Privacy notice

Privacy notice.

How Fooodo handles personal data — for restaurant guests using the electronic menu, and for restaurant staff using the admin panel. We process data under EU GDPR (Regulation 2016/679) and Lithuanian data-protection law.

Version 1.0 · Effective 2026-04-27

Two roles, one notice. When you order at a restaurant table using Fooodo, the restaurant is the data controller for your order data, and Fooodo (Foodo LT, UAB) is the data processor acting on their behalf. When you use the Fooodo admin panel as restaurant staff, this notice describes our direct processing of your account data.

Who we are

Foodo LT, UAB (legal entity code 306262368), registered at Rinktinės g. 5-101, LT-09234 Vilnius, Lithuania. Our Data Protection Officer can be reached at dpo@fooodo.com.

If you are a restaurant guest

When you scan a QR code at a Fooodo-enabled restaurant table, browse the menu, place an order, and pay, the restaurant operator is the controller of your data. Fooodo processes that data on their instructions to make the ordering and payment work.

What we process about you

  • Order data. Items, quantities, modifiers, prices, table number, timestamps. Necessary to deliver your order.
  • Payment data. Payment method, payment status, and a Mollie transaction reference. We do not see your card details. Card data is handled exclusively by Mollie under their own privacy notice and PCI scope.
  • Optional contact data. If the restaurant flow asks for your name or email (for example, for a receipt, for tip routing, or for a donation receipt), we process those only for the stated purpose.
  • Technical data. Device type, browser, IP address, language, time zone. Used to render the menu correctly and for security (rate limiting, abuse detection).

Legal basis

  • Contract performance — order fulfilment and payment processing.
  • Legitimate interest — security, fraud prevention, service stability.
  • Legal obligation — tax, accounting, and receipt-retention requirements imposed on the restaurant.

How long we keep it

Order and payment data is retained per the restaurant's data-retention policy and applicable accounting/tax law. Technical and security logs are retained for limited periods (typically days to weeks) and then deleted.

Who we share it with

  • The restaurant (the controller) — receives the order via R-Keeper or the connected POS system.
  • Mollie (payment provider) — receives only what is needed to process the payment.
  • Cloud infrastructure providers (servers, monitoring, error tracking) — receive technical data under data processing agreements.

We do not sell your data. We do not use it for advertising. We do not use it to train AI models.

If you are restaurant staff using the admin panel

When you log into the Fooodo admin panel, we (Foodo LT, UAB) are the controller of your account data, processing it directly to provide and secure the platform.

What we process

  • Account data. Email, name, role, restaurant assignment, password hash, audit log of administrative actions.
  • Authentication and security data. Session tokens, IP address, device fingerprint, login timestamps.
  • Operational metadata. Which products you created, which menu items you edited, which sync jobs you triggered. Used for support and audit.

Legal basis

  • Contract performance — the Service Agreement between Fooodo and your employer.
  • Legitimate interest — securing the platform against abuse and providing audit trails.

Retention

Account data is retained while your access is active and for a reasonable period after the employing restaurant terminates service (per the Service Agreement, this is up to 30 days, after which data may be irreversibly deleted).

Your rights under GDPR

You have the right to: access your data (Art. 15), correct it (Art. 16), erase it (Art. 17), restrict processing (Art. 18), data portability (Art. 20), object to processing (Art. 21), and not be subject to fully automated decisions with legal or similarly significant effects (Art. 22). You may also lodge a complaint with the Lithuanian State Data Protection Inspectorate (vdai.lrv.lt) or your local supervisory authority.

For order and table data at a Fooodo-enabled restaurant, please contact the restaurant first (they are the controller). If you do not know how, write to dpo@fooodo.com and we will help you reach them.

For account data and other matters where Fooodo is the controller, write directly to dpo@fooodo.com.

International transfers

Our infrastructure is hosted in the European Economic Area. Some sub-processors (for example, Vercel for frontend hosting, Mollie for payments, Anthropic for the AI Ask widget) operate internationally and are bound by Standard Contractual Clauses (SCCs) where applicable.

Cookies and analytics on this website

The Fooodo marketing website (fooodo.com) uses minimal, privacy-respecting analytics (Vercel Analytics) for traffic measurement. We do not use third-party advertising trackers and do not set cookies for tracking purposes. The Fooodo electronic menu (used at restaurant tables) uses essential cookies only — session, language preference, cart state.

Automated decision-making

We do not make solely automated decisions with legal or similarly significant effects. The AI Ask widget on this site is an informational assistant; it does not make decisions on your behalf. The Fooodo Insights product roadmap (described on /insights) explicitly requires human approval for any decision affecting employees, in line with GDPR Article 22.

Changes to this notice

We update this notice as our processing changes. Material changes are announced on this page and, where appropriate, by direct notice to administrators of restaurant accounts. The version date at the top of this page reflects the current notice.

Questions? Write to dpo@fooodo.com. For data processing agreements with restaurant operators, see our Data Processing Agreement.

Related pages: Terms of Service · Data Processing Agreement · Contact