Data Processing Terms

Data-processing terms for restaurants using OrderNow modules. Effective from: 05.05.2026

This is a base data-processing annex for the individual restaurant agreement, not a standalone online checkbox. It reflects the current product map and Article 28 GDPR structure. The final scope of processing may be specified in the individual agreement with the restaurant.

1. Parties and roles

The processor is: Robert Dziak, operating an unregistered business activity (not entered in CEIDG) under the OrderNow brand, Warsaw, Poland, contact: kontakt@ordernow.pl, +48 514 192 425.

The restaurant is the controller for personal data it enters into restaurant modules or collects through its own storefront, including guest, customer, staff, courier and supplier data.

OrderNow remains a separate controller for its own account administration, support, security, billing, legal claims and product analytics described in the Privacy Policy.

2. Processing scope

  • Subject matter: providing OrderNow software for QR menu, online ordering, reservations, delivery operations, loyalty, KDS, staff and restaurant administration.
  • Duration: for the term of the restaurant's use of OrderNow and afterwards only for deletion, export, mandatory retention, legal claims or documented restaurant instructions. Specific retention periods may be defined in the individual agreement, product settings or internal retention policy.
  • Nature and purpose: hosting, storing, displaying, transmitting, securing and supporting data processed in restaurant workflows.

3. Data categories

Depending on enabled modules, processing may include names, email addresses, phone numbers, delivery addresses, table or order identifiers, reservations, order history, loyalty balances, feedback, staff accounts, roles, shifts, courier assignments, supplier contact data and uploaded operational documents.

4. Processor obligations

  • OrderNow processes entrusted data only on documented instructions from the restaurant, including these Terms, the commercial agreement and product settings selected by authorised restaurant users.
  • OrderNow limits access to authorised persons and requires confidentiality from persons involved in providing the service.
  • OrderNow applies technical and organisational safeguards appropriate to the service, including access control, encrypted transport and separation of restaurant workspaces where supported by the system. Backup, logging, incident and audit details may be described in B2B documentation or the individual agreement where needed.

5. Sub-processors

OrderNow may use the following providers to operate the service. The table is a working subprocessor list for the restaurant agreement annex. It must be verified before signing a final DPA.

| Provider | Purpose | Verification status |
|---|---|---|
| Vercel | Application hosting, deployments, logs, Vercel Blob, optional Vercel Analytics and Speed Insights after consent. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Supabase | Application database. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Supabase Storage | Private operational file storage. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Upstash Redis | Rate limiting and cache. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Pusher | Realtime POS/KDS/order/reservation/courier channels. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Resend | Transactional email. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| DeepL | Admin-requested product/menu text translation. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |
| Leaflet / OpenStreetMap / Nominatim | Map tiles and delivery-address geocoding where the delivery module sends an address query to Nominatim/OpenStreetMap. | Provider region, transfer mechanism and contractual documents are maintained in B2B/internal documentation and may be updated after provider verification. |

Material changes to sub-processors should be communicated through the Privacy Policy, product notice, email or other durable channel allowing the restaurant to object where required by law or contract.

6. Assistance and end of service

  • OrderNow assists the restaurant, within reasonable technical possibilities, with data-subject requests, security incidents, DPIA-related information and audits.
  • After service termination, OrderNow deletes or returns entrusted personal data according to product capabilities, retention rules and legal requirements.
  • If OrderNow believes an instruction infringes data-protection law, it should inform the restaurant unless prohibited by law.