Bitte

Bitte Privacy Notice

Last updated: 21 May 2026

Draft template aligned with the UK GDPR and Data Protection Act 2018. This is not legal advice; please obtain UK Data Protection Officer / solicitor review before relying on this notice in production.

1. Who we are

Bitte ("we", "us", "our") is the controller of personal data processed through the Bitte Platform, comprising bitte.uk, our mobile applications, our merchant dashboard, our reservation tools, and white-label storefronts we operate on behalf of partner merchants. Bitte is registered in England and Wales. Our ICO registration number will be confirmed on publication.

You can contact our privacy team at privacy@bitte.uk.

2. What this notice covers

This notice explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies whenever you use the Platform, whether through our own brand or through a Bitte-powered white-label site.

3. Personal data we collect

3.1 Information you give us

  • Account details: your name, email address, phone number, and password (stored only as a salted hash).
  • Order information: delivery address, order content, notes to the kitchen, dietary preferences.
  • Reservation information: party size, time, special requests.
  • Communications: reviews, in-app chat messages with merchants or couriers, support tickets.
  • Marketing preferences: the channels you've opted in to (email, SMS, push) and any opt-outs.

3.2 Information collected automatically

  • Device and technical data: IP address, device model, operating system, browser type, app version, language settings, time zone.
  • Usage data: pages visited, items viewed, items added to the basket, time spent, and the route you took through the Platform.
  • Location data: your approximate location (postcode level) for showing nearby restaurants. Precise GPS location is collected only if you grant explicit permission on the mobile app, and only while live order tracking or delivery-handoff features are active.
  • Cookies and similar technologies: see the Cookie Policy referenced in section 14.

3.3 Information from third parties

  • SSO providers (Google, Apple, Facebook): see section 7.
  • Payment processors (Stripe, PayPal): confirmation of payment status, payment method type, last four digits of the card. We never receive full card numbers.
  • Couriers and merchants: delivery status updates, order acceptance, refund eligibility evidence.

3.7 Merchant-assisted bookings

Where a booking is taken by the restaurant on your behalf — by phone, or in person as a walk-in — the restaurant provides us with your name, phone number and (optionally) email address so we can record and honour the reservation. We process these details under Article 6(1)(b) (performance of the booking contract). The restaurant is required to inform you that your details are stored by Bitte; you can request access, correction or erasure at any time at privacy@bitte.uk or via the data-subject-rights process in Section 13. We will not use these details for marketing unless you explicitly opt in.

4. Lawful bases for processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a contract (Article 6(1)(b)): creating and managing your account, taking and fulfilling orders, processing refunds, providing customer support, processing reservations.
  • Performance of a contract (Article 6(1)(b)), merchant-assisted bookings: recording bookings the merchant takes on your behalf (by phone or as a walk-in) using your name, phone number, and optional email address, so that we can hold and honour the reservation on the restaurant's behalf.
  • Consent (Article 6(1)(a)): marketing emails, marketing SMS, push notifications, optional features such as personalised recommendations, and precise location tracking on the mobile app.
  • Legitimate interests (Article 6(1)(f)): securing the Platform, preventing fraud, debugging, internal analytics in aggregated and pseudonymised form, improving the service. Where we rely on legitimate interests, we balance them against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): retaining transaction records for HMRC, responding to law-enforcement requests, and complying with food safety record-keeping.

For special-category data (e.g. dietary information that reveals religious beliefs, such as Halal or Kosher preferences), we rely on your explicit consent under Article 9(2)(a) of the UK GDPR.

5. How we use your personal data

  • To create and manage your account.
  • To take, process, and deliver your orders, including sharing delivery details with the relevant merchant and courier.
  • To manage bookings and reservations.
  • To take payment and process refunds.
  • To communicate with you about your orders and account.
  • To send you marketing (only with your consent), and to let you opt out at any time.
  • To improve the Platform, detect fraud, and keep the service secure.
  • To comply with our legal and tax obligations.

6. Who we share your personal data with

  • Merchants you order from: the merchant receives your name, order details, delivery address, contact number, and any notes to the kitchen, so that they can prepare and dispatch the order.
  • Couriers: the courier receives your name, delivery address, contact number, and order tracking information.
  • Payment processors: Stripe and PayPal handle payment authorisation, capture, and chargeback processing.
  • Communication providers: Brevo for transactional email; Firebase Cloud Messaging for mobile push notifications; Pusher for real-time order status updates; Firebase Realtime Database and Firestore for in-app chat and live tracking.
  • Cloud infrastructure: Amazon Web Services hosts our servers (primarily Amazon Lightsail in the United Kingdom or Ireland) and stores our images (Amazon S3).
  • Analytics: we use minimal, aggregated, pseudonymised analytics for service improvement.
  • Professional advisers, auditors, and insurers: on a need-to-know basis under appropriate confidentiality terms.
  • Acquirers and successors: in the event of a sale, merger, or restructuring of the business, subject to the same protections set out here.
  • Law enforcement and regulators: where required by law, court order, or to protect our rights, your safety, or the safety of others.

