Privacy Policy
Last updated: April 17, 2026
1. Introduction
This Privacy Policy explains how your personal data is collected, used, and protected when you use the BiteBack loyalty rewards platform. It is written to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and applicable national data-protection laws. If any term in this policy conflicts with a mandatory law in your jurisdiction, the mandatory law prevails.
2. Data Controller & Processor
BiteBack operates as a multi-tenant platform. For the purposes of the GDPR:
- The Partner (the restaurant or business whose loyalty program you joined) is the Data Controller. The Partner decides what data is collected, for what purpose, and for how long.
- BiteBack (the platform operator) acts as the Data Processor on behalf of the Partner. BiteBack provides the technical infrastructure and processes your data only according to the Partner's instructions and these policies.
- If you have a question about your data, you may contact either the Partner (primary contact, details in the Additional Terms section) or the platform operator.
3. Data We Collect
When you register and use the Service, the following categories of personal data are collected:
- Identity data — full name, username, optional birthday, and profile language preference
- Contact data — phone number (required, used for login) and optional email address
- Authentication data — hashed password and API session tokens
- Loyalty data — points earned, tier, visits, amounts spent (when provided by the Partner's POS), reward redemptions, active vouchers, game plays, challenge progress, and achievements
- Social-layer data — referrals made or received, group visit references, friendship records (shared visit count, level, last seen together), and point transfers sent or received between friends
- Feedback data — ratings, tags, and any free-text comments you submit about a visit
- Communication data — in-app notifications and, if you opt in, marketing messages
- Technical data — IP address at registration and on key security events, device identifiers used by the service worker, and preferred locale stored in local storage
- POS-sourced data — where the Partner has connected a point-of-sale system, we also receive an external customer identifier and visit/transaction data from that POS to match to your account
4. How We Use Your Data & Legal Basis
Each processing purpose has a specific legal basis under Article 6 GDPR:
- To create and operate your loyalty account, track visits, points, tiers, and reward redemptions — legal basis: performance of a contract (Art. 6(1)(b))
- To display tenant leaderboards, challenge progress, and group-visit / friendship features using your username — legal basis: legitimate interest in providing the gamified experience you signed up for (Art. 6(1)(f)); you can opt out via the PWA account settings where available
- To send you marketing communications about promotions and new rewards — legal basis: consent (Art. 6(1)(a)); you can withdraw consent at any time without affecting past processing
- To produce anonymized / aggregated analytics for the Partner (e.g., engagement, tier distribution, visit frequency) — legal basis: legitimate interest (Art. 6(1)(f))
- To prevent fraud, abuse of promotions, and secure the platform (rate limiting, IP logging, admin audit logs) — legal basis: legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
- To comply with legal obligations (e.g., respond to lawful requests, retain fiscal or accounting records where required) — legal basis: legal obligation (Art. 6(1)(c))
5. Cookies & Local Storage
We use only strictly necessary session cookies required for authentication and locale handling. In addition, the PWA uses browser local storage to hold your session token, theme preference, onboarding/tutorial flags, and the scan-station device identifier — these are functional and necessary for the Service to work on your device. We do not use tracking cookies, cross-site analytics cookies, or third-party advertising cookies. Because our cookies and local-storage entries are strictly necessary, they are exempt from the consent requirement under Art. 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended).
6. Data Sharing & Sub-Processors
Your personal data is shared only with:
- The Partner (restaurant/business) whose loyalty program you joined — their authorized staff can see your name, contact details, visit history, points balance, feedback, and social-layer activity
- Sub-processors engaged by BiteBack to run the platform: the hosting/cloud provider, transactional email provider, and (where the Partner has connected one) the POS integration vendor. A current list is available from the platform operator on request.
We do not sell, rent, or share your data with any other third parties for marketing purposes.
7. International Transfers
BiteBack is primarily hosted within the European Economic Area (EEA). Where a sub-processor necessarily operates outside the EEA, transfers take place under appropriate safeguards (EU Standard Contractual Clauses under Decision 2021/914, adequacy decisions, or equivalent). A copy of the relevant safeguards is available on request.
