express
• Cloudflare R2 (EU region) — image storage
• Railway (US-headquartered, EU data residency available) — application hosting and managed PostgreSQL
• Resend (US) — transactional and marketing email delivery, under Standard Contractual Clauses
• PostHog (EU Cloud) — admin product analytics; diners are not tracked
• Sentry (US) — error monitoring, under Standard Contractual Clauses
• Anthropic (US) — Claude for menu import and Menu Performance Report. No diner personal data is sent to Anthropic. Under Standard Contractual Clauses.
• OpenAI (US) — secondary natural-language processing provider, used only where a specific capability is meaningfully better. No diner personal data is sent. Under Standard Contractual Clauses.
• GitHub (US) — code hosting only. No customer or diner data is stored at GitHub.

6.2 Independent controllers

• Stripe is also an independent controller for its own fraud prevention, anti-money laundering, and regulatory compliance work.

6.3 Authorities

We share data with authorities (police, tax, data protection regulator) where the law requires it.

6.4 What we never do

We do not sell personal data. We do not use it for advertising. We do not use a restaurant’s diner list to market other Pisteo restaurants to those diners.

7. International transfers

Most of our infrastructure runs in the EU. Where data is transferred outside the EEA (mainly to US-headquartered processors), we rely on the European Commission’s Standard Contractual Clauses (2021/914), and on supplementary measures where appropriate.

The current US transfers are:

• Railway hosting, with EU data residency selected where available
• Resend for email delivery
• Sentry for error monitoring
• Anthropic for menu parsing and the Performance Report
• OpenAI as a secondary provider

We review the legal basis of these transfers periodically.

8. Your rights

You have these rights under the GDPR:

• Access (Art 15): ask what we hold about you and get a copy
• Rectification (Art 16): correct inaccurate data
• Erasure (Art 17): ask us to delete data, subject to legal retention obligations
• Restriction (Art 18): ask us to pause processing
• Portability (Art 20): get your data in a portable, machine-readable format
• Objection (Art 21): object to processing based on legitimate interest
• Withdraw consent (Art 7(3)): at any time, with no effect on prior lawful processing
• Not be subject to solely automated decisions (Art 22): we do not make such decisions about you

To exercise any right, email [email protected]. We respond within one month, free of charge in normal cases.

If your data is held by a restaurant (for example, your order history at that restaurant), contact the restaurant directly. We will help the restaurant respond to your request.

9. Complaints

You can complain to the Finnish Data Protection Ombudsman:

Tietosuojavaltuutetun toimisto Lintulahdenkuja 4, 00530 Helsinki [email protected] www.tietosuoja.fi

10. Cookies and tracking

See our Cookie Policy for the full list.

In short: the diner app uses one strictly necessary session cookie. No analytics, advertising, or third-party tracking on the diner side. The admin app uses session authentication and PostHog product analytics.

11. Children

Pisteo is a B2B service for restaurants. The diner app is not designed for children and we do not knowingly collect personal data from anyone under 16. If you believe a child has given us data, contact us and we will delete it.

12. Security

We protect personal data with technical and organisational measures, including:

• Encryption in transit (TLS 1.2 or higher) for all traffic
• Encryption at rest for databases and object storage
• Role-based access control with multi-factor authentication for all staff with production access
• Audit logging of administrative actions
• Automated backups with tested restore
• Vulnerability monitoring and dependency scanning
• Secure software development practices, including code review
• An incident response plan with a named on-call

We review security measures at least once a year and update them as the platform evolves.

13. Breach notification

If we discover a personal data breach, we notify affected restaurants without undue delay and within 24 hours. Restaurants notify the Tietosuojavaltuutettu and, where required, the affected diners. For breaches that affect Pisteo’s own controller data, we notify the Tietosuojavaltuutettu within 72 hours where required under Art 33 GDPR.

14. Changes to this policy

If we change this policy in a way that affects you, we publish the new version at pisteo.io/legal/privacy and update the “Last updated” date. Material changes are notified to restaurant Owners by email.