Data Processing Addendum
Version 2026-05-draft-1 · Effective 4 May 2026
What this is
This is a data-processing addendum ("DPA") between Noqta Platform (a product of AtharCo) and the venue / restaurant that subscribes to it. It sits alongside the Restaurant Services Agreement and explains how diner data is handled when a venue uses the platform.
1. Roles
- Venue = data controller. Decides what to collect, why, and for how long.
- Noqta = data processor. Stores and processes data on the venue's instructions and per the platform's normal operation.
2. What data is processed
- Diner names (when given).
- Diner phone numbers.
- Diner order history (items, prices, dates, table numbers, delivery addresses where applicable).
- Diner loyalty data (points balance, redemption history).
- Diner profile fields (age range, gender, city) — only if the diner provides them.
3. The venue's responsibilities
The venue agrees to:
- Collect only data that is necessary and lawful for running their business.
- Honor diner data-rights requests (access, correction, deletion, portability) within a reasonable time.
- Tell their diners that Noqta processes data on the venue's behalf — typically via the menu footer link to the Privacy Policy.
- Configure data-retention settings appropriately for the venue's local laws.
4. Noqta's responsibilities
Noqta agrees to:
- Process data only on the venue's instructions or as required to run the platform.
- Not sell or share diner data with anyone except the infrastructure providers needed to run the service (Supabase, Vercel).
- Apply industry-standard security: encryption at rest, encryption in transit, role-based access controls, audit logs.
- Provide self-serve tooling so the venue can export and delete diner data.
- Notify the venue without undue delay if a security incident affects the venue's data.
5. Sub-processors
Noqta uses these sub-processors:
- Supabase (database hosting, EU region) — GDPR-compliant data processor.
- Vercel (web hosting, mixed regions) — GDPR-compliant data processor.
- Resend (transactional email — for legitimate operator-side notifications only).
If a sub-processor changes, the venue will be notified at least 30 days in advance and may object.
6. Diner-request delegation
If a diner submits a data-rights request directly to Noqta (instead of to the venue), Noqta will:
- Forward the request to the venue.
- Wait for the venue's response.
- If the venue does not respond within 30 calendar days, Noqta may act on the request on the venue's behalf and notify the venue of the action taken.
This clause prevents diner requests from getting stuck if a venue churns or stops responding.
7. Data location and transfer
Diner data is stored in EU-region database infrastructure. Backups are encrypted and retained per Supabase's standard backup policy (point-in-time recovery for ~7 days, daily snapshots for ~30 days). No data is transferred outside the EU/EEA without an appropriate transfer mechanism.
8. End of relationship
When a venue cancels its Noqta subscription:
- The venue can export all of its data within 30 days of cancellation.
- After the export window, Noqta retains the data for an additional 30 days for recovery.
- After 60 days from cancellation, the venue's data is permanently deleted from production. Audit logs (who-did-what, with diner PII redacted) are retained for 12 additional months for security and dispute resolution.
A venue can request earlier deletion by writing to privacy@noqtaplatform.com.
9. Liability
This DPA does not change the liability allocations in the main Restaurant Services Agreement. It clarifies data-handling responsibilities only.
10. Contact
privacy@noqtaplatform.com — Noqta's privacy contact.
The venue's privacy contact is published in the menu footer / Privacy Policy of each venue.