8. Data Retention
We keep your personal data only as long as necessary for the purposes above. Indicative retention periods:
- Active account data — for the duration of your participation in the Partner's loyalty program
- Dormant accounts — deleted 24 months after your last login or activity (you receive a notice before deletion if we hold a valid email)
- Visit and transaction records — up to 24 months after account closure; fiscal records, where the Partner is legally required to keep them, are retained by the Partner separately and may survive account closure
- Marketing consent — renewed or removed after 24 months of non-engagement
- Security and activity logs — 24 months; admin-panel audit logs — 90 days by default (Partner-configurable)
- In-app notifications — 30 days after being read, 90 days if unread
- IP addresses recorded for terms-acceptance and security events — 12 months
- Anonymized / aggregated analytics — retained indefinitely (no longer personal data)
9. Group Scans, Friendships & Gift Points
Where the Partner enables social features, the platform processes additional relational data about you:
- When you check in as part of a group at the till, each member's visit is linked by a shared group reference, so your co-visitors can see that you were present in that group via their own history
- After you share several group visits with the same person, a friendship record is automatically created (level, shared visit count, last seen together). Friendship levels unlock bonus points when you scan together
- If you refer another customer, a referral record links the two accounts for the purpose of awarding referral rewards and (optionally) seeding a new friendship at Level 1
- If you gift points to a friend (or receive a gift), both of you will see a point-transfer record with the recipient, amount, and source visit
- You can ask the Partner or the platform operator to delete specific friendship records or social interactions at any time. Deletion may affect past bonus points but will not claw back rewards already redeemed
10. Leaderboard & Public Visibility
Where the leaderboard is enabled by the Partner, your username (not your full name) and score are visible to other registered customers of the same Partner. The leaderboard is not publicly indexed on the internet. You can request the Partner to exclude you from the leaderboard without losing any other benefits of the program.
11. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you (Art. 15)
- Right to rectification — correct inaccurate personal data (Art. 16)
- Right to erasure — request deletion of your personal data, the "right to be forgotten" (Art. 17)
- Right to restrict processing — limit how your data is processed in specific circumstances (Art. 18)
- Right to data portability — receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20)
- Right to object — object to processing based on legitimate interest, including profiling, at any time (Art. 21); for direct marketing, the objection is absolute
- Right to withdraw consent — withdraw marketing consent at any time without affecting the lawfulness of past processing (Art. 7(3))
- Right to lodge a complaint — file a complaint with a data-protection supervisory authority. In Italy this is the Garante per la protezione dei dati personali (www.garanteprivacy.it). You may also lodge a complaint with the authority in your country of habitual residence or alleged infringement (Art. 77)
We will respond to any verified request within one month, subject to extension by two further months for complex requests. Requests are handled free of charge except where manifestly unfounded or excessive.
12. Marketing Communications
Marketing messages (promotions, new rewards, campaigns) are sent only if you explicitly opted in. Consent is collected separately from acceptance of the Terms and is unchecked by default. You can change your marketing preferences at any time from the PWA profile page, by contacting the Partner, or by using the unsubscribe link included in each marketing email. Withdrawal of consent takes effect immediately and does not affect the lawfulness of processing carried out before withdrawal.
13. Minimum Age
The Service is not intended for users below 16 years of age. We do not knowingly collect personal data from minors below this age. If we become aware that we hold data of a minor below the applicable digital-consent age, we will delete it promptly. A Partner operating in a jurisdiction with a lower digital-consent age may onboard younger users only with verified parental consent.
14. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including password hashing (bcrypt), HTTPS encryption in transit, rate-limiting, HMAC signature verification on POS webhooks, security headers, role-based admin access, and an admin audit log. In the event of a personal data breach affecting you, we (or the Partner, as Controller) will notify the competent supervisory authority within 72 hours where required by Art. 33 GDPR and will notify you directly where the breach is likely to result in a high risk to your rights and freedoms (Art. 34).
15. Partner Admin Analytics
Partner staff with admin access can view detailed customer analytics for legitimate business purposes, including names, usernames, visit frequency, spending patterns, feedback, and engagement metrics. This data is restricted to authorized staff via role-based access controls. Partners and their staff are bound by their own Terms of Service and Privacy Policy to treat this as confidential and to use it only for the loyalty program. BiteBack is not responsible for Partner-side misuse; such misuse may trigger Partner-level liability under the GDPR.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the app or email and, where required by law, will ask you to re-accept the updated policy before continuing to use the Service. The "Last updated" date at the top of this page always reflects the current version.
17. Contact Us
To exercise your data rights or for any questions about this Privacy Policy, please contact the Partner through whose loyalty program you registered (details in the Additional Terms section, when provided) or the platform operator at the email published on the Partner's BiteBack landing page. Partners that have designated a Data Protection Officer will publish the DPO's contact details in the Additional Terms section.