We do not sell your personal data and we do not share it with third parties for their own independent marketing purposes.

7. Single Sign-On (SSO) login

You can sign in to Bitte using a third-party identity provider — currently Google, Apple, or Facebook. When you use SSO:

  • The provider tells us your name, email address, profile photo URL, and a unique identifier assigned by that provider. With Apple, you can choose to share a relay email address instead of your real one; we treat that relay address as your account email.
  • We do not receive your social-media password, friends list, contacts, posts, calendars, photos, or any other content from your provider account.
  • We store the provider's unique identifier so we recognise you on return visits. You can disconnect SSO from your account settings; if you do, we'll ask you to set a Bitte password to keep using the same account.
  • You can revoke our access from your provider at any time by visiting your Google, Apple, or Facebook security settings.
  • Each SSO provider has its own privacy notice that governs the data it holds about you, independent of this notice.

8. White-label storefronts and reservation sites

Bitte also powers branded storefronts and reservation sites for partner restaurants — for example, a restaurant might run its own ordering site at "order.example-restaurant.co.uk", which is in fact built on Bitte technology. When you use one of these white-label sites:

  • Your data is stored on Bitte infrastructure under the same security standards described in this notice.
  • Bitte and the operating Merchant act as joint controllers under Article 26 of the UK GDPR, with each having defined responsibilities. Broadly: Bitte controls the technical platform, account creation, payment processing, security, and infrastructure; the Merchant controls its menu, pricing, customer communications relating to the order, and the customer relationship for its products.
  • The Merchant operating the site can see your customer data for orders placed with them — name, contact, delivery address, order content, notes — so they can prepare and deliver the order.
  • Customer data is isolated per merchant: if you also order from a different Merchant via Bitte, the Merchants cannot see each other's order history.
  • You can exercise your rights (section 11) against either Bitte or the relevant Merchant; both will co-operate to respond.

9. International data transfers

The majority of our processing takes place within the United Kingdom or the European Economic Area, on AWS infrastructure in the London (eu-west-2) and Ireland (eu-west-1) regions. Some service providers, in particular Stripe, Firebase, and Google's analytics services, may transfer data to the United States or other locations outside the UK. Where that happens, we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses plus the UK International Data Transfer Addendum to protect your data, and we apply supplementary measures (such as encryption in transit and at rest) where appropriate.

10. How long we keep your personal data

  • Account data: for as long as your account is active, plus up to 7 years after closure to satisfy UK tax and accounting obligations.
  • Order and payment records: 7 years, in line with HMRC requirements.
  • Marketing consent: until you withdraw it, plus a 12-month audit trail of the withdrawal.
  • Support and chat records: 2 years from the date of the last interaction.
  • Server access logs: 90 days.
  • Reservation records: 2 years.
  • Anonymous, aggregated analytics: indefinitely.

Where we are required to keep data for a legal reason, we'll retain it only for as long as that reason applies, and only for the relevant processing purpose.

11. Your rights

Under the UK GDPR you have the following rights, which you can exercise free of charge:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your data, subject to legal retention requirements.
  • Right to restrict processing — ask us to pause certain processing while a question is resolved.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on legitimate interests or to direct marketing.
  • Right to withdraw consent — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making — we do not use solely automated decisions that produce legal or similarly significant effects on you.

To exercise any of these rights, email privacy@bitte.uk. We respond within one month, with one possible extension of two months for complex requests.

12. Right to complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator. We would appreciate the chance to address your concerns first, but you may contact the ICO at any time.

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. Security

We take security seriously. We use TLS to encrypt data in transit, store passwords as salted bcrypt hashes, encrypt sensitive data at rest in our managed databases, restrict access to personal data on a need-to-know basis, and audit access regularly. Despite our efforts, no system is perfectly secure; if you suspect a security incident, please tell us at privacy@bitte.uk.

14. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember your preferences, secure the Platform against fraud, and (with your consent) to measure how the Platform is used. You can manage non-essential cookies through the consent banner shown on your first visit, and revisit your choices at any time from the footer "Cookie settings" link.

15. Children's data

The Platform is not intended for children under 16. We do not knowingly collect data about children under 16. If you believe we hold data about a child under 16, please contact privacy@bitte.uk and we will delete it promptly.

16. Changes to this notice

We may update this notice from time to time. Material changes will be notified to you by email and shown on the Platform at least 30 days before they take effect. The "Last updated" date at the top of this notice always reflects the current version.

17. Contact