Privacy Policy

1. Data Controller

Restia Software SL ("Controller"), registered in Spain. Contact: contacto@restia.app.

2. Data We Collect

2.1 User Data

• Authentication data: name, surname, email, optional profile photo (Google OAuth 2.0, Apple Sign-In).
• Establishment data: restaurant name, table configuration, menu, prices, operating hours.
• Operational data: orders, reservations, transactions, configuration preferences.

2.2 Technical & Device Data

• Device identifiers: IDFA (iOS), Android Advertising ID, unique device IDs.
• Device info: model, OS/version, language, timezone, screen resolution.
• Network data: IP, connection type, ISP.
• App data: version, usage time, features used, errors and crashes.

2.3 External Services Data

• Google Services: Firebase Analytics, Cloud Messaging, Google auth data.
• Apple Services: Apple ID auth data, App Store Connect info.
• RevenueCat: subscriptions, transactions, payment status, billing IDs.

2.4 Mobile App Permissions

• Camera (QR scanning, product photos with consent).
• Push notifications (orders and updates).
• Local storage (offline mode and sync).

3. Purposes & Legal Basis

• Service provision (Art. 6.1.b GDPR).
• Payment processing via RevenueCat (Art. 6.1.b GDPR).
• Security and fraud prevention (Art. 6.1.c/f GDPR).
• App improvement and analytics (legitimate interest, Art. 6.1.f GDPR).
• Operational communications (Art. 6.1.b GDPR).
• Opt-in marketing (consent, Art. 6.1.a GDPR).
• Legal compliance (Art. 6.1.c GDPR).

4. Retention Periods

• Account data: active + up to 5 years for legal compliance.
• Transactions: 10 years (tax obligations).
• Error logs & analytics: 90 days, then anonymized or deleted.
• Marketing: until consent withdrawn or 2 years of inactivity.

5. Recipients & Transfers

Data is shared only with processors (Google LLC, Apple Inc., RevenueCat Inc., infrastructure/hosting providers) under GDPR safeguards. No data is sold to third parties.

6. Data Subject Rights

You can request access, rectification, erasure, restriction, portability, objection, and withdraw consent. To exercise, email with ID. We respond within 30 days. contacto@restia.app

7. Security Measures

• TLS 1.3 in transit, AES-256 at rest.
• OAuth 2.0, Apple Sign-In, MFA; least-privilege access.
• Secure infrastructure, firewalls, 24/7 monitoring.
• Local secure storage, SSL pinning where applicable.
• Daily encrypted backups with 30-day retention.

8. Cookies & Similar Tech

Web

Essential technical cookies and analytics (GA4 with IP anonymization). Configurable via consent banner.

Mobile

• Advertising IDs (IDFA/Android Advertising ID) for analytics.
• Local storage for offline mode and preferences.
• Notification tokens for push delivery.

9. Minors

Not directed to users under 18. We delete any minor data upon detection or request.

10. Changes to this Policy

We may update this Policy with at least 30 days notice (email, push notification, or prominent web notice).

11. Contact

Privacy questions or rights requests: contacto@restia.app.